What do we do when we receive a complaint?
This guidance explains what you need to do to meet the new requirements for you to have a data protection complaints process, as set out in the Data (Use and Access) Act. Although these requirements are not in force until 19 June 2026, we think it is useful for this to be published now so that you are ready for these changes. Even before these requirements are in force, we think that what’s set out in this guidance represents good practice.
Latest updates - 12 February 2026
12 February 2026 - this guidance was published
Acknowledge the complaint
You must acknowledge receipt of the complaint within 30 days. What information you include is up to you, but the important thing is that you confirm you’ve received it and you’ll look into it.
How you acknowledge complaints is also up to you, subject to any relevant equality legislation requirements. But it’s likely to be most practical to follow the method the complainant has used, unless they’ve requested you reply using a different method.
You can acknowledge a complaint in different ways, for example:
- If you receive a complaint electronically (eg through email or live chat), you could use an automatic response, such as auto-acknowledgement emails. If you receive it through social media, you should ask for an alternative contact method as this is generally not a secure way to send personal information.
- If you receive a complaint in writing (eg by post), you could send an acknowledgement letter.
- If you receive a complaint verbally (eg over the phone or face-to-face), you could acknowledge this verbally. For example, you could:
  - summarise the complaint back to the complainant, so they know you’ve understood the issue;
  - ask them their preferred contact method for receiving updates and obtain contact details;
  - provide a reference number, if you use them;
  - confirm that someone will be in touch to provide updates; and
  - follow this up in writing (even if you’ve acknowledged it verbally).
In practice, it’s likely you’ll take a practical approach to acknowledging a complaint. For example, if you contact the person to ask for identification or an alternative contact method, it’s unlikely you’ll contact them again to further acknowledge you have their complaint.
For all complaints, regardless of how you receive them, keeping a record of your acknowledgement can help you show you’ve met your obligations within the 30-day timeframe. There are two important things to know about the timeframe:
- The 30 days start the day after you receive the complaint. It doesn’t matter if this day falls on a weekend or a public holiday. The 30 days still start on this day.
- If the last day to acknowledge the complaint falls on a weekend or public holiday, you have until the next working day to provide an acknowledgement.
Example
You receive a data protection complaint on Thursday 5 June. The 30 days don’t begin until the start of Friday 6 June. This means 30 days end at the end of Saturday 5 July. However, as this falls on a weekend, you have until the end of Monday 7 July to acknowledge the complaint.
If you have staff absence for certain periods of the year (eg school holidays or sickness), you must make arrangements for acknowledging data protection complaints during these times.
Investigate the complaint
Gather the information
You should start by gathering as much information as you need. This includes taking steps to:
- look at all the relevant facts thoroughly, fairly and accurately;
- speak to relevant members of staff;
- compare the information from the complaint with the information you hold; and
- check you’ve upheld your own terms, policies and standards.
If you aren't sure what the complaint is about, you should ask the person making it for more information as quickly as possible. This helps you identify which enquiries you need to make. You could also ask what outcome they’re looking for. For example, do they want you to alter a decision you’ve made, apologise for a mistake, or change your processes? This may help you narrow the scope of your investigation and resolve the complaint quickly.
Investigate the complaint without undue delay
You must make enquiries into the complaint without undue delay. In other words, without an unjustifiable or excessive delay.
Your obligation to investigate begins when you receive the complaint, not after the 30-day acknowledgement period.
What is unjustifiable or excessive always depends on the circumstances, and varies from one complaint to another and from one organisation to another. The important thing is to consider all the circumstances of the complaint, not to apply a set period of time as a blanket approach.
The time it takes you to investigate is likely to be impacted by:
- the complexity of the issue;
- the scale of the issue (eg whether it’s a singular complaint about a recent issue, or a complaint about a number of issues over a longer time period); and
- any harm that the complainant is suffering as a result of the unresolved issue.
This isn’t an exhaustive list. There’s likely to be a wide range of factors that influence how long your investigation takes.
If you decide to introduce your own timeframe to use as a guideline, or align with timescales from other guidance or frameworks you already have in place, you must ensure that this doesn’t cause an unjustifiable or excessive delay. If you can complete the data protection investigation in a shorter amount of time than your guideline, you must do that.
You must make an appropriate level of enquiries based on the circumstances of each complaint, and be able to justify why you handled a complaint in the way you did. You’re not required to take steps that would be unreasonable or disproportionate, which will always depend on the circumstances.
Keep people informed
You must keep the person making the complaint updated on the progress of the investigation without undue delay. In practice, it’s likely that you’ll keep the complainant up to date with timeframes and explain any delays, rather than informing them of the steps you’ve taken so far.
For example, if the investigation is likely to take some time, you must follow up on your initial response so the complainant knows you’re working to resolve the issue. You could provide them with a date for when you expect to finish your investigation and a point of contact for any questions.
Having an open dialogue can build trust and lead to people making fewer complaints to us before you’ve had the opportunity to put things right.
Further reading
For more guidance to check you’ve complied with the law, see our UK GDPR guidance and resources.
Record your actions
You should keep a record of:
- the date you received the data protection complaint;
- your acknowledgement;
- any relevant conversations and documents;
- the outcome of the complaint; and
- any actions you took as a result of your investigation.
This provides evidence of what you’ve done. We, or industry bodies, may ask to see this if a complaint is made about you in the future.
You may wish to record the number of data protection complaints you receive, as well as recurring themes and trends. This will help you to identify potential compliance issues and areas for improvement.
You must not keep personal information for longer than you need it.
Further reading
For more information about record keeping and retention, see Storage limitation, Purpose limitation and Data minimisation in our Guide to the data protection principles. See Records management in our Accountability framework.