Underneath the brand new guidelines for the Information (Use and Entry) Act 2025, organisations that act as information controllers now have to have a transparent course of for dealing with information safety complaints.
Companies now want to provide people a transparent approach to complain on to them about how their private information has been dealt with. In addition they have to acknowledge information safety complaints inside 30 days, examine them with out undue delay, maintain the complainant knowledgeable the place applicable, and inform them the result.
Companies must be updating privateness insurance policies and templates; checking whether or not current procedures are ample for information safety complaints; ensuring the method works throughout the enterprise; and constructing record-keeping into stated course of.
For those who’re operating a rising enterprise, private information is woven into nearly every part you do. Each buyer order, job software, advertising and marketing marketing campaign, web site go to and worker report you retain generates info that must be collected, saved and used responsibly.
From 19 June 2026, there was a brand new purpose to look extra carefully at how all of that info is managed. Underneath the Information (Use and Entry) Act 2025, organisations that act as information controllers now have to have a transparent course of for dealing with information safety complaints.
Though this may sound like a technical change that sits with the compliance workforce, it impacts anybody who may obtain, recognise or reply to a priority about private information, from HR and recruitment by means of to customer support, advertising and marketing, gross sales and even senior administration. That’s as a result of information safety complaints can take totally different kinds they usually could not even be labelled as a criticism.
Listed here are some examples:
Somebody may complain that they’re nonetheless receiving advertising and marketing emails after unsubscribing
A job applicant may ask why their CV remains to be being held months after a emptiness has closed
An worker may query how monitoring or efficiency information has been used
A buyer may be sad that their particulars had been despatched to the mistaken tackle
None of these individuals could point out the UK GDPR or use the phrases ‘private information’ or ‘criticism’ in any respect. Nonetheless, every of these issues may nonetheless elevate a knowledge safety challenge, and in the event that they do then the brand new necessities could apply.
What modified on June 19?
Companies now want to provide people a transparent approach to complain on to them about how their private information has been dealt with. In addition they have to acknowledge information safety complaints inside 30 days, examine them with out undue delay, maintain the complainant knowledgeable the place applicable, and inform them the result.
The 30-day interval begins the day after the criticism is acquired. Weekends and public holidays are included on this timeframe, though if the ultimate day falls on a weekend or public vacation, acknowledgement could be given on the following working day.
For companies with out a devoted compliance workforce, that deadline comes round rapidly. A criticism acquired by means of a generic inbox, social media message or cellphone name could not attain the precise individual right away, and by the point it does, useful time could have already got been misplaced.
The Data Commissioner’s Workplace (ICO) will normally anticipate people to lift their criticism with the organisation first earlier than taking it additional. This creates a helpful alternative for companies to resolve issues early, nevertheless it additionally means they should be able to recognise and reply to complaints correctly once they are available in.
What counts as a knowledge safety criticism?
An information safety criticism is, broadly, a criticism from somebody who believes an organisation has breached information safety legislation in the best way it has dealt with their private information.
That would contain how private info has been collected, used, shared, saved, secured, retained or deleted. It may additionally contain how a enterprise has responded to a topic entry request, the way it has used cookies or monitoring instruments, or whether or not somebody has been given clear sufficient details about what is occurring to their information.
The criticism doesn’t want to make use of authorized language to be classed as one, both. The person doesn’t should confer with the UK GDPR, quote their rights or label the problem as a knowledge safety criticism. If the priority is about how their private information has been dealt with, it must be recognised and handled by means of the precise course of.
The place complaints are probably to come up
The very best-risk areas are sometimes the elements of the enterprise shifting quickest and people who deal with a whole lot of info regarding people. Advertising and e-commerce groups, for instance, rely closely on information corresponding to electronic mail lists, cookies, retargeting campaigns, loyalty schemes and buyer profiles. These can all create compliance threat ought to the consent information be unclear, unsubscribe requests aren’t actioned promptly, or privateness notices haven’t saved tempo with what the enterprise is definitely doing.
For HR and recruitment groups, candidate information can typically be retained for longer than crucial. Staff could not absolutely perceive how their info is getting used for monitoring, absence administration, efficiency monitoring or office know-how. Aggrieved workers could elevate information topic entry requests (DSARs) after which dispute how the DSAR course of is dealt with. As companies develop, casual processes that after labored effectively can rapidly change into tough to handle.
Scale and transparency generally is a problem for tech and app-based companies specifically. When information is collected mechanically and at quantity, people could really feel they’ve little visibility or management. That may make complaints extra probably when one thing goes mistaken.
Healthcare, finance, schooling {and professional} providers companies might also face heightened sensitivity due to the character of the data they deal with. In these sectors, even a comparatively small information safety criticism can carry a bigger reputational threat.
What ought to companies do now?
The excellent news is that compliance doesn’t should be overcomplicated. Most companies have some kind of complaints course of in place already, so this modification ought to imply making focused changes, together with:
Updating privateness notices and related templates. Prospects and shoppers ought to know methods to elevate issues straight with the organisation. Including some easy wording to your privateness notices telling people who to contact about relating to their issues would suffice.
Checking whether or not your current inner processes clearly cowl information safety complaints. Individuals ought to know methods to elevate a criticism, the place it ought to go internally, who owns the response and what deadline applies.
Ensuring the method works in follow throughout the enterprise. Customer support, HR, recruitment, advertising and marketing, gross sales and social media groups don’t have to change into information safety consultants, however they do have to know when a priority about private information must be escalated.
Constructing record-keeping into the method. Companies ought to have the ability to present when a criticism got here in, when it was acknowledged, who reviewed it, what response was given and whether or not any follow-up motion was wanted.
Your precedence is ensuring that it’s clear, joined up and understood by the individuals probably to obtain complaints first.
Becky White is a senior solicitor (information safety) at legislation agency, Harper James.
Learn extra
How a serious glitch by Corporations Home revealed an uncomfortable reality about enterprise information – The Corporations Home incident highlighted the outdated means enterprise information is dealt with in a time the place fraud is rife. That is how we overcome it
Linking your communications is the important thing to raised information and visibility – Information siloes are the most important barrier to visibility. Unifying your communications gives you a a lot clearer overview – right here’s how
