ICO Data Protection Complaints Process: Controller Requirements
When handling UK data privacy compliance, aligning with the **ICO data protection complaints process** is critical. Under the **Data (Use and Access) Act 2025 (DUAA)** coming into force on **19 June 2026**, data controllers must operate public data complaints channels and maintain audit logs.
How the ICO Handles Complaints
Under Section 103 of the DUAA (which inserts Section 164A into the Data Protection Act 2018), individuals have a statutory right to complain directly to a data controller regarding how their personal details are handled. If the individual remains dissatisfied, or if the controller fails to formally acknowledge the complaint within **30 calendar days**, the individual can escalate the dispute to the ICO.
Upon receiving an escalated complaint, the ICO determines whether the controller met its statutory duties:
- Did the controller provide a publicly accessible data complaints route?
- Was a formal receipt sent within the 30-day window?
- Did the controller investigate the dispute and keep internal records?
Core Steps of a Compliant Complaints Handling Workflow
To satisfy the ICO's standards, data controllers must structure their internal processes to support compliance:
- Provide free channels: Accept data protection complaints via email, web portal, or post.
- Acknowledge within 30 days: Send a formal acknowledgement that confirms receipt and states the timeline and a unique complaint ID.
- Maintain log registers: Keep spreadsheets or CSV logs documenting dates, officers, and final resolutions.
Regulatory Risk & Scrutiny
Failing to have a complaints process may increase regulatory risk, ICO scrutiny, and the likelihood of escalation. Under the DUAA, the regulator has authority to issue compliance orders and audit internal records.
Bespoke drafting through commercial solicitors can be expensive. The DUAA Shield complaints policy pack provides small organisations with a practical, ready-to-adapt starting point for a one-time £20 fee.
Frequently Asked Questions
Is this complaints policy template ICO-compliant?
Yes. The templates are designed to support compliance with the workflow expectations of the ICO under the Data Protection Act 2018 (amended by DUAA 2025).
Can we edit the documents after generating them?
Yes. The deliverables (PDF policy, website wording, internal tracker CSV) can be modified to match your operational context.