The Information Commissioner’s Office (ICO) has issued new guidance on how organisations should handle data protection requests, including data protection complaints, as part of preparations for major reforms coming into force under the Data (Use and Access) Act 2025 (DUAA).
The guidance was published on 12 February 2026 and is intended to help organisations meet new statutory duties before they become legally binding in June. The guidance sets out, for the first time, a mandatory requirement for organisations to have a formal process for handling data protection complaints. The ICO emphasises that “there are no exemptions to this”, and that all organisations - public, private and third sector - must be able to demonstrate a clear, accessible and timely complaints pathway.
Although the new duty does not take effect until 19 June 2026, the ICO says early publication is intended to give organisations time to prepare and embed compliant processes. The regulator also stresses that the standards set out represent good practice even before the law changes.
The guidance forms part of a broader package of updates linked to the DUAA, which introduces new investigatory powers for the ICO and amends the UK GDPR and Data Protection Act 2018. These include enhanced enforcement tools, the ability to compel witnesses, and strengthened obligations around transparency and accountability.
The DUAA also introduces reforms to Data Subject Access Requests (DSARs), including clearer timelines and a more structured approach to extensions—changes that employers and public authorities are being urged to prepare for.
The ICO’s new guidance provides practical steps for organisations, including:
- establishing a dedicated complaints handling process
- ensuring staff understand how to identify and escalate data protection concerns
- providing clear information to individuals about how to complain
- responding promptly and proportionately
- documenting decisions and outcomes to demonstrate compliance
The regulator says the aim is to improve user experience, reduce unnecessary escalation to the ICO, and ensure organisations resolve issues at the earliest opportunity.
The guidance marks a significant shift in the ICO’s expectations of organisations’ internal governance. Analysts have highlighted that the new statutory complaints duty mirrors existing requirements in regulated sectors such as financial services, signalling a more formalised approach to data protection accountability.
