Best Practice Update

 A man's hand, seen from the side, reaches forward with his index finger extended, seemingly to touch a floating, transparent button with the word "COMPLAINTS" on it. Above the button, in large white text, are the words "Data Rights" and "vs General." The background is a blurry, dark office setting with faint hexagonal shapes overlaid on it. In the bottom right corner is a logo for "Data Protection Officer."

Complaints vs. Data Rights: A Guide

With the recent Data Use and Access Act, organisations must now be more precise than ever about how they handle data rights concerns; the complaints process for data rights is clarified and formalised. This article discusses best practice around which complaints process to use when you receive a complaint.

The DUAA received Royal Ascent in June 2025 and is designed to modernise and simplify the UK's data protection framework. It introduces key adjustments to how organisations manage data subject requests and digital interactions.  It formalises a direct complaints handling process, encouraging individuals to raise issues with the data controller first.

You should use the data rights complaints process when your issue is related to personal data being handled incorrectly or unlawfully - an organisation should already have tried to resolve the issue with the complainant.

When issues are not relating to data protection, the general complaints process should be used, including about how a complaint is handled.

When to use the Data Rights Complaints Process

  • Your issue is about personal data - if the organisation has mishandled personal data, for example, not giving access to it, not deleting it when asked or not keeping it secure.
  • You have already tried to resolve it - the ICO expects you to try to resolve the issue first.
  • The issue involves a breach of data protection laws

Important - data rights complaints should be reported to your DPO and added to the complaints log.

Important - remember the ICO expects you to have already tried to resolve the issue (you should also document this).

ICO Complaints Page

ICO: How to handle complaints step by step 

DPE Customers can access our Data Rights Complaints Process Template

DPE Customers should log the complaint in the complaints log which can be accessed via the Knowledge Bank Dashboard:

 A dashboard displaying four main logs and a smaller one titled "DP Complaint Log."  The main logs are:  Tickets: A grey pie chart showing 40 Closed tickets out of a Total: 40.  SAR & Data Rights Log: A pie chart with sections for Open (light blue), In progress (green), Due in 7 Days (yellow), and Overdue (red). It shows 28 Closed out of a Total: 33.  Breach Log: A pie chart with sections for Open (light blue), Last 72 hours (green), In progress (yellow), and Reported to ICO (red). It shows 15 Closed out of a Total: 20.  FOI & EIR Log: A light blue pie chart with small sections for Open, In progress, Due in 7 Days, and Overdue. It shows 4 Closed out of a Total: 6.  The highlighted log is the DP Complaint Log. Its pie chart is divided into three sections: Open (light green), DPO investigation (yellow), and ICO referral (dark green). It shows 0 Closed out of a Total: 3.

The complaints log is also included in the Data Protection Overview Report:

 A screenshot of a Data Protection Compliance Overview report interface.  At the top, there are input fields for Start Date, End Date, and a dropdown to Select a date range (currently set to "Last 12 Months"), followed by action buttons: Get Report, Report Export, Submit, Submit & Send To Admin, and Cancel.  The main body of the report displays:  Report Title: Data Protection Compliance Overview  Organisation: AAA DPE Demo School  Date Report Created: 19-11-2025  Report Date Range: 19-11-2024 - 19-11-2025  Requested By: Tammy Buchanan  The bottom section, titled Number and Status of Complaints, contains a table and a corresponding pie chart:  Existing logs open at the start of the reporting period: 0  Number Of logs closed during the period: 1  New logs created during the reporting period: 3  Total logs closed during the reporting period: 1  Average lifecycle duration initiation to resolution (days): 53  The pie chart visually represents the data with four sections:  Existing logs open at the start of the reporting period - 0 (small pink slice)  Number Of logs closed during the period - 1 (blue slice)  New logs created during the reporting period - 3 (large yellow slice)  Total logs closed during the reporting period - 1 (teal slice)

When to use the General Complaints Process

  • The complaint is not related to personal data - for example if someone wants to complain about a service they received from the organisation.
  • Someone is complaining about a specific service or situation not relating to personal data.
  • Someone needs to complain about a complaints handling process - for example if an initial complaint is mishandled.

Q: We're a small organisation do we need two processes for complaints?

The ICO says an appropriate complaints procedure may include information about how people can raise data protection complaints, how you'll handle them and how long it will take.

Ideally the processes should be separate; the DPO can help with the data rights complaints process but not an organisation's general complaints process.  

Q: What do I do if someone raises a complaint directly with the ICO about my organisation?

The ICO says if someone tells you they're raising a complaint with them, there is no need for you to tell them and they will be in touch if they need more information.  You should let your DPO know and ensure it is added to the complaints log.

Q: Will the ICO want to see my complaints log?

Yes, the ICO may ask for the log for evidence of compliance, to assess patterns of behaviour and to understand the context.

Q: What should I record in the log?

Ensure you log each complaint with dates, details, steps taken and the outcome.  You may need to cross reference other information, for example if a subject access request response is mishandled.

Search