Best Practice Update

    You are here:  
  1. Home
  2. Best Practice Update
  3. Complaints vs. Data Rights: A Guide
A man's hand, seen from the side, reaches forward with his index finger extended, seemingly to touch a floating, transparent button with the word "COMPLAINTS" on it. Above the button, in large white text, are the words "Data Rights" and "vs General." The background is a blurry, dark office setting with faint hexagonal shapes overlaid on it. In the bottom right corner is a logo for "Data Protection Officer."
Best Practice Updates

Complaints vs. Data Rights: A Guide

With the recent Data Use and Access Act, organisations must now be more precise than ever about how they handle data rights concerns; the complaints process for data rights is clarified and formalised. This article discusses best practice around which complaints process to use when you receive a complaint.

The DUAA received Royal Ascent in June 2025 and is designed to modernise and simplify the UK's data protection framework. It introduces key adjustments to how organisations manage data subject requests and digital interactions.  It formalises a direct complaints handling process, encouraging individuals to raise issues with the data controller first.

You should use the data rights complaints process when your issue is related to personal data being handled incorrectly or unlawfully - an organisation should already have tried to resolve the issue with the complainant.

When issues are not relating to data protection, the general complaints process should be used, including about how a complaint is handled.

When to use the Data Rights Complaints Process

  • Your issue is about personal data - if the organisation has mishandled personal data, for example, not giving access to it, not deleting it when asked or not keeping it secure.
  • You have already tried to resolve it - the ICO expects you to try to resolve the issue first.
  • The issue involves a breach of data protection laws

Important - data rights complaints should be reported to your DPO and added to the complaints log.

Important - remember the ICO expects you to have already tried to resolve the issue (you should also document this).

ICO Complaints Page

ICO: How to handle complaints step by step 

DPE Customers can access our Data Rights Complaints Process Template

When to use the General Complaints Process

  • The complaint is not related to personal data - for example if someone wants to complain about a service they received from the organisation.
  • Someone is complaining about a specific service or situation not relating to personal data.
  • Someone needs to complain about a complaints handling process - for example if an initial complaint is mishandled.

Q: We're a small organisation do we need two processes for complaints?

The ICO says an appropriate complaints procedure may include information about how people can raise data protection complaints, how you'll handle them and how long it will take.

Ideally the processes should be separate; the DPO can help with the data rights complaints process but not an organisation's general complaints process.  

Q: What do I do if someone raises a complaint directly with the ICO about my organisation?

The ICO says if someone tells you they're raising a complaint with them, there is no need for you to tell them and they will be in touch if they need more information.  You should let your DPO know and ensure it is added to the complaints log.

Q: Will the ICO want to see my complaints log?

Yes, the ICO may ask for the log for evidence of compliance, to assess patterns of behaviour and to understand the context.

Q: What should I record in the log?

Ensure you log each complaint with dates, details, steps taken and the outcome.  You may need to cross reference other information, for example if a subject access request response is mishandled.

©2025 Data Protection Education Ltd.

Search