New Legal Requirement: Formal Complaint Procedures
From 19 June 2026, all organisations operating in the UK will be legally required to have a formal data protection complaints procedure in place. This requirement comes into force under the Data (Use and Access) Act 2025, and the deadline is only days away.
What Organisations Must Implement
Your firm must provide a clear mechanism for individuals to submit data protection complaints. This can take several forms: a dedicated complaints form (electronic or paper), an email address designated for complaints, or another documented process. The key is that it must be accessible and clearly communicated to clients and staff.
Once a complaint is received, you must acknowledge it within 30 days and respond to it without undue delay. You should document the complaint, your investigation, and your response in your records.
Why This Matters for Your Business
Even though accountants are not typically data controllers in the same way that software vendors or online retailers are, your firm almost certainly holds personal data: client contact information, employee records, and sensitive financial information. If a client or employee submits a data protection complaint, you must now have a formal process to handle it.
The ICO is consulting on updated enforcement guidance, signalling that data protection enforcement is a priority. Having compliant procedures in place protects your firm from potential regulatory action and demonstrates good governance to clients and regulators.
If you have not yet established a formal complaints procedure, do so immediately. If you already have one, review it to ensure it meets the statutory timeline requirements (30-day acknowledgement, response without undue delay).