The UK ICO's draft Complaints Guidance for Organisations: under consultation
The UK Information Commissioner's Office (ICO) has several draft guidance documents open for consultation in September 2025. We've written a series of short overviews of some of this draft guidance – our overview page can be used to navigate to other summaries: Draft ICO guidance and consultations: September update.
Some of this guidance, alongside other guidance that is anticipated in the ICO's pipeline, will form an important part of understanding how to apply the Data (Use and Access) Act 2025 (DUA Act). (See also our briefing: UK Data Reform: What you need to know about the Data (Use and Access) Act.)
This article relates to draft Complaints Guidance for Organisations. The consultation on this draft guidance closes on 19 October 2025 and responses can be submitted here.
Overview
The ICO's draft Complaints Guidance for Organisations is intended to help organisations handle data protection complaints effectively and in compliance with a new right for data subjects to complain directly to controllers in relation to an infringement of the UK GDPR. This right is introduced by the DUA Act through amendments to the Data Protection Act 2018. The new right will require controllers to take certain steps to facilitate the making of complaints by data subjects.
The draft guidance highlights the following legislative requirements:
- giving people a way of making data protection complaints to the controller;
- acknowledging receipt of complaints within 30 days of receiving them;
- without undue delay, taking appropriate steps to respond to complaints, including making appropriate enquiries, and keeping complainants informed (and making arrangements for continued complaints handling during staff absences); and
- informing complainants of the outcome of their complaints without undue delay.
The guidance also notes that controllers must be able to justify why they handled a complaint in a particular way.
The draft guidance also makes a number of good practice recommendations, including:
- developing a written complaints procedure and publishing it online or making it easily accessible at the earliest opportunity, using plain language to explain the process and timelines;
- providing a complaint form that individuals can submit electronically or in writing and/or allowing individuals to make a complaint over the phone, via live chat or via an online portal;
- if a controller receives complaints from or on behalf of children, using plain, clear language that children can understand;
- training staff to recognise and handle data protection complaints appropriately;
- keeping records of actions taken in connection with complaints, including verbal complaints, and ensuring record-keeping systems are organised and up to date to support investigations;
- developing a system for asking for supporting information or evidence from complainants at the earliest opportunity (with the draft guidance stating that controllers must be reasonable and proportionate in what they ask for, and must check whether third parties are authorised to act on a complainant's behalf);
- if complainants are unhappy with the outcome, letting them know that they have the right to complain to the ICO (which is required in transparency notices in any case) and providing the ICO's contact details;
- reviewing lessons learned from complaints investigations.
Key takeaways
Organisations that are subject to UK data protection law should:
- Anticipate an increase in the number of complaints they receive from data subjects.
- Review complaints handling processes and the information they make available regarding these.
- Monitor the DUA Act commencement regulations as they are made, to understand when the right to complain directly to a controller will become applicable.
- Consider whether to respond to the consultation (which closes on 19 October 2025).
- Monitor the ICO website for the final guidelines. The ICO has indicated that they aim to make these available by June 2026.