eDiscovery
A new statutory obligation under the Data (Use and Access) Act 2025 comes into force on 19 June 2026. Every organisation that handles personal data must have a formal internal complaints process in place. Greg Deane, eDiscovery specialist at Forensic Control, explains why this is an eDiscovery challenge as much as a compliance one, and what you need to have in place before the deadline.
By Greg Deane | eDiscovery Specialist, Forensic Control | April 2026
On 19 June 2026, a new statutory obligation comes into force. Section 103 of the Data (Use and Access) Act 2025 inserts a new Section 164A into the Data Protection Act 2018, requiring every organisation that handles personal data to operate a formal internal complaints process. Individuals must raise data protection concerns with the organisation first and receive a response before they can escalate to the Information Commission.
In my experience, most organisations will treat this as a policy exercise. Update the privacy notice, create a complaints inbox, write a procedure. That addresses the documentation requirement. It does not address the operational reality.
When a data protection complaint is properly investigated, it requires the organisation to locate, review and in some cases produce personal data. That is an eDiscovery exercise. The individual has the right to a response without undue delay, which means searching systems quickly, identifying relevant data across multiple sources, assessing what can be disclosed and what is subject to exemptions, and producing a coherent, documented response. Organisations that manage Data Subject Access Requests (DSARs) effectively will find this workflow familiar. Those that do not will find that 19 June exposes the gap.
Organisations must acknowledge receipt of a complaint within 30 days. That window starts the day after receipt, regardless of weekends or bank holidays. Missing it is a direct breach of the new statutory duty and a straightforward metric for the Information Commission to audit. An organisation that cannot demonstrate timely acknowledgement has already failed, regardless of whether the underlying data handling was lawful.
What makes this operationally complex is the breadth of what constitutes a complaint. It does not need to use legal language or arrive by email. A message via social media, a telephone conversation, or an informal written communication all trigger the same obligation. The requirement is to recognise a complaint in whatever form it arrives, route it correctly, and start the clock.
I regularly see organisations discover this gap only when a matter has already escalated. By then, the window has been missed and the breach is on record.
The Information Commissioner’s Office is transitioning to a new Information Commission board structure in 2026, with strengthened enforcement powers. Penalties for Privacy and Electronic Communications Regulations breaches, which are often the root cause of data protection complaints, have been raised to GDPR levels: up to 17.5 million pounds or 4% of global annual turnover.
A complaint mishandled at the internal stage, whether a missed acknowledgement deadline, an inadequate investigation, or a non-compliant response, can now escalate to significantly higher financial consequences than was previously the case. The 19 June deadline is not a box-ticking exercise. It is the point at which the regulator gains a clear, auditable mechanism for identifying organisations that are structurally unprepared.
The organisations best placed to meet this obligation are those with a functioning DSAR process. The underlying workflow is materially the same: identify the complaint, locate relevant data, assess exemptions, produce a response within a defined timeframe. If your DSAR process is working, extending it to cover the new complaints obligation is a manageable step.
For those starting from scratch, the priority is establishing a single intake point that can recognise a data protection complaint in any form, a defined routing and escalation path, and a named individual responsible for investigation and response. The harder question, and the one I would ask first, is whether your systems can actually be searched quickly enough to meet the timeline. That is where most organisations discover the real gap.
If your organisation has not yet audited its ability to locate and produce personal data on request, that audit is the starting point. The complaints obligation and the DSAR obligation are variations of the same underlying challenge. Getting one right makes the other manageable.
| How Forensic Control can help Forensic Control provides managed eDiscovery for organisations navigating data protection investigations, DSAR obligations and regulatory compliance. If you need to review your current process or are facing an investigation, speak to an expert or call 020 7664 4522. |
On 19 June 2026, Stage 4 of the Data (Use and Access) Act 2025 commences. Section 103 of the Act inserts a new Section 164A into the Data Protection Act 2018, requiring every organisation that handles personal data to operate a formal internal complaints process. Individuals must raise complaints with the organisation first and receive a response before they can escalate to the Information Commission.
Investigating a data protection complaint properly requires the organisation to locate, review and in some cases produce personal data across multiple systems. That is the same workflow as a DSAR: identify the relevant data, assess exemptions and privilege, and produce a documented response within a statutory timeframe. Organisations without an effective data investigation capability will struggle to meet the new complaints obligation, just as they struggle with existing DSAR obligations.
Failing to acknowledge a data protection complaint within 30 days of receipt is a direct breach of the new statutory duty under the Data (Use and Access) Act 2025. The window starts the day after receipt, regardless of weekends or bank holidays. The Information Commission can audit this directly, making it one of the most straightforward compliance failures to identify and act on.
No. A complaint does not need to use legal terminology or arrive by email. Complaints made via social media, telephone or informal written communication all trigger the same obligation. Organisations must be able to recognise a complaint in whatever form it arrives and route it through their internal process within the required timeframe.
Under the Data (Use and Access) Act 2025, penalties for Privacy and Electronic Communications Regulations breaches have been raised to GDPR levels: up to 17.5 million pounds or 4% of global annual turnover, whichever is higher. A failure at the internal complaints stage, whether a missed acknowledgement, an inadequate investigation or a non-compliant response, can escalate to formal regulatory action under this strengthened framework.
Safeguard your business with our expert cyber security solutions. Whether you require digital forensics, penetration testing or proactive security assessments, our team is ready to assist. Contact us today to discuss your security needs and take the first step towards a more secure future.
