# The ICO’s New Data Protection Complaints Guidance: What It Means for DSAR Disputes and Privacy Operations

Canonical URL: https://xpertdpo.com/ico-data-protection-complaints-dsar-disputes/

Content type: Article

Published: 2026-05-29T10:59:08+01:00

Updated: 2026-05-29T12:01:29+01:00

Author: Philipa Jane Farley, Head of Legal and Operations

Summary: The ICO's complaints guidance gives privacy teams a timely opportunity to strengthen DSAR dispute handling, evidence review decisions, and reduce avoidable escalation.

## Article

The ICO has published [guidance on how organisations should deal with data protection complaints](https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/). The guidance supports new requirements introduced by the [Data (Use and Access) Act 2025](https://www.gov.uk/guidance/data-use-and-access-act-2025-data-protection-and-privacy-changes). Those requirements are not due to come into force until 19 June 2026, but the ICO has made clear that the approach set out in the guidance is already good practice.

 For privacy operations teams, compliance officers and DPOs, the guidance is worth reading as more than a new administrative requirement. It gives organisations a clearer structure for receiving, acknowledging, investigating and resolving data protection complaints before matters escalate unnecessarily.

 That will be especially important for disputes arising from [subject access requests](https://xpertdpo.com/data-subject-access-request-dsar-support/), often referred to as SARs or DSARs. A complaint about a DSAR response is rarely just about the final bundle of documents. It is usually about the decisions behind that response: what was searched, what was included, what was withheld, what was redacted, and how clearly those decisions were explained.

 The new complaints process creates an opportunity to review those decisions in a more structured way.

> The real test is not whether a complaints route exists. It is whether the organisation can evidence how the challenged decision was reached.

### What the guidance is for

 The guidance explains what organisations need to do to have a data protection complaints process. It applies where a person considers that an organisation has infringed data protection legislation in relation to their personal information, or the personal information of someone they are authorised to act for.

 The complaint does not need to arrive in legal language. It may be framed as a concern about a DSAR response, the accuracy of personal data, retention, security, transparency, use of personal data, or the way an organisation handled a previous request.

 This matters operationally because complaints may arrive through many routes. A person might contact a privacy inbox, customer service team, HR team, complaints department, call centre, social media account, branch, relationship manager or named employee. The organisation’s preferred route is not the only route that matters.

 The first practical requirement is therefore recognition. Staff need to know when a complaint includes a data protection issue, even if it is mixed with a service, employment, contractual or customer-care concern.

### The core process

 The ICO summarises the new requirements in practical terms. Organisations must:

- give people a way to make data protection complaints;
- acknowledge receipt within 30 days;
- take appropriate steps to respond without undue delay, including making appropriate enquiries and keeping the person informed; and
- tell the person the outcome without undue delay.

 The [30-day acknowledgement period](https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/what-do-we-do-when-we-receive-a-complaint/) starts the day after the complaint is received. Importantly, the duty to investigate does not wait until that acknowledgement period has expired. The organisation should begin considering the complaint when it receives it.

 In practice, an effective process needs to answer a few basic questions.

- How can people complain about data protection issues?
- How will staff recognise and route those complaints?
- Who owns the investigation?
- What evidence needs to be reviewed?
- How will the organisation keep the person informed?
- What will the outcome response say?
- How will themes and repeated issues be reported back into privacy governance?

 The ICO does not require every organisation to create a separate complaints platform. Existing complaint-handling arrangements may be adapted, provided they meet the data protection requirements. The key question is whether the process works in practice and whether the organisation can evidence what it did.

### What investigation should look like

 The ICO expects organisations to [make appropriate enquiries](https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/what-do-we-do-when-we-receive-a-complaint/). That means looking at the relevant facts, speaking to relevant staff where needed, comparing the complaint with information held by the organisation, and checking whether internal policies and standards were followed.

 The right level of enquiry will depend on the complaint. Some complaints can be resolved quickly with clarification or a corrected explanation. Others, including more complex DSAR disputes, may require a fuller review of search scope, exemptions, redaction reasoning, third-party data decisions, response letters and approval records.

 The organisation should also keep the person informed. In many cases, this will mean giving realistic timeframes, explaining delays, and providing a point of contact. For privacy teams, this is not only about regulatory compliance. It is also about maintaining trust while the issue is being reviewed.

 At the end of the investigation, the organisation should [provide an outcome](https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/what-do-we-do-after-we-ve-finished-our-investigation/). A useful outcome response should identify what was reviewed, explain the conclusion, and set out any action taken. Where a complaint raises several points, a point-by-point response will often be easier for the person to understand and easier for the organisation to defend if the matter later goes to the ICO.

### Why DSAR complaints need a different level of evidence

 DSAR complaints are a natural test case for the new process.

 A DSAR response is the result of a chain of decisions. The organisation may have had to identify relevant systems, define search parameters, review records, apply exemptions, redact third-party data, prepare a disclosure schedule, draft supplementary information, and approve the final response.

> A DSAR complaint is often an evidence problem before it is a legal argument.

 If the requester later complains, the organisation needs to be able to reconstruct that chain. It should be able to see what was sent, when it was sent, who approved it, what rationale supported any redactions or withholding, and whether the response explained the position clearly enough.

 That evidence trail is not only useful for defending the original response. It also supports a more balanced reconsideration. A complaint review may conclude that the original response was sound. It may also conclude that further disclosure, a clearer explanation, a correction, an apology or a process improvement is appropriate. This is closely linked to the broader question of privacy accountability evidence.

 That is the value of handling the complaint as a review process rather than as a defensive correspondence exercise.

### AI-assisted DSARs and complaints

 The guidance also lands at a time when DSARs and follow-up complaints are increasingly likely to be supported by AI tools, online templates or automated drafting. That does not make them invalid. People are entitled to help when exercising their rights.

 However, AI-assisted requests and complaints can change the workload for privacy teams. They may be broad, polished, legalistic or repetitive. They may challenge redactions or search scope in general terms without clearly identifying the specific concern. The same evidence discipline that matters for [AI governance and DPIA lifecycle support](https://xpertdpo.com/ai-governance-dpia-lifecycle-support/) is relevant here: the organisation needs to understand the real use case, the real risk and the real decision being challenged.

 The appropriate response is not to discount the complaint because it appears templated, nor to treat every broad challenge as equally well-founded. The appropriate response is disciplined triage.

 Privacy teams should ask:

- what decision is actually being challenged;
- whether the complaint identifies a real data protection issue;
- what evidence supports the organisation’s original position;
- whether the response could have been explained more clearly; and
- whether a practical resolution is available.

 In that sense, the ICO’s complaints process can help organisations manage AI-assisted DSAR disputes fairly. It gives the team a route to narrow the issue, review the evidence, and respond to the substance of the concern rather than the volume or style of the wording.

### What senior privacy teams should do now

 The period before 19 June 2026 is useful preparation time. Organisations should not wait until the requirements are in force before checking whether their complaint-handling arrangements will work.

 For senior privacy operations teams, compliance officers and DPOs, the practical review should include:

- mapping all likely intake routes for data protection complaints;
- training front-line and specialist teams to recognise data protection issues;
- defining ownership between privacy, legal, HR, customer services and complaints teams;
- connecting complaints to the original rights request, incident, DPIA, policy issue or processing activity;
- setting acknowledgement and update expectations;
- recording enquiries, outcomes and actions taken; and
- reviewing complaint themes as part of privacy assurance.

 For DSARs, the most important improvement is often evidence linkage. A complaint should be linked back to the original request, search evidence, decision records, disclosure schedule, response letter, redaction rationale, issue record and approval history. For teams under sustained rights-handling pressure, this is often where [specialist DPO support](https://xpertdpo.com/dpo-support/) becomes useful.

 Without that linkage, the complaint handler may be left trying to reconstruct the original response from emails, local folders and memory. That is rarely a strong position.

### Where Darrex fits

 At XpertDPO, this guidance reflects a challenge our senior team already sees in practice. Data protection complaints are not only correspondence exercises. They test whether the organisation can find the operational truth behind a decision: what happened, what was reviewed, why a position was taken, and whether that position remains defensible.

 That is one of the reasons we have been adapting Darrex, our privacy operations support surface, to reflect the way complaint handling and DSAR review are evolving. Darrex is designed to help privacy teams keep the operational record, reasoning trail and review posture together, rather than separating them across inboxes, spreadsheets, local files and case notes.

 For DSAR complaints, this is particularly important. If the complaint challenges an issued DSAR response, the reviewer should not have to reconstruct the matter from memory or disconnected documents. The complaint should be linked to the response-of-record: the issued pack, response letter, disclosure schedule, redaction rationale, approval history, issue record and audit trail.

 The DSAR workbench output is designed to support the kind of evidence an organisation is likely to need if the matter later reaches the ICO. It can show what was searched, what was found, what was disclosed, what was redacted or withheld, who reviewed the position, what rationale was recorded, and what was actually issued to the requester. That evidence also supports wider [board, legal and privacy assurance](https://xpertdpo.com/board-legal-privacy-assurance/) where senior stakeholders need confidence that the organisation can explain its handling record.

 That does not guarantee the ICO will agree with the organisation’s decision. Nor does it replace DPO judgement or legal review. Its value is more practical and, in many ways, more important: it helps surface the truth of the handling record. If the original response was sound, the evidence should be easier to explain. If there was a gap, the organisation should be able to identify it earlier and respond more appropriately.

> Darrex does not replace judgement. It helps preserve the record that judgement needs.

 For organisations handling increasing volumes of DSARs and DSAR-related complaints, that distinction is important. The value is not simply case management. The value is being able to preserve the original response, open a complaint review, and make a documented decision without losing the history of what happened.

### Our view

 The ICO’s guidance is a sensible development. It gives organisations a clearer opportunity to resolve data protection complaints directly and constructively, while also improving the evidence base where escalation does occur. Where an issue does move into regulator correspondence, the same handling record becomes relevant to [regulator response support](https://xpertdpo.com/regulator-response-support/).

 For DSAR disputes, this could be particularly useful. Many DSAR complaints are not only about legal disagreement. They are about intelligibility, confidence and trust. The requester wants to understand what was searched, what was withheld, why something was redacted, or why the organisation believes its response was complete.

 A well-run complaints process will not prevent every ICO complaint. Nor should it be used to deter people from exercising their rights. But it can help organisations respond more fairly, identify genuine weaknesses, correct avoidable defects and explain defensible decisions more clearly.

 The risk is that organisations treat the process as a policy update only. A complaints route and an acknowledgement template will not be enough if the team cannot find the underlying evidence or explain the original decision. That is why complaint handling should also be considered alongside [audit readiness and evidence resilience](https://xpertdpo.com/from-privacy-metrics-to-audit-resilience/).

 The better approach is to treat data protection complaints as part of privacy operations and accountability. They should sit close to DSAR handling, DPO review, incident learning, DPIA governance and assurance reporting.

 Done well, the new process should help organisations move complaints back into a managed, evidence-based conversation before they become more formal, more adversarial and harder to resolve.

 If your organisation is reviewing how it handles DSAR complaints, redaction challenges or ICO escalation risk, XpertDPO can support the review through [DSAR support](https://xpertdpo.com/data-subject-access-request-dsar-support/), [DPO support for in-house privacy teams](https://xpertdpo.com/dpo-support/) and [regulator response support](https://xpertdpo.com/regulator-response-support/).

### Sources

- ICO, [How to deal with data protection complaints](https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/)
- ICO, [What do we do when we receive a complaint?](https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/what-do-we-do-when-we-receive-a-complaint/)
- ICO, [What do we do after we’ve finished our investigation?](https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/what-do-we-do-after-we-ve-finished-our-investigation/)
- GOV.UK, [Data (Use and Access) Act 2025: data protection and privacy changes](https://www.gov.uk/guidance/data-use-and-access-act-2025-data-protection-and-privacy-changes)


## General Information Only

This article is provided for general information and does not constitute legal, regulatory, or professional advice. Data protection obligations depend on the specific facts, context, and jurisdiction involved. You should not rely on this content as a substitute for advice tailored to your organisation.

