By Carolyn Beal, Legal Compliance Consultant, Beal Cooper Compliance Ltd
It has been on the horizon for a while, but the deadline for implementing data protection complaints procedures is 19th June 2026 and it is important that firms do not simply rely on their existing client complaints procedure without amendment.
The Data (Use and Access) Act 2025 (“DUAA 2025”) requires a specific data protection complaints process.
Law firms are already required to have a complaints procedure and a process for protecting personal data, but complaints about the latter are not often specifically covered by the former.
Under the DUAA 2025, firms must:
provide a way for people to make data protection complaints
acknowledge the complaint within 30 days of receiving it
without undue delay, take appropriate steps to respond to the complaint, including making appropriate enquiries and ensuring the person is kept informed
without undue delay, tell the person the outcome of their complaint
There is no set way to deal with the requirements, so law firms could consider whether to adapt their existing complaints procedure, or whether to create a separate data protection complaints procedure.
My preference is for a separate procedure rather than combining the two. Although this means having two procedures, it will be much easier to manage. Client complaints and general data protection complaints will be overseen by separate regulatory bodies, with different mandatory requirements and regulatory approaches.
Attempting to cover the different requirements in one document will likely lead to complexity and room for confusion, for example, explaining which organisation to refer to if the complainant remains dissatisfied. How will you explain in plain terms which complaints will escalate to the Legal Ombudsman, the SRA, or the ICO, then explain the process to follow for each?
Data protection complaints can come from any individual, not just clients. Potential complainants to the SRA or LeO are more limited. The references to each type of complainant will be different.
Under the DUAA 2025, firms must accept complaints about data protection no matter how they are received, including over social media for firms with a social media presence.
Firms must consider their internal resources and ability to manage processes and complaints, to protect their reputation and avoid penalties. No matter how you plan to implement the requirements, it is helpful to consider:
Will you have a designated data protection email address?
How will you manage complaints received over the phone or via social media?
Will you reference the procedure in the client care letter alongside other complaints information, or will you reference it in a privacy notice?
Who is responsible for coordinating the process?
How will you train employees to recognise a data protection complaint and refer it to the correct person?
If data protection complaints will not be managed by your COLP, are you confident an upheld complaint will be reported to them as a breach?
When you create your data protection complaints procedure, as a minimum I’d recommend that it covers:
your preferred method for receiving complaints (remember that people can use other methods)
an explanation of how you will check the identity of the complainant
details of how you will deal with complaints made on behalf of others
an explanation of how you will keep people informed of progress
compliance with other regulatory requirements, such as equality legislation
confirmation of the complainant's right to escalate the matter to the ICO
publication of the procedure on your website
I can help firms decide on the best way for them to comply, so please get in touch for more information.
www.bealcoopercompliance.co.uk