New legal requirements on how businesses and organisations handle data protection issues have today come into force.
From Tuesday, organisations operating in the UK are required to give people a clear way to raise a data protection complaint, acknowledge it within 30 days, investigate it appropriately and communicate the outcome.
According to the UK data regulator, the Information Commissioner’s Office (ICO), the new rules exist to encourage businesses to embed good practices, rather than trying to catch out bad behaviour.
“This is about good data protection becoming business as usual. A clear and fair complaints process helps people get their issues resolved and helps organisations identify and fix problems early,” said Emily Keaney, deputy commissioner of regulatory policy at the ICO.
“We recognise that some businesses, especially smaller ones, may still be adjusting. Our role is to support you; provide clarity and help you build complaints handling into your day‑to‑day operations.
“Getting this right isn’t just about compliance – it’s about trust, transparency and good customer relationships.”
The enforcement comes days after the 12-month commencement of the Data (Use and Access) Act.
The ICO has encouraged businesses to use the guidance and resources it offers to review and refine their data protection complaints processes.
