New ICO Complaints Process Requirements: What Financial Firms Need to Do Before 19 June 2026
- Roland Romata

Financial firms already operate in a complaints-heavy environment, but the new ICO requirements on data protection complaints mean many existing arrangements now need to be reviewed. From 19 June 2026, organisations must have a process for handling data protection complaints under changes introduced by the Data (Use and Access) Act 2025 (DUAA). The ICO published guidance on 12 February 2026 to help organisations prepare, and it is clear that these requirements are intended to be operational, not theoretical.
For financial firms, the implementation challenge is not simply whether there is a generic complaints process somewhere in the business. The key questions are more specific: which Senior Management Function (SMF) holder is responsible, whether current complaints arrangements actually meet the new requirements, and how the process should work in practice across compliance, operations, customer functions, legal and data protection teams. That is where firms need to move quickly.
What DUAA changes
DUAA inserts a new complaint-handling framework into the Data Protection Act 2018. In practical terms, a data subject may complain to the controller if they believe the organisation has infringed data protection law in relation to their personal data. The controller must facilitate the making of complaints, acknowledge them within 30 days, take appropriate steps to respond without undue delay, keep the complainant informed about progress, and notify them of the outcome without undue delay. The relevant provisions come into force on 19 June 2026, and the ICO has been explicit that organisations should be preparing now.
The ICO also makes clear that there are no exemptions from the requirement to have a complaints process. Firms can build this into an existing framework rather than create a separate standalone process, but there must be a process that is accessible, understood, and capable of delivering the required steps.
Why this matters for financial firms
Many financial firms may initially assume that their existing arrangements under DISP (the FCA's Dispute Resolution: Complaints sourcebook) are enough. In some cases, those arrangements will provide a useful foundation. DISP already requires firms to put in place and operate effective and transparent procedures for the reasonable and prompt handling of complaints, and to allow complaints to be made by any reasonable means.
But the new ICO requirements do not map perfectly onto a standard FCA customer complaint model. A data protection complaint can come from a customer, employee, applicant, beneficiary or any other data subject. It may arise through a subject access request (SAR), a privacy query, a marketing opt-out issue, a retention challenge, a breach concern, or a complaint made through social media or another non-traditional channel. The complainant does not need to use legal language, or the word "complaint", for it to count.
That means firms need to test whether current arrangements really capture privacy complaints consistently across the organisation, rather than assuming the issue is covered because a general complaints policy exists.
Which SMF should own this?
This is likely to be the most important governance question for regulated firms.
DUAA and the ICO guidance do not prescribe a named SMF. The ICO’s position is that organisations should decide internally who is best placed to handle data protection complaints. For financial firms, that makes this a governance and accountability decision that should be reflected in the firm’s operating model and, where relevant, its Statements of Responsibilities and oversight structure.
Under the FCA framework, firms must have robust governance arrangements with clear, transparent and consistent lines of responsibility. FCA-prescribed responsibilities must be allocated so it is clear who holds them, and the regulator generally expects responsibilities not to be fragmented unnecessarily across multiple SMFs.
So the right question is not whether there is a default “DUAA SMF”. The right question is: which SMF already owns the framework that should control this risk? Depending on the firm, that may sit most naturally with compliance oversight, operations, customer functions, conduct governance or broader data governance. What matters is that the allocation is deliberate, documented, and aligned to how the process actually works in practice.
Are current arrangements good enough?
Firms should now be carrying out a practical gap analysis against the ICO guidance.
That review should test whether the firm has a clear route for data protection complaints, whether staff can identify them across all relevant channels, whether acknowledgements can be issued within the 30-day limit and outcomes communicated without undue delay, and whether the process allows the firm to keep complainants informed of progress in the meantime. Firms should also check whether the current process distinguishes clearly between a service complaint, a rights request, a breach notification and a data protection complaint, while still recognising that one issue may overlap with another.
The review should also include record keeping. The ICO expects organisations to retain evidence of the complaint, acknowledgment, investigation steps, outcome and any actions taken. For financial firms, that should sit within existing governance and MI structures so that recurring themes, control weaknesses and remediation actions can be identified and escalated appropriately.
Conflict considerations
Financial firms should also consider whether current arrangements create a conflict.
A data protection complaint may relate to the same business area that collected the data, refused a rights request, handled a customer interaction, or managed an outsourced provider. If that same area is also responsible for triage, investigation and sign-off, the firm should ask whether the process contains enough independence and challenge. FCA rules require firms within scope to establish, implement and maintain an effective written conflicts of interest policy. Even where SYSC 10 does not apply in the same way to every firm type, the broader governance principle still matters: the process must be defensible, not self-serving.
What firms should do now
Before 19 June 2026, financial firms should make sure they have:
1. Allocated ownership
Decided which SMF has end-to-end accountability for the framework, including oversight, escalation, management information and remediation.
2. Reviewed the process
Tested whether current complaints arrangements meet the ICO’s new requirements for data protection complaints, rather than assuming existing DISP processes are enough.
3. Checked intake channels
Confirmed that complaints can be identified and routed correctly whether they arrive by email, webform, customer services, HR, compliance, SAR teams or social media.
4. Assessed conflicts
Reviewed whether investigation and sign-off arrangements provide sufficient independence and challenge.
5. Updated training and desk-level guidance
Ensured that front-line and control staff know what a data protection complaint looks like, when the clock starts, and where the issue must be escalated.
Final thought
For financial firms, this is not just a privacy update. It is a governance, SMF and implementation issue. Firms should now be asking who owns the framework, whether current arrangements meet the new ICO requirements, and how those changes will be embedded across the business before 19 June 2026. Firms that leave this too late risk discovering that their complaints process works on paper, but not in practice.
RegZone.io training solutions and free desk aid
Need support turning the new ICO requirements into something practical?
RegZone.io provides targeted training solutions to help firms understand the DUAA changes, identify the right SMF ownership model, and train staff on how to recognise and handle data protection complaints in line with the new ICO expectations.
You can also request our free desk aid, designed to help teams quickly identify:
what counts as a data protection complaint,
where it should be routed,
what the timeframes are,
and which governance and conflict points need to be considered.
Contact RR Compliance to access the RegZone.io training solution and request your free DUAA data protection complaints desk aid.