All organisations must now give people a clear way to raise a data protection complaint, acknowledge it within 30 days, investigate it properly and communicate the outcome.

The ICO said that the changes would help organisations embed good practice, with the data protection complaints guidance designed to support companies of all sizes.

The guidance sets out expectations and practical examples on complaints businesses receive, including subject access requests, inaccuracies in personal data and marketing concerns.

The implementation of the latest legal requirements now mean that all outstanding provisions of the Data (Use and Access) Act are now in force.

Emily Keaney, deputy commissioner, regulatory policy at the ICO, said: “This is about good data protection becoming business as usual. A clear and fair complaints process helps people get their issues resolved and helps organisations identify and fix problems early.

“We recognise that some businesses, especially smaller ones, may still be adjusting. Our role is to support you; provide clarity and help you build complaints handling into your day‑to‑day operations.

“Getting this right isn’t just about compliance – it’s about trust, transparency and good customer relationships.”