The UK’s data protection landscape is undergoing another change! From 19 June 2026, all organisations acting as data controllers are legally required to maintain and follow a publicly accessible process for handling data protection complaints.
New data rules can feel like more paperwork, but this change is actually a helpful shift. Individuals are now required to come to your organisation first and you have a new timeframe to acknowledge queries directly. This gives your organisation the opportunity to resolve issues before they go any further.
Q2: How is this different to before?
Let’s look at a practical example:
Imagine an art gallery accidentally keeps a collector's contact details on file after being asked to delete them.
Previously, that collector could send a complaint to the Information Commissioner’s Office (ICO). The gallery might only find out weeks later when the ICO informs the gallery of the complaint.
Now, the ICO will only act if the collector has tried to resolve the issue with the gallery first. To support this, the gallery must maintain and follow a publicly accessible data protection complaints process. Once a complaint is received, the gallery has a strict 30-day window to acknowledge it, and it must then investigate and provide a full response 'without undue delay'. This ensures the collector has a clear route to raise their concerns and reach a resolution with the gallery directly.




Q3: Does it apply to my organisation?
If your organisation determines the ‘purpose’ (why) and the ‘means’ (how) of processing personal data, the data protection rules will apply.
Ask yourself: Does our organisation decide what happens to the data and why?
If you do, your organisation is a data controller. Examples include:
- Holding contact details for clients, customers, or audiences.
- Managing talent databases, CVs, or casting sheets.
- Using third-party platforms to send newsletters or promotional emails.
See the ICO’s helpful checklists to determine which category your organisation falls into.
Q4: What can my organisation do to prepare?
Build an accessible process: Give individuals a clear path to complain by providing an online form or a dedicated email address. However, keep in mind that even an informal email to a team member can start the process.
Update your official policies: Refresh your website’s privacy notice and your standard Data Subject Access Request (DSAR) templates to reflect these new rules. Your internal policy must clearly state that if a complaint remains unresolved, the complainant has the right to contact the ICO. You must include this information in all final responses to complainants.
Train your team: Ensure front-of-house, gallery, and administrative staff can spot an informal data grievance (like a casual request to be removed from a list) so they don't ignore it.
Keep records: Your organisation must be able to prove exactly when a complaint arrived, when you acknowledged it, and when it was fully resolved.
Q5: Where can I find further guidance?
ProArtsPlus is here to ensure you’re ready for these changes. Whether you need help drafting your complaints process or updating your privacy notices, we’re here to provide support. Check out our Data Protection Services page for more information.
For further guidance, you can visit the ICO’s website:



