0330 055 2678 | Client Portal |

0330 055 2678 | Client Portal |

19 June Data Protection Deadline: Can You Prove Your Complaints Process Works?

From 19 June 2026, organisations across the UK will be legally required to handle data protection complaints under the Data (Use and Access) Act 2025. The ICO has confirmed that businesses need a data protection complaints process in place by that date, including a clear route for people to complain, acknowledgement within 30 days, investigation without undue delay, progress updates and a final outcome (Information Commissioner’s Office, 2026a). 

For many organisations, the obvious response will be to update a policy, add a complaints route to the website, brief staff and make sure someone owns the process. Those steps matter, but they are only the visible part of the requirement. Many organisations already deal with data protection concerns informally. The change from 19 June is that informal handling needs to become visible, consistent and defensible. 

The harder question is whether the process will actually work when someone challenges how their personal data has been handled. Can you find the right information? Can you show who reviewed it? Can you evidence what was checked, what was decided and what was communicated back? 

That is where the 19 June deadline becomes more than a compliance update. It becomes a test of whether your organisation can handle data protection issues in a controlled, consistent and evidenced way. 


What is changing on 19 June? 

The ICO guidance says organisations must have a process for handling data protection complaints, and that there are no exemptions. The core requirements are straightforward: give people a way to complain, acknowledge receipt within 30 days, respond without undue delay, make appropriate enquiries, keep people informed and tell them the outcome (Information Commissioner’s Office, 2026b). 

The important point is that a data protection complaint does not need to arrive wrapped in legal language. The ICO says people may complain about how an organisation responded to a Subject Access Request, the security measures used to store their information, or how personal information has been collected, used, stored, retained or kept accurate (Information Commissioner’s Office, 2026c). 

That matters because complaints rarely stay neatly within one department. A complaint about marketing may involve CRM records, consent, suppression lists and communication history. A complaint about inaccurate employee data may involve HR systems, emails, manager notes and documents. A complaint about a SAR response may require the organisation to prove where it searched, what it found, what it withheld and why. 


A complaints route is not the same as a working process 

Publishing an email address or complaints form is useful, but it does not solve the harder operational problem. The process is what happens after the complaint lands. 

In practice, complaints may come through a customer service inbox, a manager, HR, social media, phone, live chat or another part of the business. The ICO guidance says people can complain in any way they choose, including through other channels or by contacting any employee or part of the organisation. However a complaint is received, the organisation must accept it (Information Commissioner’s Office, 2026d). 

That is where many organisations will feel the pressure. It is one thing to receive a complaint. It is another to route it properly, identify what it relates to, gather the right information, involve the right people, keep the individual updated and evidence the outcome. 

The organisations that cope best will not be the ones with the most polished privacy notice. They will be the ones that can show what happened, who handled it, what was checked and how the outcome was reached. 


SARs show the problem clearly 

Subject Access Requests are one of the clearest examples of why this matters. A SAR can sound simple from the outside: someone asks for the personal data an organisation holds about them. Internally, the response can involve HR, legal, IT, operations, customer service and managers across the business. 

The data rarely lives in one place. It can sit across HR systems, email, Teams, SharePoint, shared folders, CRM records, customer files, manager notes, leaver records, old exports and historic documents. The difficult questions are usually practical: have we found everything, have we included the right information, have we removed what should not be shared, and can we evidence the process if challenged? 

That is where SARs become painful. Not just because they take time, but because manual searches create uncertainty. If the SAR itself later becomes the subject of a data protection complaint, that uncertainty becomes harder to defend. 


Manual searches were not built for this 

Many organisations still handle SARs and data protection complaints through email chains, spreadsheets, manual searches and individual knowledge. That might work when requests are rare and simple. It becomes much more fragile when the organisation is people-heavy, regulated, customer-facing or dealing with frequent starters, leavers, grievances, disputes or high volumes of customer interaction. 

This is especially relevant for sectors such as healthcare, care, education, recruitment, hospitality, retail, professional services, financial services and other high-touch or regulated environments. The ICO has also highlighted healthcare, financial services, technology and retail as sectors where data protection complaints are most common (Information Commissioner’s Office, 2026a). 

For these organisations, a SAR or data protection complaint can quickly become a search across half the business. HR is pulled into people records. Managers are asked to check inboxes. Legal wants confidence. IT may need to support discovery. Compliance needs an audit trail. The issue is not just effort; it is consistency and defensibility. 

Different people search in different ways, using different assumptions, under different levels of time pressure. If challenged later, the organisation needs to show what it did, not just say it acted carefully. 


Accuracy matters as much as speed 

The risk with manual SAR handling is not only that it takes too long. It is that the search depends on people knowing where to look, remembering what exists and manually checking systems that were not designed around SAR response. 

That creates blind spots. Relevant information may sit inside Teams conversations, SharePoint files, email attachments, scanned documents, images, archived folders, metadata or partially indexed items. A person searching manually may miss information simply because it is not obvious, not searchable in the usual way, or not stored where they expected it to be. 

This is where a controlled Microsoft 365 workflow can improve more than efficiency. Microsoft Purview eDiscovery can support review sets, case management, metadata review, conversation threading, OCR, filtering, tagging and export, helping organisations search, review and evidence information in a more consistent way. Microsoft also notes that when search results are added to a review set, items are reindexed so they can be searched more thoroughly during review, and OCR can extract text from images added to the review set (Microsoft, 2026a; Microsoft, 2026c). 

That matters because the question in a SAR is rarely just “how quickly can we respond?” It is “can we show that we searched properly, reviewed carefully and made defensible decisions?” 


The evidence trail is where the risk sits 

The ICO says organisations should keep records of key complaint handling steps, including the date the complaint was received, the acknowledgement, relevant conversations and documents, the outcome, and any actions taken as a result of the investigation. The guidance also notes that these records provide evidence of what has been done and may be requested by the ICO or industry bodies if a complaint is made in future (Information Commissioner’s Office, 2026e). 

That is the part organisations need to look at closely. Can you show when the complaint came in? Can you show who reviewed it? Can you show which systems or records were checked? Can you show what decisions were made and why? Can you show what outcome was communicated? 

From the work we see with customers, the same gaps appear regularly: no documented data protection complaints process, unclear ownership, limited staff awareness, tracking that sits in inboxes or spreadsheets, inconsistent response times, and incomplete evidence of what was checked or decided. 

These gaps are manageable, but they become more visible once a legal requirement is in force and a complaint needs to be evidenced properly. 


What better looks like 

A better approach does not remove human judgement. SARs and data protection complaints still need care. Someone still needs to decide what is relevant, what should be redacted, what should be withheld, what should be corrected and how the response should be framed. But the search and evidence process should not depend on a search party. 

For organisations already using Microsoft 365, there is often an opportunity to build a more controlled workflow across the environment people already use every day. That means moving away from ad hoc inbox searches, spreadsheet tracking and manual chasing, and towards a process that can search more consistently, preserve context, support review and create a clearer evidence trail. 

This is especially important where relevant data may sit across Exchange, Teams, SharePoint, OneDrive, shared folders, attachments, historic files, manager notes, customer records or leaver records. Microsoft Purview eDiscovery can help identify, review and manage content across Microsoft 365 services, including Exchange Online, Teams, OneDrive, SharePoint, Microsoft 365 Groups and Viva Engage. It also supports review sets, OCR, conversation threading, filtering, tagging and analytics (Microsoft, 2026a). 

There are important technical nuances. For example, Microsoft explains that OCR in eDiscovery extracts text from images when content is added to a review set, making that extracted text searchable within the review set. It does not mean every image is automatically searchable during the initial search phase. That is why workflow design matters as much as the technology itself (Microsoft, 2026c). 

The value comes from designing the process around the real operational pressure: who receives the complaint, who owns it, where the data sits, how the search is evidenced, how review decisions are recorded and how the organisation responds with confidence. 


What we are seeing with customers 

At Assured Digital, we have already been helping customers move SAR handling away from manual chasing and towards a more controlled, searchable and evidenced workflow across their existing Microsoft 365 environment. 

In recent customer work, we have helped reduce time spent compared with a manual process by 60%+, with dozens to hundreds of hours saved depending on request volume, request complexity and where the data sits. 

That caveat matters. Not every SAR is the same. A request involving a long-serving, highly visible employee will usually be more complex than one involving someone in a smaller role or with a shorter history. The point is not that every request becomes instant. The point is that the manual search can be reduced, structured and evidenced far more effectively. 

The bigger benefit is confidence. Less reliance on managers manually searching inboxes. Less uncertainty about whether the right systems have been checked. Less pressure on HR and legal teams when the clock is ticking. A clearer evidence trail if the process is challenged. A more consistent way to search, review and respond. 

For regulated and people-heavy organisations, this is where the real value sits. Not just faster SAR handling, but a more defensible way to manage data rights, complaints and personal data workflows. 


Five practical steps to take before 19 June 

With the deadline approaching, organisations should focus on making the process workable, not just documented. A policy is only useful if it translates into action when a real complaint lands. 

  1. Define the process clearly
    Make sure data protection complaints are recognised as a specific category, not buried inside general complaints handling. The process should be simple enough for staff to follow and clear enough to evidence later. 
  2. Assign ownership
    Decide who is responsible for logging, acknowledging, investigating, updating and closing complaints. Without clear ownership, complaints can sit in inboxes, move between teams, or become dependent on whoever happens to receive them first. 
  3. Build the evidence trail
    Track when the complaint was received, when it was acknowledged, who reviewed it, what information was checked, what decisions were made, what updates were sent and what outcome was recorded. This is the part that matters if the process is challenged later. 
  4. Train the teams who may receive complaints
    A data protection complaint may not arrive through the “right” channel. HR, customer service, managers, frontline teams, legal, IT and operations all need to know what a data protection complaint can look like and where to route it. 
  5. Update privacy and customer-facing materials
    Make it easy for people to understand how they can raise a complaint and what happens next. That includes privacy notices, SAR response templates, website content, customer service scripts and internal guidance where relevant. The ICO says organisations must tell people they can complain at the point personal information is collected and when responding to a subject access request (Information Commissioner’s Office, 2026d). 

The aim should be an audit-ready process: clear ownership, clear timelines, clear records and a clear evidence trail. 


Why this matters now 

The ICO has said it is not looking to catch businesses out, and that there is still time to act. But once the deadline passes, organisations will be expected to demonstrate compliance (Information Commissioner’s Office, 2026a). 

This should not be treated purely as a regulatory deadline. Done properly, it is an opportunity to reduce stress on HR, legal, compliance and operations teams, improve trust, reduce manual effort and make the organisation more resilient when data protection issues arise. The ICO also notes that a set process can improve dialogue, build trust and lead to fewer complaints being escalated to the regulator (Information Commissioner’s Office, 2026d). 

SARs and data protection complaints are not going away. In many organisations, they are becoming more frequent, more sensitive and more closely linked to employee relations, customer trust and operational risk. 

A policy may help you meet the visible requirement. A working, evidenced process is what protects you when someone challenges the way their data has been handled. 

At Assured Digital, we help organisations move from manual data searches to controlled, searchable and evidenced workflows across their existing Microsoft 365 environment. 

If SARs or data protection complaints are becoming a regular headache for your HR, legal, compliance or operations team, we can help you understand where the pressure sits and what a more controlled, evidenced process could look like.


References

Information Commissioner’s Office (2026) ‘One month to go: what businesses need to know to meet new data law’, 20 May. Available at: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/05/one-month-to-go-what-businesses-need-to-know-to-meet-new-data-law/

Information Commissioner’s Office ‘How to deal with data protection complaints’. Available at: https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/

Information Commissioner’s Office ‘What are data protection complaints?’ Available at: https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/what-are-data-protection-complaints/

Information Commissioner’s Office ‘How do we prepare to handle data protection complaints?’ Available at: https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/how-do-we-prepare-to-handle-data-protection-complaints/

Information Commissioner’s Office ‘What do we do when we receive a complaint?’ Available at: https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/what-do-we-do-when-we-receive-a-complaint/

Microsoft ‘Learn about eDiscovery’. Available at: https://learn.microsoft.com/en-us/purview/edisc

Microsoft ‘Create a search for a case in eDiscovery’. Available at: https://learn.microsoft.com/en-us/purview/edisc-search-query

Microsoft ‘Add search results to a review set in eDiscovery’. Available at: https://learn.microsoft.com/en-us/purview/edisc-search-add-to-review-set