New mandatory data complaints procedures are required from next month - What should barristers & chambers have in place?
From 19 June 2026, individuals in the UK will have a statutory ‘right to complain’ about the handling of their personal data by an organisation. As a result, every data controller in the UK will be legally required to have a formal procedure in place for handling such complaints. The obligation is introduced by Section 103 of the Data (Use and Access) Act 2025, which inserts a new Section 164A into the Data Protection Act 2018. For barristers and chambers — both of which regularly act as data controllers — the deadline is now weeks away.
Why this applies to barristers and chambers
A data controller is any person or organisation that determines the purposes and means of processing personal data. Self-employed barristers process personal data about clients, opponents, witnesses, and instructing solicitors in the course of their practice. Chambers process data about members, pupils, staff, and visitors. Both are data controllers in their own right, and both fall within the scope of this requirement.
This obligation is not limited to large organisations. The Act applies to all data controllers regardless of size, sector, or the volume of data they handle.
What the new requirement means in practice
Before the deadline, data controllers must have in place a complaints procedure that meets a specific set of requirements. Complaints must be capable of being submitted electronically as well as by other means. Acknowledgement must be given within 30 days of receipt. The process must include reasonable enquiries into the complaint, keep the complainant informed of progress, and communicate the outcome in plain and accessible language. Individuals must be told of their right to escalate to the ICO if they are not satisfied with the response.
Critically, this requirement creates a new ‘first-tier’ step in the complaints process. Data subjects must first raise a complaint with the data controller before they can escalate to the ICO. This shifts more of the handling responsibility onto the organisation and makes having a documented, functioning process a regulatory necessity rather than a best practice.
The ICO's draft guidance proposes that outcomes should be provided within three months, unless exceptional circumstances apply.
What chambers and barristers should have in place by 19 June
The minimum is a written complaints-handling policy that sets out how data protection complaints are received, acknowledged, investigated, and resolved. That policy needs to define who within chambers or the individual's practice is responsible for handling complaints, what the expected timelines are, and how outcomes are communicated.
Alongside the policy, there should be a means by which complaints can actually be submitted — including electronically — and that route should be clearly signposted in privacy notices. A log for recording complaints and their outcomes will also be necessary for demonstrating compliance if the ICO asks.
For chambers with a compliance officer or GDPR lead, reviewing what is currently in place and assessing whether it meets the new standard is the immediate priority. Chambers that have not reviewed their data protection documentation recently should treat the June deadline as the prompt to do so.
What comes next
The ICO is expected to publish final guidance on complaints handling for organisations in the coming weeks. That guidance will inform how enforcement is approached, though the ICO has signalled a measured approach during the transition period. Final guidance or not, the legal obligation takes effect on 19 June and the requirement to have a procedure in place is not contingent on that guidance being published.