In advance of new obligations under the Data (Use and Access) Act, the ICO has published some draft guidance on handling data subject complaints. This episode breaks down some of the ICO's expectations in this area.

As always, the ICO sets out three tiers: 

• "Must": Legal duties, for example, under UK GDPR or DPA 2018. 

• "Should": Good practice stuff that you should do unless there's a good reason not to.

• "Could": Optional steps to help you comply. 

According to the ICO, core obligations include: 

• Giving people a way to complain directly to your organisation

• Acknowledging complaints within 30 days (NOT one month, as with data subject rights) 

• Investigating the complaint and responding without undue delay

• If the complaint was raised on the data subject's behalf, checking that the person has the authority to act for them.

• Keeping records about the complaint while respecting data minimisation. 

The "shoulds" include publishing a clear complaints procedure, training staff to recognise complaints, and ensuring cover during absences. 

Special considerations apply for children, such as using child-friendly language and handling safeguarding concerns (if relevant). 

The ICO has long told data subjects that they must approach organisations first before coming to the regulator. This remains ICO policy only, as neither the UK GDPR nor DPA 2018 requires the data subject to do this.

But the DUAA will codify this practice, and will give controllers new statutory duties around complaint handling.

I would suggest reviewing your complaints with these new obligations in mind. 

Although—for whatever reason—it does not mention the DUAA at all, the ICO's draft guidance is probably a good place to start.

The guidance is open for comments until 19 October.

As always, feel free to get in touch if you need help implementing any of this.