When the Freedom of Information Act came into force, I was brought in to build and manage an internal audit team for a large government agency.
The FOI compliance picture wasn’t the reason I was there. It emerged during the audit. Requests that had been missed entirely. Others within days of breaching the statutory deadline. Not negligence — the process existed and people were trying. But the obligation had landed faster than the organisation could absorb it, at a volume and complexity that outpaced both the procedure and the people running it.
The deeper problem was simpler than it looked. When you don’t fully understand what an obligation requires, you don’t recognise it when it arrives. Requests came in through post, email, phone logs, ministerial correspondence, walk-ins. Some didn’t announce themselves as FOI requests. Some were being handled by people who didn’t know the clock had started.
The Data (Use and Access) Act 2025 is creating the same conditions right now for data protection complaints. From 19 June 2026, the question changes — not whether you have a process, but whether it works at the volume and complexity it will actually face. Not the volume the flowchart was designed for.
Most organisations think they’re ready because they have a privacy inbox and a DPO contact point.
That’s the flowchart. It isn’t the control.
The Recognition Failure
The FOI problem wasn’t mostly a channel problem. Yes, requests arrived everywhere. But the channel proliferation was a symptom. The cause was that people didn’t know what they were looking at when it arrived.
A letter that said “please send me all information you hold about X” was an FOI request. A phone call asking the same question was an FOI request. A piece of ministerial correspondence with a question buried in paragraph four was an FOI request. None of them needed to use the words “Freedom of Information” to start the clock.
That recognition gap is where most of the near-misses lived. Not in the process. In the moment before the process started — when someone received something, didn’t identify it as a formal obligation, and handled it as something else entirely.
Data protection complaints work the same way. A customer saying “you’re still sending me emails after I asked you to stop” is a complaint. “Why do you still have my details?” is a complaint. “I didn’t give you permission to share that” is a complaint. None of them need to say “data protection” or “UK GDPR” or “ICO” to create an obligation.
The risk isn’t only whether your privacy inbox is monitored. It’s whether the person who takes the call, reads the email, handles the live chat, or opens the post knows what they’re holding when a complaint arrives through them.
In the FOI audit, the requests that caused the most difficulty weren’t the ones that arrived through the wrong channel. They were the ones that arrived through the right channel and still weren’t recognised. That’s a training and understanding problem, not a process problem. And it doesn’t show up on a flowchart.
The test isn’t whether your staff know the procedure. It’s whether they know what the obligation is actually for.
The Three Controls That Matter
Most complaints handling guidance produces a list. Intake routes, ownership, escalation, evidence logging, timeline tracking, governance reporting, resourcing, periodic review. All of it is defensible. Most of it is downstream of the same three failure modes the FOI audit exposed.
Fix these three and the rest follows. Leave any of them broken and the rest is decoration.
Recognition Capacity
Can the people who first touch a complaint identify it as one?
Not the DPO. Not legal. The account manager, the customer service agent, the person who answers the phone, the PA who opens the post. The obligation starts when the complaint arrives, not when it reaches the person responsible for handling it.
The practical check is uncomfortable. Pull the last twenty customer service tickets. Review the last month of shared mailbox traffic. How many contained a data protection element that wasn’t escalated? If you don’t know, you have a recognition gap. If the number is zero, you probably have a recognition gap and a measurement problem.
Training that covers procedure without covering substance doesn’t fix this. Staff need to understand what a complaint is for — what right it protects, what obligation it creates — not just which inbox to forward it to.
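One way to run the recognition check described above, as an added example that is not part of the original article: a small Python triage script that scans a constructed sample of customer service tickets for the kinds of wording the article lists ("still sending me emails", "why do you still have my details", "I didn't give you permission") and reports the ones that carried a data protection element but were never escalated. The indicator patterns, ticket texts and escalation flags are all constructed for illustration.

```python
import re

# Constructed indicator patterns for the kinds of wording the article lists.
# They are a sampling aid for the audit check, not an exhaustive classifier.
INDICATORS = {
    "marketing_after_opt_out": re.compile(
        r"\b(still|keep)\b.*\b(email|emails|text|texts|call|calls|contact)\w*", re.I),
    "retention_query": re.compile(
        r"\bwhy\b.*\b(still|keep)\b.*\bmy (details|data|information)\b", re.I),
    "unauthorised_sharing": re.compile(
        r"\b(didn't|did not|never) (give|gave|consent)\b|\bwithout my (permission|consent)\b", re.I),
    "explicit": re.compile(
        r"\b(GDPR|data protection|ICO|subject access|delete my|erase my)\b", re.I),
}

# Constructed sample of customer service tickets, with the escalation flag
# the service desk actually set on each one.
TICKETS = [
    {"id": "T1", "text": "Order 4471 arrived damaged, can I get a replacement?", "escalated": False},
    {"id": "T2", "text": "You're still sending me emails after I asked you to stop.", "escalated": False},
    {"id": "T3", "text": "Why do you still have my details? I closed my account last year.", "escalated": True},
    {"id": "T4", "text": "I didn't give you permission to share my address with that courier.", "escalated": False},
    {"id": "T5", "text": "Please delete my account and all data you hold.", "escalated": True},
    {"id": "T6", "text": "Password reset link is not working.", "escalated": False},
]


def triage(ticket):
    """Names of the indicators that match a ticket, sorted for stable output."""
    return sorted(name for name, pat in INDICATORS.items() if pat.search(ticket["text"]))


def unescalated(tickets):
    """Tickets carrying a data protection indicator that were not escalated."""
    return [(t["id"], triage(t)) for t in tickets if triage(t) and not t["escalated"]]


def recognition_gap(tickets):
    """The article's check: how many tickets with a data protection element
    never reached the people responsible for handling complaints."""
    with_element = sum(1 for t in tickets if triage(t))
    missed = unescalated(tickets)
    rate = len(missed) / with_element if with_element else 0.0
    return {"with_dp_element": with_element, "not_escalated": len(missed), "miss_rate": rate}


if __name__ == "__main__":
    for ticket_id, hits in unescalated(TICKETS):
        print(f"{ticket_id}: {', '.join(hits)} (not escalated)")
    print(recognition_gap(TICKETS))
```

Run it against an export of real tickets and the number that matters is `not_escalated`: every match in that list is a complaint that sat with someone who did not know the clock had started. Matches still need a human read, since keyword patterns over-match and, more importantly, miss the complaints that use none of these phrases; the script measures the gap, it does not close it.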
Capacity Reality
Is the process built for the volume it will actually face, or the volume someone estimated when the procedure was written?
The FOI near-misses weren’t caused by bad process design. They were caused by a process that assumed manageable volume meeting an obligation that arrived at scale, with complexity, while the people running it were still learning. That combination — high volume, high complexity, low familiarity — is exactly what a new legal obligation produces in its early years.
The honest capacity question isn’t whether you have enough people on a normal week. It’s whether the process holds when three complex complaints arrive simultaneously, the DPO is on leave, and one of them involves a subject access request running in parallel. If the answer depends on one person remembering, you don’t have a control. You have a dependency.
Track actual time spent per complaint for one month. Compare it against available capacity. Look at peaks, not averages. If demand routinely exceeds capacity, the process is carrying a resourcing risk that no procedure document will fix.
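The capacity comparison above, worked through in Python as an added example (not code from the article): a constructed month of hours logged per complaint is summed per ISO week and set against an assumed weekly capacity figure, with one week's capacity reduced to model the DPO being on leave. The point it makes visible is the one the article makes in prose: the monthly average looks comfortable while one week is well over what was actually available.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: hours logged against each complaint over one month,
# covering ISO weeks 26-29 of 2026. Illustrative figures, not real data.
TIME_LOG = [
    # (complaint_id, work_date, hours)
    ("C-001", date(2026, 6, 22), 3.0),
    ("C-002", date(2026, 6, 24), 2.5),
    ("C-001", date(2026, 6, 26), 1.5),
    ("C-003", date(2026, 6, 29), 6.0),   # three complex complaints land in one week
    ("C-004", date(2026, 6, 30), 4.0),
    ("C-005", date(2026, 7, 1), 5.0),
    ("C-003", date(2026, 7, 3), 2.0),
    ("C-006", date(2026, 7, 7), 2.0),
    ("C-004", date(2026, 7, 9), 3.0),
    ("C-007", date(2026, 7, 14), 4.0),
    ("C-007", date(2026, 7, 16), 1.0),
]

# Assumed available handling hours per ISO week. Week 27 is reduced to model
# the DPO being on leave, which is why capacity is per week, not a constant.
CAPACITY = {26: 20.0, 27: 8.0, 28: 20.0, 29: 20.0}


def weekly_demand(log):
    """Total hours of complaint work per ISO week."""
    demand = defaultdict(float)
    for _, day, hours in log:
        demand[day.isocalendar()[1]] += hours
    return dict(demand)


def hours_per_complaint(log):
    """Total hours spent on each complaint, so effort per case is visible."""
    totals = defaultdict(float)
    for cid, _, hours in log:
        totals[cid] += hours
    return dict(totals)


def capacity_report(log, capacity):
    """Compare demand against capacity week by week, reporting the peak and
    every week in which demand exceeded the hours actually available."""
    demand = weekly_demand(log)
    weeks = sorted(capacity)
    per_week = {w: demand.get(w, 0.0) for w in weeks}
    average = sum(per_week.values()) / len(weeks)
    peak_week = max(weeks, key=per_week.get)
    return {
        "average_hours": average,
        "peak_week": peak_week,
        "peak_hours": per_week[peak_week],
        "overloaded_weeks": [w for w in weeks if per_week[w] > capacity[w]],
    }


if __name__ == "__main__":
    report = capacity_report(TIME_LOG, CAPACITY)
    print("average hours/week:", report["average_hours"])
    print("peak week:", report["peak_week"], "hours:", report["peak_hours"])
    print("weeks over capacity:", report["overloaded_weeks"])
    print("hours per complaint:", hours_per_complaint(TIME_LOG))
```

With these figures the average is 8.5 hours a week against a nominal 20, which is the number a resourcing conversation usually stops at. The report instead flags week 27, where 17 hours of work met 8 hours of cover. Feed it a real time log and a real leave calendar and the overloaded weeks are the resourcing risk the article says no procedure document will fix.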
Evidence Discipline
Could you produce the complete file for any complaint closed in the last six months — tomorrow, if asked?
Not a summary. Not a chain of emails. A coherent record: when it arrived, when it was acknowledged, who owned it at each stage, what was investigated, what decision was made, how the outcome was communicated, when it was closed.
The ICO doesn’t ask whether you had a process. It asks what happened. That question can only be answered with evidence, and evidence only exists if someone created it at the time — not reconstructed it afterwards when the request landed.
In the FOI audit, the requests closest to deadline weren’t always the ones where nothing had been done. Sometimes work had been done and nobody could prove it. The evidence gap was as damaging as the process gap.
If your complaints handling depends on individual memory or inbox archaeology, that’s the first thing to fix.
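A way to test the "produce the complete file tomorrow" question before a regulator asks it, as an added Python example that is not part of the article: each complaint file is a list of dated milestone events plus an ownership history, and the review checks the four things the article says the record must show: every milestone present, milestones in chronological order, entries written at the time rather than reconstructed afterwards, and an owner at every point between receipt and closure. The two sample files, the milestone names and the seven-day reconstruction threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Milestones a complaint file should evidence, in the order they should occur.
MILESTONES = ["received", "acknowledged", "investigated", "decided", "outcome_sent", "closed"]

# Assumed threshold: an entry written more than this long after the event it
# records is treated as reconstruction rather than contemporaneous evidence.
RECONSTRUCTION_THRESHOLD = timedelta(days=7)

# Constructed sample files. Each event carries the time it happened ("at") and
# the time it was written into the record ("recorded_at").
FILES = {
    "DP-0412": {  # complete, contemporaneous, continuously owned
        "events": [
            {"milestone": "received", "at": "2026-07-01T09:10", "recorded_at": "2026-07-01T09:15"},
            {"milestone": "acknowledged", "at": "2026-07-02T11:00", "recorded_at": "2026-07-02T11:05"},
            {"milestone": "investigated", "at": "2026-07-10T15:30", "recorded_at": "2026-07-10T16:00"},
            {"milestone": "decided", "at": "2026-07-20T10:00", "recorded_at": "2026-07-20T10:20"},
            {"milestone": "outcome_sent", "at": "2026-07-21T09:00", "recorded_at": "2026-07-21T09:05"},
            {"milestone": "closed", "at": "2026-07-21T16:00", "recorded_at": "2026-07-21T16:00"},
        ],
        "ownership": [
            {"owner": "privacy-team", "from": "2026-07-01T09:10", "to": "2026-07-08T17:00"},
            {"owner": "dpo", "from": "2026-07-08T17:00", "to": "2026-07-21T16:00"},
        ],
    },
    "DP-0419": {  # no acknowledgement, investigation written up weeks later, ownership gap
        "events": [
            {"milestone": "received", "at": "2026-07-03T14:00", "recorded_at": "2026-07-03T14:10"},
            {"milestone": "investigated", "at": "2026-07-09T10:00", "recorded_at": "2026-07-30T10:00"},
            {"milestone": "decided", "at": "2026-07-22T11:00", "recorded_at": "2026-07-22T11:30"},
            {"milestone": "outcome_sent", "at": "2026-07-23T09:00", "recorded_at": "2026-07-23T09:10"},
            {"milestone": "closed", "at": "2026-07-23T12:00", "recorded_at": "2026-07-23T12:00"},
        ],
        "ownership": [
            {"owner": "customer-service", "from": "2026-07-03T14:00", "to": "2026-07-06T17:00"},
            {"owner": "dpo", "from": "2026-07-13T09:00", "to": "2026-07-23T12:00"},
        ],
    },
}


def _t(s):
    return datetime.fromisoformat(s)


def review_file(complaint):
    """Return a list of findings; an empty list means the file is complete."""
    findings = []
    events = {e["milestone"]: e for e in complaint["events"]}

    # 1. Every milestone is present.
    for m in MILESTONES:
        if m not in events:
            findings.append(f"missing milestone: {m}")

    # 2. Milestones that are present occur in order.
    present = [m for m in MILESTONES if m in events]
    for earlier, later in zip(present, present[1:]):
        if _t(events[later]["at"]) < _t(events[earlier]["at"]):
            findings.append(f"out of order: {later} before {earlier}")

    # 3. Entries were written at the time, not reconstructed afterwards.
    for m in present:
        lag = _t(events[m]["recorded_at"]) - _t(events[m]["at"])
        if lag > RECONSTRUCTION_THRESHOLD:
            findings.append(f"reconstructed: {m} recorded {lag.days} days after the event")

    # 4. Someone owned the complaint at every moment from receipt to closure.
    owners = sorted(complaint["ownership"], key=lambda o: _t(o["from"]))
    if "received" in events and (not owners or _t(owners[0]["from"]) > _t(events["received"]["at"])):
        findings.append("no owner at receipt")
    for prev, nxt in zip(owners, owners[1:]):
        if _t(nxt["from"]) > _t(prev["to"]):
            findings.append(f"ownership gap between {prev['owner']} and {nxt['owner']}")
    if "closed" in events and owners and _t(owners[-1]["to"]) < _t(events["closed"]["at"]):
        findings.append("no owner at closure")
    return findings


def review_all(files):
    """Findings per complaint, over every file closed in the review window."""
    return {cid: review_file(f) for cid, f in files.items()}


if __name__ == "__main__":
    for cid, findings in review_all(FILES).items():
        print(cid, "complete" if not findings else findings)
```

The `recorded_at` field is the one most systems lack and the one that answers the article's "created at the time, not reconstructed afterwards" point: if the record cannot say when an entry was written, the review cannot tell evidence from inbox archaeology. Run `review_all` over the last six months of closed files and every non-empty findings list is a file you could not produce tomorrow.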
Summary
The FOI regime bedded in. It took longer than anyone expected, cost more than the flowchart suggested, and required the kind of tuning that only happens when you run the process against reality rather than against a diagram. The organisations that came through it well weren’t the ones with the most detailed procedures. They were the ones that understood what the obligation was actually for — and built capacity around that understanding rather than around the paperwork it generated.
The Data (Use and Access) Act 2025 is a smaller obligation than FOI in scope. But the conditions are the same. A new legal requirement. Channel proliferation nobody has fully mapped. Staff who know a process exists but haven’t yet been tested on whether they can recognise the thing the process is supposed to catch. And a regulator that will ask for the file, not the policy.
The pattern will be familiar to anyone who has worked through operational resilience requirements. The controls that hold under pressure aren’t the ones that looked tidiest on paper. They’re the ones that were owned, tested, and evidenced before anyone needed to rely on them.
This expectation — that complaints handling is visible, accessible, and demonstrably functional — isn’t new thinking. Businesses operating in Spain have displayed mandatory complaints procedures prominently for years. The DUA Act is the UK version of an obligation other markets normalised long ago.
The organisations that come through this well will be the ones that didn’t wait for the date. They’ll have asked the questions the audit asks. Not whether the flowchart covers the right steps. Whether the people running it know what the obligation is for. Whether the capacity matches the reality. Whether the evidence exists.
When the first DUA Act enforcement action lands — and it will — the question won’t be whether you had a process. It’ll be the same one I was asking in that government agency audit twenty-odd years ago.
What did you actually miss, and when did you find out?
Acceptable Risk (Documented)
Primary legislative and regulatory sources
- Data (Use and Access) Act 2025 — Section 103, inserting Section 164A into the Data Protection Act 2018. Royal Assent 19 June 2025. Complaints handling requirements in force 19 June 2026. gov.uk — https://www.gov.uk/guidance/data-use-and-access-act-2025-data-protection-and-privacy-changes
- ICO — How to deal with data protection complaints (guidance published 12 February 2026, updated 8 May 2026) ico.org.uk — https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/
- ICO Annual Report 2024/25 — 42,315 data protection complaints received, up from 39,721 in 2023/24. ico.org.uk — https://ico.org.uk/about-the-ico/our-information/annual-reports/
Supporting legal commentary — DUAA complaints regime
- Mayer Brown — Preparing for the Data (Use and Access) Act 2025: Upcoming Complaints Procedure Requirement (February 2026) mayerbrown.com — https://www.mayerbrown.com/en/insights/publications/2026/02/preparing-for-the-data-use-and-access-act-2025-upcoming-complaints-procedure-requirement
- Travers Smith — Get ready for the new data protection complaints handling rules (February 2026) traverssmith.com — https://www.traverssmith.com/knowledge/knowledge-container/get-ready-for-the-new-data-protection-complaints-handling-rules/
- Burges Salmon — The Data (Use and Access) Act 2025: Preparing for the new Data Protection Complaints Handling Rules, Part 3 (April 2026) burges-salmon.com — https://www.burges-salmon.com/articles/102mnc5/the-data-use-and-access-act-2025-preparing-for-the-new-data-protection-complai/
- Womble Bond Dickinson — Data protection complaints: are you ready? (April 2026) womblebonddickinson.com — https://www.womblebonddickinson.com/uk/insights/articles-and-briefings/data-protection-complaints-are-you-ready
- Shoosmiths — Not such a modest duty: why the new DUAA complaints regime deserves attention, Journal of Data Protection Vol.26 Issue 5 (April/May 2026) shoosmiths.com — https://www.shoosmiths.com/perspectives/stories/articles/not-such-modest-duty-why-new-duaa-complaints-regime-deserves-attention
ICO complaints volume and enforcement context
- ICO Annual Report 2024/25 — complaints receiving no response within 90-day timeframe increased from 15.2% in 2023/24 to 70% in 2024/25. Analysis by Professor David Erdos, University of Cambridge (July 2025) inforrm.org — https://inforrm.org/2025/07/22/the-uk-information-commissioners-annual-report-2024-25-surveying-a-systematic-trend-away-from-adequate-enforcement-david-erdos/
