As of June 19, 2026, the ICO's updated guidance on internal data protection complaints handling has legal weight it previously lacked. If your clinic doesn't have a documented process for receiving, acknowledging, and responding to data protection complaints, you're not just behind on best practice. You're out of compliance.
The change is specific. Under the new mandate, any organisation handling personal data, which includes every private clinic and aesthetics practice in the UK, must operate a formal internal complaints process that individuals can actually find and use. Complaints must be acknowledged within 30 days. Only after that window can the individual escalate to the ICO. The 30-day acknowledgement isn't optional padding; it's a legal precondition for ICO escalation, which means your process will be the first thing an ICO caseworker asks about if a complaint ever lands on their desk.
Mishcon de Reya flagged this on June 23, 2026, noting that many organisations are treating it as a paper exercise. That's the wrong read.
What the Mandate Actually Requires
The ICO's position is that a "formal, accessible" process means something a patient could find without calling you. A policy buried in a staff handbook or mentioned once in a privacy notice nobody reads doesn't qualify.
At minimum, you need:
- A named point of contact for data protection complaints (this can be your Data Protection Officer if you have one, or a designated staff member if not)
- A way for patients and staff to submit a complaint in writing, whether by email, a form on your website, or both
- A documented acknowledgement step within 30 calendar days
- A record of the complaint and your response
That last point is where most small clinics will fall down. Keeping a log isn't glamorous, but if the ICO ever investigates, you'll need to show the complaint came in on a specific date and that you responded within the window. A spreadsheet works. So does a field in your practice management software, if it supports it. HealSuite's document management section can hold complaint records against a patient file, which keeps everything in one place rather than scattered across inboxes.
Why This Hits Clinics Harder Than Other Businesses
A GP practice or NHS trust typically has a complaints team, a PALS (Patient Advice and Liaison Service), a governance lead, and a layer of administrative infrastructure that absorbs this kind of requirement without much visible effort. A two-person aesthetics clinic in Manchester or a six-room private GP in Edinburgh doesn't have that.
You're also handling some of the most sensitive categories of personal data that exist. Health data under UK GDPR sits in the "special category" tier, which means your obligations are higher and the ICO's scrutiny is sharper. If a patient believes their before-and-after photos were shared without proper consent, or that their medical history was visible to someone it shouldn't have been, a data protection complaint is exactly how they'll raise it.
The NHS reported over 11,000 data security incidents to the ICO in 2024 to 2025. Private providers aren't immune, and unlike a large trust, a small clinic can find that a single ICO investigation consumes a significant fraction of its management capacity for months.
What You Need to Do This Week
Start with a gap analysis. Ask yourself three questions:
- Can a patient find out how to make a data protection complaint from your website or their consent paperwork right now?
- Is there a named person who would receive that complaint?
- Does that person know what to do when it arrives?
If any of those answers is "not really", that's where you start.
Update Your Privacy Notice
Your privacy notice, the one on your website and ideally referenced in your patient intake forms, should include a clear section on how to make a data protection complaint. Name the contact. Provide an email address or a form link. State that you'll acknowledge complaints within 30 days. This doesn't need to be long. Two short paragraphs are enough.
Create a Simple Complaints Log
A shared spreadsheet with five columns covers it: date received, name of complainant (or "anonymous" if applicable), brief description of the complaint, date acknowledged, and outcome. The point isn't to build a system. The point is to have a record you can show someone.
Brief Your Staff
If the person at your front desk doesn't know what a data protection complaint looks like, they won't recognise one when it arrives. A 15-minute team conversation is enough: here's what it is, here's who to pass it to, and here's the 30-day acknowledgement clock it starts the moment it arrives.
Check Your Existing Policies
If you have a general complaints procedure already, check whether it explicitly covers data protection complaints or whether it assumes those are the same thing as clinical complaints. They're not. A patient complaining about a clinical outcome goes through a different channel than a patient complaining that you emailed their results to the wrong address. Your policies should reflect that distinction.
The 30-Day Clock Is Stricter Than It Looks
One thing worth understanding clearly: 30 days to acknowledge is not the same as 30 days to resolve. You need to confirm receipt and let the complainant know you're looking into it within that window. The full investigation and response can take longer, but the acknowledgement step has a hard deadline.
If you miss it, the individual can go straight to the ICO, and your failure to acknowledge in time becomes part of the case against you. The ICO will ask whether you had a process. If you didn't, or if you had one that wasn't accessible, that's an aggravating factor.
One Honest Caveat
The ICO's guidance still leaves some room for interpretation around what "accessible" means in practice for very small providers. A sole-practitioner clinic and a 15-clinic group are not facing identical expectations, even if the legal baseline is the same. The ICO hasn't published sector-specific guidance for independent aesthetics or private GP practices as of this writing, which means you're working from the general framework.
My reading is that "accessible" means a patient who wanted to complain could figure out how to do it without you helping them. That's a reasonable bar. If you'd need to explain the process to someone asking, it's probably not accessible enough yet.
Get the basics in place now. Refine as the ICO publishes more specific guidance, and watch the Mishcon de Reya and BMA data protection bulletins over the next few months; both have been tracking this more closely than most.