Two days. That's what's left before the new statutory requirement for formal data protection complaints handling kicks in on June 19th, 2026.
DLA Piper flagged this on June 12th, and if it hasn't crossed your desk yet, you're not alone. Most of the clinic owners I've spoken to recently were aware that UK GDPR imposes obligations on them as data controllers, but the specific requirement for a documented complaints handling procedure is one of those details that sits in the background until suddenly it doesn't.
So here's what's actually required, and what you can do about it before Thursday.
What the Requirement Actually Says
Under UK GDPR Article 77, individuals have the right to lodge a complaint with the ICO if they believe their data is being processed unlawfully. What's changing isn't that right itself. What's changing is the expectation that you, as a data controller, have a documented internal process for receiving and handling data protection complaints before they escalate to the ICO.
This isn't just a paper exercise. The ICO has been explicit in its enforcement guidance that organisations without visible, accessible complaints routes face harder scrutiny when a complaint does land with them. A clinic that can show a complaint was received, logged, reviewed, and responded to within a reasonable timeframe is in a very different position to one that can show nothing at all.
The requirement applies to any private clinic operating as a data controller, which is every independent practice, aesthetics clinic, and specialist centre in the UK. There's no size threshold. A single-room aesthetics studio processes patient data, appointment data, payment data, and potentially special category health data under Article 9. The obligations apply in full.
What a Compliant Process Looks Like
You don't need a 40-page policy. You need something that works and that you can evidence.
At minimum, your process should cover four things.
First, a named point of contact for data protection complaints, whether that's your Data Protection Officer if you've appointed one, your practice manager, or yourself. That name and a contact method should appear in your privacy notice.
Second, a log. Every complaint should be recorded: the date received, who raised it, what it concerns, what action was taken, and when you responded. A spreadsheet is fine. The point is the audit trail.
Third, a response timeframe. The ICO expects complaints to be acknowledged promptly and resolved or escalated within a reasonable period. One month is the standard reference point for data subject requests under Article 12, and it's a sensible benchmark for complaints too.
Fourth, an escalation route. Your process should tell the complainant that if they're unhappy with your response, they can go to the ICO directly at ico.org.uk. That's not an admission of fault; it's a legal requirement to make the supervisory authority route visible.
The Special Category Problem for Clinics
Health data is Article 9 special category data. That matters here because a data protection complaint in a clinical setting often involves information that is more sensitive, more personal, and more potentially damaging than a complaint about, say, a retail loyalty scheme.
A complaint from a patient who believes their records were accessed without authorisation, or that their data was shared with a third party they hadn't consented to, carries real reputational risk on top of the regulatory exposure. The ICO's fining record in healthcare has been unambiguous: they take health data breaches seriously, and the absence of internal process makes outcomes worse, not better.
This is also why the complaint log matters beyond compliance. If a pattern emerges, say, three patients in six months all concerned about how their before-and-after photos are being used, that pattern is information. It tells you something is broken in your consent workflow before it becomes a formal breach report.
What to Actually Do Before Thursday
If you have a privacy notice on your website, check right now whether it contains a complaints contact. If it says something like "contact us at info@yourclinic.com with any concerns", that's a start, but it should specifically name a complaints route for data protection matters and reference the right to go to the ICO.
If you don't have a data protection complaints log yet, create one today. Date, name, nature of complaint, action taken, date resolved. Five columns. That's enough.
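As an added example (not from the post and not HealSuite code), here is the five-column log from the paragraph above in Python, with the one-month response benchmark and the recurring-theme check described earlier turned into two functions; the 30-day cut-off, the 183-day window and the three-complaints threshold are assumptions lifted from the post's own illustrations.

```python
"""Data protection complaints log: five columns plus the two checks the post
describes (overdue responses, recurring themes). Constructed example."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Complaint:
    received: date                    # date the complaint was received
    complainant: str                  # who raised it
    nature: str                       # what it concerns (short category)
    action: str = ""                  # what action was taken
    resolved: Optional[date] = None   # date of the final response, if any

def overdue(log, today, limit_days=30):
    """Open complaints older than limit_days. 30 days is an assumed stand-in
    for the one-month Article 12 benchmark the post cites."""
    return [c for c in log
            if c.resolved is None and (today - c.received).days > limit_days]

def recurring_themes(log, today, window_days=183, threshold=3):
    """Themes raised by at least `threshold` complaints in the trailing window
    (183 days approximates six months; thresholds are assumptions)."""
    since = today - timedelta(days=window_days)
    counts = Counter(c.nature for c in log if c.received >= since)
    return {theme: n for theme, n in counts.items() if n >= threshold}

# Constructed sample log: names, dates and themes are made up for illustration
SAMPLE_LOG = [
    Complaint(date(2026, 1, 10), "Patient A", "before-and-after photos",
              "reviewed consent form", date(2026, 1, 20)),
    Complaint(date(2026, 3, 2), "Patient B", "before-and-after photos",
              "removed image from website", date(2026, 3, 9)),
    Complaint(date(2026, 5, 14), "Patient C", "before-and-after photos"),
    Complaint(date(2026, 4, 1), "Patient D", "records accessed without authorisation",
              "access audit run", date(2026, 4, 15)),
    Complaint(date(2025, 9, 1), "Patient E", "before-and-after photos",
              "updated consent wording", date(2025, 9, 20)),
]
AS_OF = date(2026, 6, 19)  # the deadline day, used as "today" in the demo

if __name__ == "__main__":
    for c in overdue(SAMPLE_LOG, AS_OF):
        print(f"OVERDUE: {c.complainant} ({c.nature}) received {c.received}")
    for theme, n in recurring_themes(SAMPLE_LOG, AS_OF).items():
        print(f"PATTERN: {n} complaints about {theme} in the last six months")
```

Run against the sample, it flags Patient C as overdue and the three photo complaints since January as a pattern; the September 2025 one falls outside the window.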
If you have staff who handle patient enquiries, they need to know what to do when someone raises a data concern. That doesn't have to be formal training this week. A one-paragraph note explaining who to pass it to and that it needs to be logged is sufficient as an immediate measure.
If you've got contracts with third-party processors, whether that's a practice management system, a payment processor, or a marketing platform, make sure your process covers the step of checking whether a complaint might involve data held or processed by one of them. Under UK GDPR you're still the controller. Their mistake is still your problem with the ICO.
HealSuite logs patient data interactions and consent records in one place, which means when a complaint does come in, the audit trail is already there rather than scattered across email threads and paper notes. That's not a silver bullet, but it does mean the first 20 minutes of handling a complaint are less chaotic.
If You Miss Thursday
The requirement being in effect doesn't mean the ICO will audit you on June 20th. Enforcement follows complaints and breaches, not a calendar. But if a patient raises a data protection concern on June 25th and you have no process, no log, and no named contact, that absence is now evidence of non-compliance with a requirement you had notice of.
Getting this in place next week rather than this week is not a catastrophe. Getting it in place is the point. The risk is in not having it at all, not in the precise date you created the spreadsheet.
One thing worth doing regardless of your timeline: read the ICO's published guidance on data subject complaints at ico.org.uk. It's plainer than most regulatory guidance, and the FAQ section covers the scenarios most likely to come up in a clinical setting.
The deadline is Thursday. The process takes an afternoon to set up properly. That's a reasonable trade.