The New UK Data Complaints Law Is Now in Force: What It Means When Someone Asks What Happened to Their Data
On 19 June 2026, a change to UK data protection law came into force that applies to every organisation that controls personal data, regardless of size or sector. UK organisations face two clear, non-negotiable shifts in data protection requirements: a mandatory, formalised complaints process for all data controllers, and significantly higher expectations around transparency when AI is used to process personal data. These changes mark a decisive move by regulators to put accountability and clarity at the centre of data governance, with no exemptions by size or sector.
Most of the commentary since 19 June has focused on what this means for handling routine data subject complaints: marketing emails, subject access requests, general grievances about data handling. Almost none of it has addressed the specific scenario this creates for IT asset disposal. That gap is what this article closes.
Key takeaways
Since 19 June 2026, every UK data controller must operate a formal, documented complaints process. There are no exemptions by organisation size or sector.
Individuals must now raise complaints with the controller first. Only if dissatisfied, or if the controller fails to respond within a reasonable timeframe, can they escalate to the ICO.
Controllers must acknowledge complaints within 30 days, investigate without undue delay, and communicate the outcome.
A complaint about "what happened to my data" on a retired device requires documented evidence to answer honestly. A verbal assurance is not a response.
PECR penalties are now aligned with UK GDPR at up to £17.5 million or 4% of global turnover, applying the same financial exposure to complaints handling failures as to data breaches.
What actually changed on 19 June
Before this date, an individual who was unhappy about how an organisation had handled their personal data could complain directly to the ICO with no obligation to raise the issue with the organisation first. From 19 June 2026, that route changes. Data subjects can currently complain directly to the regulator; from June 2026, they must first raise complaints with the controller. Only if dissatisfied with responses or if controllers fail to respond within reasonable timeframes can people escalate the matter to the ICO.
This means every organisation processing personal data must now have a functioning, documented, accessible complaints process. By June 2026, every organisation processing personal data must establish and operate a formal complaints process, which means visible links from privacy notices, accessible complaint forms, and clear explanations of handling procedures including expected timeframes. Controllers must acknowledge complaints within 30 days, take appropriate steps without undue delay including any necessary enquiries and updates to the complainant, and communicate the outcomes.
The practical shift is significant. Complaints that would previously have gone straight to a regulator now land on your desk first, with a clock running from the moment they arrive.

The scenario nobody has connected to ITAD
Here is where this law intersects directly with IT asset disposal, and where almost no commentary on the 19 June changes has gone.
A former employee emails your organisation. They ask what happened to their old company laptop after they left, because they are worried about photos, personal messages or financial information that may have been on it. A former client asks what happened to the case files that were stored on a server you decommissioned two years ago. A customer whose data was on a system you retired during a cloud migration asks for confirmation their information was properly destroyed.
Every one of these is now, formally, a complaint under the new regime. It must be logged. It must be acknowledged within 30 days. It must be investigated properly and the outcome communicated. And here is the problem for organisations without a certified IT disposal process: you cannot investigate properly, and you cannot answer honestly, without documented evidence of what actually happened to that specific device.
"We're pretty sure it was wiped" is not an investigation outcome. "I believe it went to a recycling company" is not a documented response. Under the new complaints regime, vague answers to specific questions about data handling are themselves a compliance failure, separate from whatever happened to the device in the first place.
What you need on file to answer a disposal complaint properly
A complaint asking what happened to data on a specific device can only be answered properly with four pieces of documentation.
A serial-level Certificate of Destruction naming the specific device. Not a generic statement that "devices from that period were disposed of responsibly." The actual serial number of the actual device the complainant is asking about, matched against your asset register.
The sanitisation method and standard applied. NIST SP 800-88 Rev. 2 at minimum, with the specific level (Clear, Purge or Destroy) confirmed. This tells the complainant, and if necessary the ICO, exactly what technical process was applied to their data.
Dates of collection and destruction, confirmed separately. This establishes the timeline: when the device left your custody, and when the data was confirmed destroyed. A gap between those two dates with no explanation is itself a red flag in an investigation.
A chain of custody record. From your site to the licensed processing facility to final outcome. This demonstrates the device did not sit unaccounted for at any point in the process.
Organisations that have used a certified ITAD partner for every disposal job can produce this documentation within minutes of a complaint arriving. Organisations that have not have no honest answer to give, and thirty days is not long enough to reconstruct records that were never created in the first place.
Why the financial exposure has changed too
PECR penalties now align with UK GDPR levels at £17.5 million or 4% of global turnover, elevating cookie compliance to the same financial risk as data security breaches. While PECR specifically covers electronic communications and cookies, the broader signal from this alignment is consistent with the ICO's overall enforcement direction: financial exposure across data protection failures, including inadequate complaints handling and inadequate evidence of appropriate technical measures, is converging toward the same maximum ceiling. Since 2019, UK GDPR enforcement has generated £65 million in fines across just 16 penalty notices, and the trajectory is upward, not downward.
A complaint that is poorly handled because the organisation cannot produce evidence of what happened to a device is not just a customer service failure. Under the new regime, it is a documented, timestamped compliance gap that the complainant can escalate to the ICO the moment your 30-day response window closes without a satisfactory answer.
What to do before the next complaint arrives
Three actions close the gap this law has created.
Confirm your complaints process actually exists and is accessible. A visible link from your privacy notice, an accessible complaint form, and a clear internal process for acknowledgement within 30 days. If this does not exist yet, it should have been in place since 19 June.
Audit your IT disposal records for the past several years. For every device retired, do you hold a serial-level Certificate of Destruction? If there are gaps, particularly for devices disposed of before you engaged a certified ITAD partner, those gaps are now a live risk every time a former employee or client asks a question.
Ensure every future disposal produces the documentation a complaint would require. Serial-level certification, named standard, dated chain of custody. This is not extra paperwork. It is the only thing standing between your organisation and an honest answer when someone asks what happened to their data.
Retire your IT. Recover its value. Prove it is gone.
NanoSoft provides certified IT asset disposal with the serial-level documentation your organisation needs to answer a data disposal complaint honestly and within the 30-day window the new regime requires. Every job produces a Certificate of Destruction naming the device, the standard applied, and the complete chain of custody.
Contact NanoSoft: services@nanosoftltd.com | 0800 677 1344 | Unit 8 & 9 Maldon Trade Park, Heybridge, Maldon CM9 4LJ, UK
NanoSoft
Writer at Nanosoft - covering ITAD, data security, and sustainable technology lifecycle management.
Found this useful? Share it.



