The introduction of the Data (Use and Access) Act brings an important new requirement for all education settings: by 19 June 2026, every school and trust must have a clear, accessible, and effective data protection complaints process in place. This duty applies to maintained schools, academies, independent schools, MATs, and local authorities; in short, any organisation processing personal data.
While this may feel like an administrative challenge, especially for Trusts, it’s also an opportunity to strengthen transparency, accountability, and community trust. It's also something GDPRiS is already helping thousands of schools and Trusts prepare for.
Why complaints handling matters more than ever
Individuals have the right to challenge how their personal information is used. A complaint may be raised by anyone who believes their data has been mishandled, whether that relates to:
- Unlawful sharing of pupil information
- Inappropriate access to staff or governor records
- Incorrect data affecting decision‑making
- A failure to respond to a SAR or other rights request
Complaints might come from pupils, parents and carers, staff, governors, trustees, contractors, or wider stakeholders, and can be made verbally, in writing, or online.
Having a robust and consistently applied process isn’t just good practice, it’s now a legal requirement. It also serves as vital protection against reputational risk and escalation to the ICO.
What the ICO expects, and what schools often struggle with
The ICO has strengthened its complaints procedure guidance to help organisations meet the new duties. It sets out what schools and trusts must, should, and could do, including how to:
- Make the complaints route easy to find and understand
- Acknowledge and triage complaints appropriately
- Investigate concerns fairly and consistently
- Communicate outcomes transparently
- Record all decisions for audit and regulatory scrutiny
- Learn from complaints and use them to improve compliance
For busy DPOs and school leaders, the challenge is often not knowing what to do but having the time, structure, and tools to put it into practice.
This is where GDPRiS makes a measurable difference.
How GDPRiS helps schools and trusts stay compliant
GDPRiS has long supported education settings with data protection, workflows, and evidence management. It provides a centralised, secure system that aligns closely with ICO expectations and enables schools to manage data protection complaints with confidence.
✔ A clear, accessible complaints route
GDPRiS offers templates, configurable workflows, and easy‑to‑publish documentation, helping schools make their procedures transparent and compliant.
✔ Structured logging and triage
Complaints can be logged consistently, including verbal complaints, with categories and automated notifications to ensure nothing is missed.
✔ Fair and consistent investigations
The platform guides users through each step, helping DPOs and leaders gather evidence and maintain clear records of every action taken.
✔ Transparent communication
GDPRiS stores correspondence, notes, and decisions in one place, making it easy to produce clear, respectful outcome responses.
✔ Audit‑ready documentation
Every action is timestamped and stored securely, creating a defensible record for governors, trustees, auditors, and the ICO.
✔ Integration with wider compliance
Because GDPRiS also handles incidents, SARs, DPIAs, data mapping, and training, it allows complaints to be managed as part of a wider governance and risk picture, not in isolation.
✔ Learning and improvement
Built‑in reporting tools help identify trends and root causes, supporting better staff training and policy development.
Strengthening accountability across your school or trust
By embedding GDPRiS into your complaints process, you can demonstrate that concerns are handled:
- Fairly and impartially
- Within statutory timescales
- With full transparency
- In line with legal and regulatory expectations
This not only protects your community but also reassures board members and trustees that data protection risks are being actively managed and continuously improved.
Preparing for 19 June 2026, without the stress
With the compliance deadline approaching, many organisations are reviewing their policies, procedures, and systems. GDPRiS provides the structure, consistency, and evidence schools need to feel confident they are meeting the Data (Use and Access) Act’s requirements, as well as the broader expectations of the ICO.
Strengthen complaints governance across every school in your trust. Book a GDPRiS MAT leadership demo and see how we centralise workflows, audit trails, and oversight.
Want templates, checklists, and governance briefing slides your trust can use immediately? Download the MAT Complaints Procedure Toolkit - free for school and trust leaders.