Impact considerations
-
This guidance explains what you need to do to meet the new requirements for you to have a data protection complaints process, as set out in the Data (Use and Access) Act. Although these requirements are not in force until 19 June 2026, we think it is useful for this to be published now so that you are ready for these changes. Even before these requirements are in force, we think that what’s set out in this guidance represents good practice.
Here we have summarised responses received on the likely impact of understanding and applying the guidance. We asked respondents to differentiate between:
- impacts that can be attributed to the guidance: these are affected by how the ICO chooses to develop the guidance; and
- impacts that are not attributable to the guidance: these are impacts that arise from the new legislative requirements in DUAA that controllers are expected to comply with.
Response to impact questions
In the impact section of the consultation, we asked:
- organisations about how the guidance and the new duty would affect them; and
- those not responding on behalf of an organisation if they anticipated any impacts associated with the guidance.
Overall, we received 77 responses to the impact questions (though the response rate varied by question) of which 70 (91%) were from organisations, five (6%) were from individuals acting in a private capacity and two (3%) were “other”. Below we first summarise the responses from organisations and then explore those responding in another capacity.
Existing complaints processes
Organisations were asked whether they had a process in place for any kind of complaint. Of the 67 organisations that responded, the majority (94%, 63 respondents) reported they did.
Table 1: Organisations that have a complaints process
| Response | Number |
|---|---|
| Yes | 63 (94%) |
| No | 1 (2%) |
| Not applicable | 3 (4%) |
| Total | 67 (100%) |
Source: ICO analysis. 67 respondents. Only those responding on behalf of an organisation were asked this question.
Barriers to developing and implementing a data protection complaints process
Organisations were asked to identify the main challenges or barriers to developing and implementing a data protection complaints process. The main barriers reported were aligning with current processes (29%, 15 respondents) and time and resource needed to implement the new process (27%, 14 respondents). The responses are summarised in table 2.
Table 2: What do you consider to be the main challenges or barriers to developing and implementing a complaints process?
| Response | Number of respondents |
|---|---|
| Aligning with current processes | 15 |
| Time and resource to implement | 14 |
| Avoiding conflicts with other guidance | 13 |
| Staff training requirements | 9 |
| Clarity between types of complaints / requests | 9 |
| Consistency within or across organisations | 6 |
| Concerns for duplication of effort | 4 |
| Unclear definitions and timeframes | 4 |
| Lack of templates / further guidance for responses | 2 |
Source: ICO analysis. 52 respondents. Respondents could provide multiple answers. Only those responding on behalf of an organisation were asked this question.
ICO response
We recognise that developing and implementing a complaints process can be challenging. We have produced complaints handling guidance to support organisations to navigate this process. We have outlined in this summary of responses the changes we have made to make this guidance simpler and clearer to follow. We are also publishing this guidance ahead of the provisions of the legislation coming into force in June 2026.
Types of cost as a result of the guidance
Organisations were asked what costs they expect to incur as a result of the guidance. These are summarised in table 3 with familiarisation costs relating to reading and understanding the guidance identified as the main area. A number of organisations also identified additional ‘other’ costs (16%, 11 respondents). We believe that these ‘other’ costs are attributable to the new legal duty rather than the guidance, thus these are discussed in the section ‘estimation of costs as a result of the new legal duty’.
Table 3: Costs expected as a result of the guidance
| Response | Number (%) |
|---|---|
| Time taken to read and understand the guidance | 39 (56%) |
| Any wider familiarisation costs linked to the guidance | 31 (44%) |
| Neither | 19 (27%) |
| Other | 11 (16%) |
Source: ICO analysis. 67 responses. Respondents could provide multiple answers. Only those responding on behalf of an organisation were asked this question.
Estimation of cost as a result of the guidance
Six organisations provided estimates of costs as a result of the guidance. These costs ranged from £500 to £200,000. However, these costs are all encompassing as most respondents were unable to differentiate between costs attributable to the ICO’s guidance and cost attributable to the new legal duty.
ICO response
We recognise that organisations will need time to familiarise themselves with the guidance and that this will come at a cost. However, without this guidance, we believe that organisations would have to spend considerably longer understanding the new legal duty. Overall, we therefore believe that this guidance will reduce costs for organisations.
Estimation of costs as a result of the new legal duty
Organisations were asked if they expect to incur any costs as a result of the new legal duty. Around a third of respondents (36%, 25 respondents) identified costs including:
- provision of staff training (20 respondents);
- updating internal policies (16 respondents);
- developing or adapting the complaints process and embedding it into practice (11 respondents);
- updating external policies including privacy notices and public-facing information (10 respondents); and
- increasing staffing resources (8 respondents).
Respondents found it difficult to provide an estimate of these costs, with several stating they needed a better understanding of the extent of the new duty before being able to do so. In total, ten respondents (14%) provided estimates which ranged from up to £10,000 to over £100,000 (see table 4).
Table 4: Please provide a description and rough estimate of the costs you expect to incur as a result of the new legal duty.
| Cost | No. of organisations | Size of organisation | Types of cost |
|---|---|---|---|
| ≥£100,000 | 2 | 1x Medium 1x Large |
Staff training Reviewing and updating internal procedures Advertising to clients |
| £10,000 - £99,999 | 2 | 1x Small 1x Large |
Handling data protection complaints separately |
| ≤£10,000 | 4 | 2x Large 2x Micro |
Updating website Staff training Reviewing and updating internal procedures Advertising to customers and staff Project management Information governance lead time |
| No estimate provided | 2 | 2x Large | Creating database to log complaints Formalising a process and arranging updates to public-facing guidance Staff training Reviewing and updating internal procedures Admin time |
Source: ICO analysis. Ten respondents. Only those responding on behalf of an organisation were asked this question.
ICO response
We recognise that organisations will face costs as a result of the new legal duty. Through producing guidance, we believe that these costs will be less than they would have been without it.
Benefits as a result of the guidance
Organisations were asked about the benefits expected as a result of guidance (see table 5). Almost half of the organisations (46%, 31 respondents) thought the guidance gave them a better understanding of how to comply with the legislation. Several organisations (7 respondents) did not anticipate any of the benefits listed in table 5.
Table 5: Benefits expected as a result of the guidance
| Response | Number (%) |
|---|---|
| Better understanding of what my organisation must, should and could do to comply with the legislation | 31 (46%) |
| Increased confidence that my organisation is providing a compliant product/service/process | 25 (38%) |
| Able to better support my customers | 9 (14%) |
| Improved reputation from putting a complaints process in place | 9 (14%) |
| Able to address data protection complaints in a timely manner | 8 (12%) |
| Reduced legal or advisory costs | 4 (6%) |
| None of these | 7 (10%) |
Source: ICO analysis. 67 respondents. Respondents could provide multiple answers. Only those responding on behalf of an organisation were asked this question.
ICO response
We are pleased to note that organisations recognise the benefits of the ICO’s guidance.
Views of those not responding on behalf of an organisation
The seven (10%) respondents not responding on behalf of an organisation were asked if they anticipated any impacts (positive or negative) associated with the guidance.
Positive impacts indicated by these respondents included:
- customer expectations being managed; they understand why they may not receive a response to a data protection complaint; and
- the guidance clarifying what to include in a data protection complaints procedure.
Negative impacts indicated by these respondents included:
- controllers interpreting the guidance to make it difficult to make complaints;
- controllers having too much time to acknowledge the complaints; and
- greater resources needed to deal with data protection complaints.
ICO response
We note these potential impacts of the guidance and believe the changes outlined throughout this consultation response reflect these in a proportionate way. In addition, as per our ex-post impact framework, we will consider how to monitor them going forward.