Investigate the complaint
-
This guidance explains what you need to do to meet the new requirements for you to have a data protection complaints process, as set out in the Data (Use and Access) Act. Although these requirements are not in force until 19 June 2026, we think it is useful for this to be published now so that you are ready for these changes. Even before these requirements are in force, we think that what’s set out in this guidance represents good practice.
Investigate the complaint
The law requires controllers to take appropriate steps to respond to complaints without undue delay, which includes making enquiries to the extent appropriate. Respondents were asked to what extent they agreed this section clearly explained this. They answered:
- Strongly agree: 11 (14%)
- Agree: 43 (56%)
- Disagree: 19 (25%)
- Strongly disagree: 1 (1%)
- Unsure / don’t know: 3 (4%)
The law also requires controllers to keep the complainant informed about the progress of the complaint. Respondents were asked to what extent they agreed this section clearly explained this. They answered:
- Strongly agree: 15 (19%)
- Agree: 47 (61%)
- Disagree: 13 (17%)
- Strongly disagree: 2 (3%)
- Unsure / don’t know: 0 (0%)
Respondents were asked if they thought there was anything else we should include here. They answered:
- Yes: 23 (30%)
- No: 54 (70%)
Respondents highlighted the following areas:
Undue delay
A high proportion of respondents asked us to clarify what “without undue delay” means. Many asked us to provide a time period, and to include some factors that can be considered too.
ICO response
We recognise that organisations would like us to set out a specific time period within which we expect they should investigate the complaint. The legislation says “without undue delay”, which is context dependent. We’ve therefore provided advice around how to complete the investigation “without undue delay”.
This will vary from one complaint to another, and from one organisation to another. A timeframe that is justifiable for one complaint may be unjustifiable for another. The factors that could lead to any delay will also differ, but we’ve included some broad categories as a starting point for organisations.
To support decision-making, we’ve clarified that organisations should consider all the facts of the complaint on a case-by-case basis. This will help them judge whether the time taken to provide an outcome is likely to be unjustifiable or excessive.
As with many concepts in data protection, the approach depends on the context.
Appropriate extent of enquiries
Many respondents asked us to clarify what is meant by “appropriate”. A small number pointed out that what is appropriate will vary, because it depends on the nature of the complaint. One respondent highlighted that the appropriate level of enquiries must also involve a reasonable and proportionate response that reflects the nature of the complaint. A small number of respondents also asked how they should approach complaints they see as ‘vexatious’ or ‘excessive’.
ICO response
What’s considered an appropriate level of enquiries will depend on the circumstances, and organisations will need to make a case-by-case assessment.
There are many factors that can influence what is appropriate. These can vary widely depending on the context and the organisation involved. It will be for the organisation to judge based on what they think is reasonable in that particular context.
Section 164A DPA doesn’t include a provision for complaints that are ‘vexatious’ or ‘excessive’. Instead, it requires organisations to make enquiries to the appropriate extent. Organisations will need to be able to justify why the steps they took were appropriate in the circumstances. We’ve clarified though, that organisations aren’t expected to take steps which are unreasonable or disproportionate in the circumstances.
Keeping people informed of progress
Some respondents asked us to clarify how often they should update complainants, and what updates should include.
ICO response
We’ve clarified that in practice, updates will usually be about how long the investigation is taking, rather than a detailed explanation of each step or enquiry. Keeping the complainant informed about the timing may naturally involve explaining the reasons for any delays, but the outcome is likely to be the best place to set out the steps taken in full.
There isn’t a fixed rule on how often organisations should provide updates, as this will vary from one complaint to another.