Preparing to receive complaints
-
This guidance explains what you need to do to meet the new requirements for you to have a data protection complaints process, as set out in the Data (Use and Access) Act. Although these requirements are not in force until 19 June 2026, we think it is useful for this to be published now so that you are ready for these changes. Even before these requirements are in force, we think that what’s set out in this guidance represents good practice.
Preparing to receive complaints
Respondents were asked to what extent they agreed that this section clearly explains what organisations need to do to ensure they’re prepared to receive data protection complaints. They answered:
- Strongly agree: 17 (22%)
- Agree: 44 (57%)
- Disagree: 10 (13%)
- Strongly disagree: 2 (3%)
- Unsure / don’t know: 4 (5%)
Respondents were asked to what extent they thought the guidance clearly explains how to handle complaints from or on behalf of children. They answered:
- Strongly agree: 9 (12%)
- Agree: 53 (69%)
- Disagree: 7 (9%)
- Strongly disagree: 3 (4%)
- Unsure / don’t know: 5 (6%)
Respondents were asked if they thought there was anything else we should include here. They answered:
- Yes: 36 (47%)
- No: 41 (53%)
Respondents highlighted the following areas:
Definition of a data protection complaint
Many respondents asked us to define a data protection complaint, and they also asked us to clarify how a complaint differs from a rights request or general dissatisfaction.
ICO response
Data protection legislation doesn’t define a complaint, but the DUAA says that people can make complaints "if the data subject considers that, in connection with personal data relating to the data subject, there is an infringement of the UK GDPR or Part 3 of this Act.”
We’ve expanded the guidance to include this detail and have added some more examples.
Method of complaint submission
The draft guidance included a bullet-point list of possible tools people could use to complain. Respondents asked us to clarify:
- whether they must implement all of these tools;
- whether any are mandatory;
- if an email address is enough;
- if complainants could use any contact point that they already have; and
- whether they can use or adapt existing methods.
ICO response
We’ve clarified that although organisations can designate a method for accepting complaints, a complaint submitted through a different method (eg by email rather than through a designated portal) is still valid.
We’ve also made it clear that the suggested methods are optional, that using a single method is sufficient, and we’ve added ‘email address’ as one of the options that people may use. We’ve also clarified that organisations can use or adapt their existing methods.
Writing a complaints procedure
Respondents asked us to clarify whether they need a standalone procedure, what it should include, and whether they must publish it.
ICO response
We’ve changed the recommendation to produce a complaints procedure, to clarify that this is just one option that organisations may consider.
We’ve also included some examples of what information a complaints procedure could include. We’ve made it clear that this information can be incorporated into existing information points.
We’ve also clarified that if organisations have internal procedures for staff to follow when they receive a complaint, they’re not expected to publish these externally.
Alignment with other frameworks or existing processes
Many respondents said they already have existing processes which aren’t data protection specific, but could be used or adapted to accept data protection complaints. Other respondents said they have existing guidance and frameworks which already include timescales, and were keen to understand if they could align their processes.
ICO response
We’ve clarified that as long as organisations can meet the obligations set out in the guidance, they can integrate data protection complaints into their existing processes.
Data protection legislation requires organisations to investigate complaints and provide an outcome without undue delay. We’ve clarified that, if aligning with existing timescales, they must make sure this does not cause an undue delay. What is ‘undue’ is a context dependent concept rather than a prescriptive time, so organisations will still need to make this assessment on a case-by-case basis.
General themes
Respondents also asked for more detail about the following general themes including:
- how to deal with vague complaints made through social media;
- advice around how joint controllers and processors should deal with data protection complaints;
- clarity around who in the organisation is best placed to handle data protection complaints;
- whether there are any exemptions; and
- advice on how to log and track complaints that cover multiple areas.
ICO response
We’ve updated this section to include advice which covers the above points.
We understand that some organisations receive complaints covering multiple areas where data protection is just one part. A small number of organisations have raised concerns that this will be difficult to log and track, eg where only one reference number can be allocated, and asked for more guidance. Organisation’s processes and systems will vary significantly so we aren’t able to include this level of detail in the guidance. However, we are releasing this guidance ahead of the complaint obligations coming into force, to give organisations chance to prepare.
Complaints from children
Respondents asked for clarity or made suggestions in the following areas:
- how to assess competence, consent, and third party authority;
- whether to address the child when someone raises a complaint on their behalf;
- advocacy, including how organisations can help a young person choose an advocate. There were also a few suggestions to make it a requirement for certain groups to be offered an advocate or supporter;
- the Age Appropriate Design Code, with a few respondents requesting more explanation and examples for standard 15;
- whether we can include more examples in the guidance, rather than linking to other resources;
- whether organisations need to implement a child-friendly process, if their service is likely to be accessed only by a small number of children;
- that we expand the children’s section to include more detail about managing complaints from people who some respondents described as ‘vulnerable’ adults and groups with protected characteristics;
- when it’s appropriate to communicate with parents;
- referring to the new duty in Article 25(1) (children’s higher protection matters, introduced by DUAA); and
- clarity around the legal basis for expecting organisations to offer mechanisms for children to flag when their complaint is urgent, and to have safeguarding procedures in place where there’s an ongoing safeguarding concern.
ICO response
We value the feedback in this area whilst noting that some points go beyond the scope of complaints guidance and many of these topics are covered by separate guidance.
Children’s privacy is a priority area for the ICO so we’ve included advice relating to children specifically. We’re also required to have regard to the fact that children merit specific protection regarding the processing of their personal information.
It is however a broad area. To avoid oversimplifying the existing guidance, we’ve included some further reading links. This helps to keep the complaints guidance focused.
We recognise however that respondents would like us to make this clearer for the purpose of complaints handling. We’ve therefore moved ‘complaints on behalf of others’ to its own section. This makes it clear that organisations don’t need to address the child directly when someone makes a complaint on their behalf. We’ve also further clarified where suggestions relate to standard 15 of our Age appropriate design code.
We’ve included reference to child advocacy services, or other relevant not-for-profit organisations. We already have guidance on the role of advocacy services in representing children, which will soon be updated to include bringing a complaint to an organisation.