About the Information Commissioner's Office
Responses to ICO consultations and calls for views
Summary of responses to the ICO consultation on draft changes to how we handle data protection complaints

Summary of responses to the ICO consultation on draft changes to how we handle data protection complaints

Contents

Commissioner’s foreword to consultation responses on ICO complaints handling

If people are concerned about how an organisation has handled their personal information, they can come to us at the ICO for help.

We are here to make sure organisations respect people’s rights and support organisations to get this right.

But the volume of complaints we receive is at a record high, and our services continue to face extraordinary demand.

Our current model for handling complaints is stretched to its limit. With the same finite resources, we have struggled to meet this increase, taking far longer than we would like to address people’s concerns.

To be effective, we must be strategic a regulator that prioritises complaints where there is the greatest risk of harm and intervenes where it matters the most.

That is why we have decided to think differently and consider new strategies to transform how we handle data protection complaints.

Our aim is to provide a service that delivers prompt and proportionate responses to every customer, while driving compliance and accountability from organisations.

In August 2025, we set out these proposals to transform our approach to complaint handling and strengthen our effectiveness as a regulator.

We invited a range of views via our consultation and engagement sessions with stakeholders, so thank you to everyone who has contributed. Your feedback was vital in helping us to refine and shape the new framework.

This document summarises the feedback we received on our proposals and how we have taken it on board to reach a final model.

Under the new framework, we will use a clear set of criteria to assess each complaint as it comes in. This means we can focus our resources where we can have the biggest impact and provide meaningful outcomes in cases where serious harm is clear or systemic issues are revealed.

Insight from every complaint will help us to understand an organisation’s approach to data protection, so we can raise standards and drive improvements across the board. We will also introduce new reporting mechanisms to monitor trends and identify any emerging risks that we may need to address.

While we appreciate that not everyone will welcome these changes, we hope transparency about our decision-making will help both the public and organisations to understand and engage with our new complaints process.

The Data (Use and Access) Act places new obligations on organisations to improve their own complaint handling processes too, so we may start to see more complaints resolved without our intervention.

We are confident that our updated framework will deliver a fair, efficient and impactful complaints process. Your feedback will continue to be valuable as we review and revise our approach to ensure it is as effective as possible.