Skip to main content
Home

Executive summary

Contents

UK data protection law gives people the right to complain to us if they believe their data protection rights have been infringed. This includes potential infringements of their rights under the UK General Data Protection Regulation (UK GDPR) or under part 3 or part 4 of the Data Protection Act 2018.

While the law requires us to investigate each complaint ’to the extent appropriate’, it also gives us a great deal of discretion as to how to do this. Our overall procedure is to examine the details of each complaint to determine the appropriate extent of our involvement.

One of the key reasons for proposing our new approach is that, like all public complaint handling bodies, we’re experiencing extraordinary increases in demand for these services. However, unlike many of our counterparts, our funding doesn’t increase with the number of complaints received. We must therefore approach this work differently. The proposed approach is designed to enable us to take action in those cases where significant harm is evidenced and where we can have the greatest impact on improving data protection compliance.

The consultation on our approach to data protection complaint handling set out and sought views on these proposed changes. It explained how we’ve worked until now, outlined our proposed approach and demonstrated how this would allow us to focus on cases where we can make the most difference. By being transparent about the reasons for these decisions, we aim to help the public and organisations understand and support our approach.

Summary of key changes following consultation

Following the consultation on our proposed approach, we’re moving forward with the new way of handling data protection complaints, taking into account the valuable feedback we received. These are the main changes:

  • Clearer framework and criteria:
    We have revised our framework and criteria to make them easier to understand, with clearer explanations and more practical examples.
  • Refined scale of harm:
    We have explained our examples to make it clearer how we assess harm and how different factors may influence the level of harm.
  • Greater transparency and accessibility:
    We have updated our framework and scale of harm to make them more accessible, and we have used plain language. We’ve explained more clearly what we will do with the information we collect from complaints that we record for information purposes only.
  • Greater clarity of overall complaints process:
    To ensure our processes are clearer, we will have a dedicated page on our website explaining:
    • how we’ll handle complaints;
    • the criteria we’ll use;
    • the review process; and
    • how we’ll use the information we collect from complaints.
  • Ongoing review and improvement:
    We will monitor and evaluate the impact of this new approach and commit to a future external audit and a periodic review of the approach and criteria.

By enabling us to identify the most serious complaints, our new approach will help us to focus our resources where they can have the greatest impact.

This will help us to regulate more effectively, leading to better services and outcomes for the public. It will also support our goal to help organisations meet their obligations, strengthen their overall practices and improve data protection standards.

Throughout this document, we provide further information on these changes and how the consultation has shaped our final approach.