Impact of our proposed approach
The draft impact assessment of the proposed approach sets out an initial outline of the potential costs and benefits for different affected groups.
As part of the consultation, we sought feedback on the impact assessment in addition to any wider insights respondents were able to provide on impacts.
In more detail
This section presents these findings, which are divided into:
- Affected groups
- Costs and benefits outlined in the impact assessment
- Costs and benefits to the respondents
- Further evidence
Affected groups
The impact assessment identified groups likely to be impacted by the approach. These were:
- members of the public who raise data protection complaints with us;
- organisations;
- us; and
- the general public or UK wider society.
We asked respondents whether they agreed with the identified list of the affected groups in Section 5.4 of the impact assessment.
The majority of respondents (64%, 47 respondents) either strongly agreed or agreed with this list of affected groups (11% strongly agree, 53% agree). A quarter (24%, 18 respondents) either strongly disagreed or disagreed (12% strongly disagree, 12% disagree), and the remaining nine respondents (12%) were unsure.1
Additional affected groups
We asked respondents to identify any other groups who would be affected by the approach who weren’t covered in our draft impact assessment, to which 30 (41%) responded. Their responses are summarised below.
Table 1: Additional affected groups
| Affected groups | Description |
|---|---|
| Courts, tribunals and the legal profession (10 respondents) | Courts and tribunal caseloads, and demand for legal professionals, may increase due to people opting for private litigation if their complaint is not actioned by us, as well as section 166 applications to the First Tier Tribunal and applications for permission to bring judicial review claims against the Commissioner. |
| Legal and advocacy organisations (eight respondents) | Organisations or people who support people in navigating the complaints process would need to ensure their processes are adequate and in line with the approach. |
| ‘Vulnerable individuals’ such as people with disabilities, elderly people or people who face a language barrier (seven respondents) | People in this group may not have the level of understanding or digital literacy skills required to articulate the harm they have experienced. This could result in failure to see complaints reach the threshold2 for further consideration by us. |
| Elected representatives, including members of parliament and councillors (four respondents) | Elected representatives might face more pressure from the people they represent to take up cases of unresolved complaints. |
| Journalism and media organisations (four respondents) | Journalists who use data protection complaints to try to increase transparency may have their ability to do so limited where complaints are deemed low risk. |
| Source: ICO analysis. | |
ICO response
We have considered the views expressed by respondents regarding the affected groups identified in our impact assessment. While a majority of respondents agreed with our identification of affected groups, we received a number of suggested additions, which are set out below.
Courts, tribunals and the legal profession
We don’t anticipate that the new approach will lead to an increase in private litigation. However, it may lead to an increase in both section 166 applications to the First Tier Tribunal and applications for permission to bring judicial review claims against the Commissioner. Under the new approach, the ICO will continue to take appropriate steps to respond to complaints and inform complainants of the outcome. We don’t consider it likely that any significant number of complaints warranting regulatory attention will go unaddressed. Where errors do occur, our case review process will enable complainants to challenge our decisions. We therefore consider impacts on this group to be sufficiently accounted for as a subset of ’organisations’ as identified in the impact assessment.
Legal and advocacy organisations
We believe the revised approach will enhance regulatory certainty and empower individuals and organisations to resolve complaints independently. This benefit will extend to legal and advocacy organisations, supporting them in providing effective assistance to individuals. We therefore consider impacts on this group to be sufficiently accounted for as a subset of ’organisations’ as identified in the impact assessment.
‘Vulnerable’ individuals
In response to consultation feedback, we’re committed to improving transparency and clarity in our new approach. These changes will make the process more accessible and understandable for all individuals, including those who may be experiencing vulnerability. We therefore consider this group to be a subset of ‘members of the public who raise data protection complaints with the ICO’ as identified in the impact assessment.
Elected representatives
Under the new approach, we’ll prioritise serious complaints, ensuring they are triaged and addressed more swiftly. This will reduce the need to escalate to elected representatives, as complainants with significant concerns will experience quicker resolution. We therefore consider impacts on this group to be sufficiently accounted for as a subset of ’organisations’ as identified in the impact assessment.
Journalism and media organisations
Under the revised approach, low-risk complaints will be deprioritised to enable more effective handling of high-risk matters. Where a low-risk complaint develops into a more serious issue, the framework provides flexibility, ensuring an appropriate regulatory response. We believe that any costs to journalism or media organisations by deprioritising low-risk complaints will be outweighed by the benefits to wider society of our focus on high-risk cases. We therefore consider impacts on this group to be sufficiently accounted for as a subset of ’organisations’ as identified in the impact assessment.
Costs and benefits outlined in the impact assessment
We asked respondents if they agreed with the assessment of costs and benefits outlined in the impact assessment. Opinions were mixed, with around a third (35%, 26 respondents) strongly agreeing or agreeing (4% strongly agree, 31% agree. Just under half (46%, 34 respondents) strongly disagreeing or disagreeing (24% strongly disagree, 22% disagree), and the remainder (19%, 14 respondents) being unsure.3
Among the respondents who strongly disagreed or disagreed with our approach, the most common reasons were that the impact assessment:
- underplayed the impact the approach would have on organisational compliance (five respondents);
- sought to justify us evading our statutory responsibilities (six respondents); and
- failed to account for the costs that would be borne by organisations and the justice system as a result of the approach (five respondents).
Further costs and benefits to consider
We asked respondents if there were any other benefits, costs or both that they thought should be considered. This section summarises these responses.
Further benefits
We describe further benefits identified by respondents below.
Table 2: Additional benefits
| Benefits identified | Description |
|---|---|
| Reputational benefits to us (three respondents) | Increased transparency of our decision-making process for handling data protection complaints would lead to improved public confidence in us. |
| Time savings for organisations (one respondent) | The new approach will provide clarity to organisations, enabling consistent decision-making and saving time. |
| Deterrence effects of enforcement on organisational behaviour (one respondent) | If we deal more efficiently with high-risk cases, organisations are more likely to comply with data protection law to reduce financial or reputational risk. |
| Source: ICO analysis. | |
Further costs
We describe further costs identified by respondents below.
Table 3: Additional costs
| Costs identified | Description |
|---|---|
| Failure to investigate complaints may lead to a proliferation of non-compliance, harm or both, negatively impacting wider society (12 respondents) | Organisations may take advantage of reduced enforcement of data protection to deprioritise data protection compliance. Where we fail to act early to address an identified harm, this harm may become more serious and costly to us, organisations or wider society. |
| Increased burden on legal organisations (legal services, courts and tribunals), increased costs to people (10 respondents) | If we don’t take further action regarding someone’s complaint, they may turn to private litigation. This is costly to that person and organisations and may increase pressure on courts and tribunals. |
| Failure to investigate complaints may lead to reduced public confidence in us (eight respondents) | People may not see the benefit in reporting future data protection complaints if they are being stored ‘for information only’. |
| Organisations face costs to understand the new approach and increased complaint handling costs (six respondents) | Organisations would face one-off costs of understanding and updating process and procedures around data protection complaints. They may also experience an increase in the costs of handling data protection complaints as more complaints are made directly to them. |
| Non-financial costs to people (three respondents) | Pursuing cases may require repeated correspondence and legal knowledge, which costs time to the person who made the complaint. Pursuing complaints may also lead to emotional distress for that person. |
| Negative impact on the rights of ‘vulnerable individuals’ and their advocates (two respondents) | Children, and people with low digital literacy or a lack of knowledge of data protection law, may struggle to navigate the new processes. This may restrict their ability to exercise their data protection rights and lead to emotional stress. Advocates, such as next of kin, could experience added stress helping ‘vulnerable’ people to navigate the new approach. |
| Source: ICO analysis. | |
Costs and benefits to the respondents
We asked respondents whether they think the proposed data protection complaints handling approach will result in any additional costs or benefits for them or their organisations..
Just under a third of respondents (30%, 22 respondents) expected additional costs, 14% (10 respondents) expected additional benefits, and 23% (17 respondents) expected both. Around a fifth (19%, 14 respondents) expected neither additional costs nor benefits, and the remainder (14%, 11 respondents) did not know or were unsure.4
Benefits
Benefits to people or their organisations that respondents identified included:
- faster response times for complaints;
- ‘spillover benefits’ for public sector organisations where we publish recommendations following investigations;
- greater clarity around our complaint handling process, leading to better understanding of our decisions;
- increased public accountability of large organisations where we use complaints data to identify trends; and
- potential creation of new consultancy opportunities assisting us or organisations with low-risk complaints triage.
Costs
Costs to people that respondents identified included:
- a loss of confidence that their complaints would lead to regulatory action; and
- organisations exploiting their knowledge of the approach to downplay the legitimacy of people’s complaints.
Costs to organisations that respondents identified included:
- the costs associated with understanding the new approach;
- the need to carry out more internal reviews of complaints; and
- the reputational risk to organisations where complainants increasingly turn to litigation to have complaints addressed.
ICO response
We have considered the views expressed by respondents regarding the potential costs and benefits of the proposed approach. We note that almost half of the responses disagreed with our impact assessment and around two-thirds suggested costs or benefits. We have grouped our responses by theme below.
Compliance and public confidence
We don’t accept the view that the new approach will lead to widespread non-compliance or harm. As described in the impact assessment, we believe that by triaging cases, we will be able to allocate resources more effectively and efficiently, focusing on the most significant issues and providing more timely outcomes. This prioritisation will strengthen regulatory certainty and incentivise organisations to comply with the law, reducing financial and reputational risk. Furthermore, we believe that dealing with high-risk cases more efficiently will lead to a reduction in data protection harms and the societal costs associated with non-compliance.
Costs and benefits to organisations
We acknowledge that organisations will incur familiarisation costs in understanding the new approach, and these will be reflected in the cost-benefit analysis. However, these costs are likely to be offset by the benefits of greater regulatory certainty and the ability to resolve complaints internally. The new approach will only necessitate additional internal reviews where an organisation is non-compliant. In such cases, internal reviews are likely to reduce exposure to regulatory or legal action, representing a cost-saving measure.
We don’t anticipate an increase in litigation for compliant organisations. On the contrary, by enabling us to act more swiftly in cases of serious harm, the approach should reduce risks and prompt organisations to take timely corrective action.
We note that the additional benefits to organisations of clarity, regulatory certainty and timeliness are already reflected in our draft impact assessment.
Costs to individuals
We recognise that some people may experience dissatisfaction under the new approach, as noted in the original impact assessment. We believe this adequately captures the non-financial costs identified by respondents. To mitigate these concerns, we’re working to ensure that the complaints process remains transparent and user-friendly. These improvements will make the process clearer and more accessible for all complainants.
Burden on legal services
Concerns were raised about a potential increase in burden on legal organisations, courts and tribunals, as well as increased costs to individuals. We acknowledged these points in our assessment of costs to members of the public who raise data protection complaints with us.
However, we don’t anticipate that the new approach will lead to a significant increase in private litigation. By prioritising serious complaints and resolving them more effectively, the new approach should reduce escalation and associated legal costs.
Further evidence
We asked respondents if they had any further recommendations and evidence that should be considered. We have summarised their methodological recommendations in Table 4 and their further evidence in Table 5.
Table 4: Respondents’ methodological recommendations
| Recommendation | Description |
|---|---|
| Scenario modelling | This method simulates outcomes under different enforcement or non-enforcement pathways. |
| Proxy valuation | This involves assigning monetary values to intangible harms (eg trust erosion, data misuse) using market analogues or historical precedent. |
| Cost-of-inaction frameworks | Common in environmental and public health policy, these estimate the economic burden of regulatory inaction. |
| Behavioural economics | This method captures the downstream effects of perceived legitimacy or deterrence on compliance behaviour. Research shows that certainty of enforcement, not severity, determines compliance. By announcing low-risk complaints won’t be investigated, there may be an increase in violations. |
| Models by other UK regulators | Respondents recommended research into models adopted by other UK regulators that deal with high volumes of complaints – for example, FOS or the Office of Communications (Ofcom). |
| International comparisons | Other European DPAs handle similar or higher complaint volumes. The ICO should provide comparative evidence to explain its new approach to handling data protection complaints. |
| Child rights impact assessment | One respondent recommended undertaking a child rights impact assessment to uncover the impact of the changes on children.5 |
| Ex-post evaluation | One respondent recommended an independent evaluation after twelve months to measure whether the proposed approach delivers the forecast efficiencies without compromising access, fairness or accountability. |
| Source: ICO analysis. | |
Table 5: Summary of further evidence provided by respondents
| Recommendation | Description |
|---|---|
| Economic impact |
The Organisation for Economic Co-operation and Development’s report on data regulation uncovers the impacts of regulatory enforcement on global GDP.6 Financial services research shows data breaches cost UK businesses £2.48 billion annually. |
| Deterrence value of enforcement | The ICO’s fining guidance states that fines must be ‘effective, proportionate and dissuasive’ to promote compliance.7 GDPR enforcement analysis from ComplyDog shows that visible penalties (up to 4% of global turnover) have a demonstrable deterrent effect across sectors.8 |
| Public trust and democratic legitimacy | The ICO’s complaints guidance stresses that transparent complaint handling builds trust and accountability.9 The Equality and Human Rights Commission’s research on access to justice should be considered. |
| Complainant burden and opportunity cost | Sprintlaw’s guide to ICO complaints outlines the emotional and procedural toll on individuals navigating complaint resolution.10 The Local Government & Social Care Ombudsman’s proportionality framework emphasises the need to weigh complainant impact when allocating investigative resources.11 |
| Comparative benchmarking | The ICO and Germany’s Bundesbeauftragte f’r den Datenschutz und die Informationsfreiheit (Federal Commissioner for Data Protection and Freedom of Information) signed a memorandum of understanding to share investigation data and pursue joint enforcement.12 Pinsent Masons’ comparative analysis shows Commission Nationale de l’Informatique et des Libert’s’ more aggressive enforcement posture, including public sanctions and emergency powers.13 |
| Case studies | The Severn Trent Water (STW) internal review (EIR840) shows how organisations deflect accountability by outsourcing responsibility to contractors, leaving complainants with no access to environmental or data protection information. The ICO’s framework must explicitly address this gap. The CPC Civils case shows how contractors may not only refuse subject access requests (SARs) but also intimidate complainants with threats of legal action. This creates a chilling effect that prevents individuals from exercising their information rights. Contractors such as CPC Civils and utilities such as STW have required individuals to submit excessive personal data (eg photos, photo ID, utility bills) under the guise of verifying identity for SARs. In one case, an NHS number was inappropriately shared between a local authority and a housing association. The housing association admitted unlawful processing (September 2025), while the local authority dismissed the identical complaint (August 2025). Under the new framework, such contradictory outcomes could result in neither being properly investigated. |
| Charities/advocacy groups | Research from charities working with people with disabilities, carers, domestic abuse survivors and people who are neurodivergent shows the systemic harm caused by unresolved data issues. |
| Source: ICO analysis. | |
ICO response
Methodological recommendations
We believe that, given the available data, we’ve undertaken an analysis of potential impacts that is proportionate to the decision at hand. Our assessment reflects the best evidence currently available and balances the need for thoroughness with proportionality. As per our framework, we’ll consider an appropriate method of assessing the ex-post impact of the approach. Where evidence is available and it is deemed proportionate to do so, this review will consider distributional analysis of the impact on specific groups, assessment of downstream effects on compliance and evaluation of the approach’s influence on data protection harms.
Further evidence
We recognise the costs associated with non-compliance with data protection law as highlighted by respondents. However, we believe that our revised approach will enable us to address the most serious cases more effectively, thereby upholding data protection law and mitigating the social and economic harms linked to non-compliance. By focusing resources on high-risk matters, the new approach will strengthen compliance and reduce harm. We consider that the approach will help build greater trust between us, organisations and wider society, reinforcing confidence in the regulatory framework.
1 A further seven respondents did not answer this question so are not included in this infographic.
2 The threshold is defined as part of the new approach.
3 A further seven respondents did not answer this question so are not included in this infographic.
4 A further seven respondents did not answer this question so are not included in this infographic.
5 https://www.unicef.org.uk/child-friendly-cities/wp-content/uploads/sites/3/2022/06/CRIA_June-2022.pdf
6 https://www.oecd.org/en/publications/economic-implications-of-data-regulation_aa285504-en.html
7 https://ico.org.uk/about-the-ico/our-information/policies-and-procedures/data-protection-fining-guidance/circumstances-in-which-the-commissioner-would-consider-it-appropriate-to-issue-a-penalty-notice/effectiveness-proportionality-and-dissuasiveness/
8 https://complydog.com/blog/gdpr-fines-penalties-2025-enforcement-guide
9 https://ico.org.uk/about-the-ico/what-we-do/complaints-guidance-for-organisations/
10 https://sprintlaw.co.uk/articles/handling-ico-complaints-a-stepbystep-business-guide/
11 https://www.lgo.org.uk/information-centre/information-for-organisations-we-investigate/councils/guidance-notes/guide-for-complaint-handlers-a-proportionate-approach-to-considering-complaints?chapter=8
12 https://www.activemind.uk/guides/ico-bfdi-cooperation/
13 https://www.pinsentmasons.com/out-law/analysis/data-protection-enforcement-in-uk-france-and-germany-explained