
The overall approach


Our proposed approach to complaint handling

We asked respondents to what extent they agreed that ‘our proposed approach to complaint handling’ clearly explains how we’ll handle complaints.

The responses indicate a near-even split between respondents strongly agreeing or agreeing (47% overall, 8% strongly agree, 39% agree) and strongly disagreeing or disagreeing (47% overall, 24% strongly disagree, 23% disagree). A small number of respondents (6%) stated that they didn’t know or were unsure.

Source: ICO analysis. 74 respondents.

For respondents who said they strongly disagreed, disagreed, or didn’t know or were unsure, there was a follow-up question to help identify specific areas where our approach may not have been sufficiently clear or detailed. It appears that respondents tended to disagree mainly because they wanted clarity or reassurance. We have summarised the responses to our follow-up question under the headings below.

Clarity and transparency of the approach

On the one hand, some respondents found the approach clear. They provided positive feedback on the content of the data protection complaint handling framework and the data protection scale of harm (see The proposed framework document, criteria and how we’ll assess harm), stating that it was operationally more transparent.

Other respondents, however, especially those who disagreed with the proposed approach, found certain areas unclear. They thought it would benefit from being more transparent with further detail about the complaint handling process. Multiple respondents noted that the approach hadn’t addressed various operational and other generic areas. Examples include:

  • how we will record information;
  • how we will investigate complaints;
  • how we will handle those complaints that we won’t investigate further;
  • further details about the information provided within the data protection complaint handling framework and data protection scale of harm;
  • information concerning response times and details of each stage of the complaint; and
  • how we will ensure compliance and protect complainants’ information rights.

We explain some of the above examples in more detail in the relevant sections below.

Terms used and definitions

Many respondents found the terms we used vague, highlighting what they saw as a lack of clear definitions for terms such as ‘data protection complaint’, ‘delay’, ‘harm or significant harm’, ‘systemic risk’, ‘investigate further’ and ‘public interest’. As a result, some respondents appeared confused about how we’d investigate or assess complaints.

Several respondents requested examples for different parts of the process, including examples of the complaints that we won’t investigate. Other respondents requested examples illustrating the threshold, triggers, scoring systems and distinction between serious and minor breaches.

ICO response

We strive to act with clarity and predictability to build confidence and trust. We are committed to ensuring that the information we provide about our approach is clear and accessible. Based on the feedback, we’ve revised our explanation of the approach to make it clearer and more detailed, adding more examples and context. We will provide details on our website of what complainants can expect from us when we handle their complaint.

Other feedback on the proposed approach

Respondents also gave their views on other aspects of the proposed approach.

Enforcement and outcomes

Respondents raised concerns about the perceived lack of enforcement mechanisms and clear consequences for non-compliance. Multiple respondents criticised our overall approach to enforcement. Others, particularly individuals, thought we should prioritise enforcement against organisations that don’t comply with the UK GDPR.

ICO response

We have noted the responses regarding our approach to enforcement. While this topic falls outside the scope of this consultation, we appreciate your engagement. For further information on our statutory enforcement powers, please refer to our forthcoming guidance on the data protection enforcement procedure. We recently consulted on this and will publish it on our website in due course.

Data protection rights and harm

Some respondents thought that the new approach would mean we wouldn’t fulfil our legal duties or investigate complaints adequately. Respondents were concerned that the framework would narrow what we investigate, which could be perceived as a reduction in complaint handling. Respondents suggested we ensure that we handle complaints in line with what they consider to be our duty under data protection law to investigate all complaints and inform complainants of the progress and outcome within a reasonable period.

A few respondents referred to the Government’s obligation under recital 120 of the UK GDPR, arguing that we should have more resources to handle complaints. Several respondents felt that we should redirect some staff to focus on complaints.

Some respondents supported the proposed approach and thought it rightly included triage and proportionality. Others said that the proposed approach was an improvement on the current process. They thought it provided regulatory consistency, as it was a continuation of the existing regulatory methodology.

These respondents agreed it was appropriate to prioritise more serious cases and focus on issues that would have higher impacts or that present significant risk or harm to the complainant. Some thought it could help reduce the operational burden on organisations’ complaints teams.

Others felt that complaint handling would become a triage exercise rather than a guarantee that information rights will be upheld. A few respondents were concerned that our approach would lead to many complaints not being investigated and instead being recorded ‘for information purposes’. Some respondents highlighted their concerns about people they described as ‘vulnerable’, especially children, as they felt such people would be disadvantaged or even automatically excluded.

ICO response

Although we’re receiving an increasing number of complaints, we’re committed to ensuring we handle them in line with our legal obligations. We will investigate all complaints to the extent appropriate and inform complainants of the outcome. We will decide whether we need to make more detailed enquiries based on substantive matters, such as whether the data protection issue has caused a high level of harm or whether a more detailed investigation would be in the public interest. One of our goals is to support organisations to comply with their data protection obligations as part of our complaint handling work.

Our approach will be proportionate and flexible, and we recognise that we must deploy resources effectively. This means that, while we will assess all complaints against our published criteria, we may prioritise those involving the highest levels of harm or those where we need to intervene most.

The more serious the harm, the more likely it is that we will give a complaint substantive attention, but we can’t guarantee we will investigate every case in detail. Where resources are constrained, such as during periods of high volume, we may need to place even some high-harm cases in queues or triage them further. This approach is consistent with recital 141 of the UK GDPR, which makes clear that we have broad discretion to decide whether to conduct a further investigation and, if so, to what extent. We will avoid blanket policies that exclude entire categories of complaints and will remain transparent about the factors we consider when allocating resources.

While consultation responses referred to recital 120 of the UK GDPR and suggested that we should have more resources to investigate complaints, issues such as funding are outside the scope of the consultation. We remain committed, however, to maximising the use of our resources to meet our obligations under the UK GDPR.

Risks

Respondents identified various risks, including:

  • missing serious complaints;
  • failing people who’ve experienced harm;
  • misclassifying or processing complaints incorrectly, including due to insufficient guidance;
  • preventing people from making complaints, especially those who need support or people respondents referred to as ‘vulnerable’; and
  • being unable to carry out our responsibilities to monitor and enforce data protection law.

Other feedback

Some respondents suggested that the proposed framework doesn’t sufficiently reassure complainants, as we don’t explain how it would allow people to obtain justice or ensure organisations comply with data protection laws. Some respondents were concerned that the proposed framework was too flexible, which might cause us to be inconsistent, and that we might not have sufficient oversight of complaints. Respondents questioned how case officers would make decisions about complaints fairly and consistently.

Respondents criticised our Prioritise, Act, Collaborate, Engage strategy known as PACE, stating that its focus was on strategic impact rather than individual redress.

There was support for resolving complaints at the earliest opportunity. Respondents felt that, where an organisation was responsible for personal data, they should also be responsible for resolving complaints in the first instance. Some respondents thought the proposed approach would encourage organisations to resolve complaints.

ICO response

We acknowledge the concerns raised about potential risks associated with implementing our proposed framework and take them seriously.

We have a review process, and people can request a case review if they disagree with the complaint outcome. We will also review the framework and evaluate its overall performance regularly. The Equality Impact Assessment (EqIA) shows how we’ll address risks for people with protected characteristics.

People can directly ask an organisation to put things right if there has been an infringement of their data protection rights.

People also have a statutory right to apply to the court to enforce their data protection rights if they have been infringed. The court has the power to make a compliance order and, in some circumstances, award compensation. This right gives people more power to enforce compliance than in many other areas of regulation.

The framework is designed to allow us to be flexible when considering people’s individual circumstances across a wide range of complaints. We will train our case officers to follow our new processes and procedures when handling complaints.

Suggestions for our proposed approach to complaint handling

We asked respondents if there was anything else they thought we should include. They suggested the following.

Harm and investigation triggers

A significant theme was that we need to make it clearer when we’d investigate a complaint further, particularly those involving people whom respondents described as ‘vulnerable’, children’s privacy and harm.

ICO response

We consider that our revised framework indicates when we’re likely to make more detailed enquiries in relation to a complaint. We recognise how important it is to identify and focus on data protection issues affecting people who need extra support to protect themselves, including children. We will ensure our procedures and training cover this.

Process improvements and operational clarity

Respondents suggested practical ways of making the complaint handling process clearer and more effective, including:

  • assigning reference numbers to complaints;
  • implementing an online portal for submitting documents;
  • providing clear guidance on how to escalate issues when necessary, such as:
    • how to request a case review, and
    • details of alternative routes, with appropriate signposting;
  • giving guidance on how we’ll manage complaints after the initial triage stage; and
  • specifying whether we’ll have a different process for handling complaints deemed ‘serious’.

Respondents also requested more information on how we’ll investigate more thoroughly under the proposed framework than we do currently. Others requested we investigate all complaints, and, if this isn’t possible, they recommended introducing additional resources, including more staff, to enable us to do so.

Respondents from organisations said it was unclear when they should direct customers to a sectoral body such as the Financial Ombudsman Service (FOS) versus us. They thought it would be helpful to agree on this.

Respondents requested information on whether we’d implement any automated or technological solutions in the future.

ICO response

We welcome the practical suggestions made. We have already implemented some of these suggestions and are working on others. We will provide more information on our website to reflect our new approach in due course, including greater detail on our complaint handling process.

We will continue to investigate all complaints to the extent appropriate and inform complainants of the outcome.

We already publish information about requesting a case review and an additional support directory listing organisations where people can find assistance.

We also publish complaints guidance for organisations.

We may also explore digital solutions, including AI tools, in the future to support our framework. We would consider these carefully to ensure they are effective and comply with data protection law.

Organisational engagement and feedback

Respondents emphasised how important it was to engage with organisations more fully during the complaint process. This included informing them if we receive a complaint and notifying them before making decisions. Some respondents suggested we provide a portal for organisations to access complaints. Respondents requested we more clearly explain the terms we use when talking about making decisions and thought we should identify any vexatious or coordinated complaints. Respondents requested information about the data that we’ll record about organisations following complaints about them.

Other respondents requested:

  • we publish statistics, such as how many complaints we do or don’t investigate further under the proposed framework; and
  • we provide decision trees and scoring matrices, as they considered these would lead to more consistent assessments.

Respondents suggested introducing compulsory reporting for all registered data controllers during the time they receive complaints, such as the periodic reports that the Financial Conduct Authority (FCA) requires. Others suggested publishing a comparative enforcement dashboard showing how our actions align with those of the European Data Protection Authorities (DPAs).

ICO response

We engage with organisations during the complaint process when we need to request further information. If we believe there is an infringement of data protection law, we may provide advice to enable the organisation to put the situation right and improve its practices.

Under the Data (Use and Access) Act 2025 (DUAA), organisations will be required to:

  • have a complaint process;
  • take appropriate steps to respond to complaints; and
  • tell people the outcome.

We encourage people to complain to the organisation to allow them the chance to put things right and to prevent complaints coming to us when they can be resolved more quickly and directly by the organisation in question.

Our upcoming guidance for organisations handling data protection complaints will make the new requirements clear and inform organisations of what they must, should, and could do to comply. For further information, please refer to our complaints guidance for organisations.