The proposed ‘threshold approach’
Over half the respondents (54%) supported the way we proposed to use the information we collect from complaints and thought it would:
- help organisations to understand the key data protection issues in complaints and how the organisations can improve;
- give a broader idea of how well an organisation is following data protection law; and
- provide useful information about trends.
One third of respondents (32%) disagreed and were concerned about:
- lack of context;
- incomplete information for complaints we didn’t investigate further; and
- potential increased burden on organisations, particularly if we don’t contact them about complaints until they reach the threshold.
Some respondents thought the thresholds shouldn’t be fixed and would benefit from drawing on insights over time.
Transparency
Several respondents would like to know more about the threshold-based approach, including:
- what the threshold is and whether it varies for different sizes and types of organisations or sectors;
- how we’ll apply it in practice;
- how we’ll notify organisations when they meet the threshold;
- what details we’ll share with them;
- what organisations will need to do if they meet the threshold and what the timescales will be; and
- how the thresholds will result in active regulation.
These respondents asked if we’d publish details or examples of the thresholds and any changes to them.
Several organisations requested clarity about the new reporting mechanisms for complaints that are recorded for information. They enquired whether they would have to provide us with data about the complaints they’re handling and what the format and frequency of reporting would be. They raised concerns about how we would contextualise complaint data and whether participation would be mandatory or voluntary.
Fairness and proportionality
A few respondents thought we should consider an organisation’s size and nature when using the information from complaints and setting thresholds. They thought treating all organisations the same could result in a greater burden on smaller organisations that may have fewer resources.
Some respondents suggested looking at:
- how much personal information organisations use;
- whether personal information is sensitive or special category data;
- upheld complaints versus total complaints;
- the number of unique complainants; and
- broader information.
They thought that the threshold should factor in the level of harm as well as the number of complaints received. They considered that increases in low-risk complaints should cause organisations to hit the threshold less quickly than increases in high-risk complaints. Quality and severity should matter more than quantity.
Potential effects of using thresholds
Some respondents were concerned that we might miss organisations with large numbers of complaints because volumes are constantly just below the threshold or that smaller organisations may never reach the threshold. A few respondents thought organisations might actively manage their complaints so they remain just below the threshold.
Some respondents thought this approach could lead to organisations reaching the threshold when complaints aren’t justified, possibly because of people deliberately making complaints to achieve this.
Using information from complaints for wider action
Some respondents were concerned that we wouldn’t use the information from complaints recorded for information purposes to take significant action. Many respondents supported using this information to identify issues and trends, suggesting wide-ranging examples of what we could look at. Respondents wanted us to actively use this information to:
- help protect people’s information rights;
- educate organisations with targeted guidance and case studies;
- produce pre-emptive guidance; and
- take regulatory and enforcement action.
They suggested publishing information about complaints, trends, actions taken and best practices that organisations could use to monitor and improve their own performance. People could also use this information to help them decide whether to entrust their personal information to an organisation and to hold them to account.
Feedback to complainants and organisations
Several respondents said we should give feedback to people making complaints and to organisations, suggesting different ways of doing this. They thought people would want to know if and how their complaint had contributed to wider action, including enforcement action, so they wouldn’t feel ignored or so they could see that making the complaint had value. They thought organisations would want regular, timely information making them aware of complaints about them and related data protection issues so they can improve – and make it less likely that people need to make data protection complaints in the future.
Some respondents thought we should let organisations know when they’re approaching the threshold so they can be proactive and engage early on.
Accountability
Some respondents said they would like us to periodically evaluate how using the information from complaints contributes to improved outcomes. They suggested publishing regular summaries of trends and actions we take and using key performance indicators.
ICO response
We will first implement our new approach to handling data protection complaints, including triage, and later in 2026, we’ll introduce our processes for using the information we gather from complaints. We will publish a new page on our website in due course, explaining how this will work.
The purpose of the threshold is to draw out useful trends, themes and insights from the bulk of complaints received so we can intervene at an early stage, before further harm occurs, when organisations are demonstrating patterns of non-compliance. It is important to understand that the threshold isn’t itself a means of handling complaints, and we’ll continue to investigate each complaint to the appropriate extent.
This work will feed directly into our wider regulatory work. The information we collect from complaints helps us to identify issues that may need more detailed investigation. When we detect patterns or serious concerns emerging in this way, we can escalate them for further consideration.
We will share the information we gather from these complaints with relevant teams within the ICO, providing them with a clear, overall view of all the complaints we receive. This will support us to prioritise and make decisions effectively across our regulatory functions. We expect that we may receive a substantial number of complaints about some organisations that will mean they reach the threshold. This doesn’t necessarily mean, however, that they haven’t complied with data protection law. The threshold will not act as an automatic trigger for regulatory action.
Instead, where an organisation has reached the threshold, we’ll analyse the available information we have about them to determine whether to intervene. This includes, but isn’t limited to, data held within the ICO and information in complaints we’ve received about them. This is so we’re able to determine why the organisation has hit the threshold.
If we believe that there is little evidence of systemic non-compliance within that organisation, we won’t act further. We will only contact the organisation if we believe that they will benefit if we intervene. We don’t intend to contact organisations automatically when they meet the threshold, as we don’t want to overburden them if we don’t believe there are underlying issues that warrant further steps being taken. If organisations wish to know how many complaints we’ve received about them, they can obtain this from the complaints data sets published on our website.
We won’t necessarily reopen individual cases if organisations have hit the threshold. We will instead contact organisations to discuss high-level trends or recurring issues within the complaints we’ve received. We will only look to take further regulatory action if organisations don’t engage with us or if we feel the steps they’ve taken to address the issues are inadequate. If we consider the issue to be sufficiently serious, we may take further regulatory action even when organisations have engaged with us.
We are planning to use the same threshold for every organisation regardless of size and sector. This is because the thresholds will indicate where there may be problems with compliance rather than show conclusive proof of non-compliance. For this reason, we won’t publish lists of organisations that have hit the threshold. We are exploring various options to ensure that the threshold doesn’t overlook smaller organisations that have fewer complaints raised about them.
This is a new approach, and we’ll continue to monitor it after we’ve implemented it. We are hoping to achieve greater insights into which sectors people are complaining about and to feed this into our wider work. We will also be able to gather feedback from case officers who are using the new process and from organisations we’ve engaged with. We will continue to adapt the approach based on these findings.
We recognise that organisations want more clarity about the reporting process and whether it will be mandatory or voluntary. At present, the law doesn’t require organisations to report the number of complaints to us. However, the government has introduced new powers under DUAA, meaning that, in future, reporting could become mandatory if new regulations are brought in. We will keep organisations updated if there are any changes to these requirements.