Skip to main content

How to deal with data protection complaints you receive as a small business

We’ve written this guide to help small businesses deal with complaints about how they’ve used people’s information. If you’re a small charity, small group or club, or small organisation, you’ll also find it useful.

Even with appropriate data protection policies in place, sometimes your staff, contractors, customers or others whose data you hold may be unhappy with how you’ve handled their personal information. Your response matters, because taking the right steps will help to protect your reputation as a business that cares about people’s information. This will also help you provide a better service to your customers.

This brief guide is to help you decide what to do if you receive a data protection complaint.

Step one – acknowledge receipt  

Respond as soon as possible to let the customer know you’ve received their data protection complaint and are looking into it. Your response should include information about what you’ll do at each stage. Let them know when they can expect further information from you and give them a point of contact.

For example, you could send them a link to your complaints procedure, if you have one.

Top tip! An appropriate complaints procedure may include information about how people can raise data protection complaints, how you’ll handle them and how long it will take.

 

If relevant, you should also check the complaint has come from an appropriate person. This could be if a third party has complained on behalf of the person whose data you’re processing. You should check they’re entitled to receive information about how personal data has been handled.

Step two – find out what’s gone wrong

You should deal with any data protection complaints as soon as possible. Start by gathering as much information as you can. You need to establish all the relevant facts, as thoroughly, fairly and accurately as possible. If necessary, ask your customer for more information. Make sure you check  the details of their complaint against the information you hold.

The better you understand the problem, the better position you’ll be in to resolve it.

Step three – give regular updates

If the investigation is likely to take some time, follow up on your initial response. Update them so they know you’re working to resolve the issue. Wherever possible, use plain language rather than jargon or legal terms.

Keeping people clearly informed helps to build trust and things will run more smoothly if everyone knows what to expect.

Step four – record your actions

Make a record of the date you received the data protection complaint and the date your response is due.

Keep details of any related conversations and copies of all relevant documents from start to finish, including the reasons for the decisions you’ve made and any action taken, or not taken. It will also provide evidence of what you’ve done, which the ICO or industry bodies may need in the future.

Example

For example, Izzie runs a small property management business. Her colleague, John, was dealing with a complaint from a tenant about recent installation of CCTV in the communal area of their apartment building. The tenant asks for an update. John is off sick but has left comprehensive records of the action he’s taken.

John’s record includes the initial assessment that was made before the CCTV was installed and the reasons why it was believed to be the best option. He has made a note of all the factors that were considered. Izzie is confident she can provide a full response for the tenant.

Step five – respond to the complaint

Having completed your investigation, let the person know the outcome. Clearly explain what you’ve done to resolve the data protection complaint and any actions you’ve taken as a result. Include enough information to help them understand how you’ve reached your conclusion. It can be useful to bullet point the complaint areas and respond to each point, providing appropriate evidence where possible.  

You should also let the complainant know they have the right to complain to the ICO.

Top tip! Keep your language clear, specific and straightforward. This will help to get your message across to your customer and avoid any possible misunderstandings. Provide contact details so your customer can ask further questions if necessary.

Step six – review the lessons learned

Once you’ve responded to the complainant, take the opportunity to review what happened. Consider if there’s anything you can learn or improve on to prevent future complaints. If you routinely see a lot of complaints in similar areas, an appropriate change can make all the difference.

Top tip! If someone tells you they’re raising a complaint with us, there’s no need for you to tell us. We’ll be in touch if we need more information.