
Complaints guidance from ICO

  • Feb 24

Introduction

Earlier this month the ICO published guidance on the complaints handling processes organisations will be required to put in place in June 2026, when section 103 of the Data (Use and Access) Act 2025 comes into force. The ICO very much hopes this new statutory requirement will reduce the number of complaints it receives.



Complaint parameters

The section introduces a new section 164A into the Data Protection Act 2018 which allows a data subject to make a complaint to the controller if they suspect an infringement of the UK GDPR in handling their personal data. It is important to bear in mind that complaints are not restricted to the handling of data subject access requests and may be made about any possible infringement of the UK GDPR.


The ICO confirms:

Data protection complaints can come from anyone who’s unhappy with how you’ve handled their personal information. For example, they may come from people who:


• are unhappy with your response to their subject access request (SAR), or other rights request;

• have been impacted by a data breach, regardless of whether it’s reportable to us; or

• are unhappy about the way you’ve used their personal information (eg where you’ve stored it, how long you’ve kept it for, or its accuracy).


Statutory requirements

Under section 103 a controller must:


• facilitate the making of complaints by taking steps such as providing a complaint form which can be completed electronically or by other means

• acknowledge receipt of any complaint within 30 days

• take appropriate steps to respond to the complaint

• inform the complainant of the outcome


Appropriate steps to respond to the complaint are defined in section 103(5) as:

(a) making enquiries into the subject matter of the complaint, to the extent appropriate, and

(b) informing the complainant about progress on the complaint.


Guidance on initial steps

The ICO recommends putting in place a formal written procedure for responding to complaints. It should be published on the organisation’s website and provided to individuals at the earliest opportunity. This will probably be in tandem with the privacy notice, which should incorporate a reference to the complaints procedure.


The procedure should clearly identify a way to make complaints. One suggestion is through an online complaints portal. It is important to remember that complaints made by alternative means remain valid and require investigation in the usual way.


When devising the process, organisations may wish to consider when proof of ID is required and when signed authorisation from someone who is making a request on behalf of another, such as a solicitor, is necessary. (The creation of a template for acknowledging complaints and requesting more information is advisable.)


The ICO highlights the new complaints requirement as an opportunity to check that an organisation’s record keeping system is up to date and personal information can be traced quickly and effectively.


They advise that staff should be trained in how to handle complaints.


Investigating

The obligation to investigate commences with receipt of the complaint (by whatever means), not after the 30-day acknowledgement letter is sent. In other words, the investigation should begin without undue delay when the complaint is received.


The ICO confirms: You must make an appropriate level of enquiries and be able to justify why you handled a complaint in the way you did. There is no clarification of how to assess the appropriateness of enquiries, but organisations are advised to gather as much evidence as they need and, most importantly, check they have upheld their own terms, policies and standards. [Emphasis added]


The complainant should be kept closely informed of progress, including how long the investigation is likely to last.


Records

Organisations should keep a record of:


• the date they received the complaint

• their acknowledgement

• any relevant conversations and documents (which is extremely broad)

• the outcome of the complaint

• any actions taken as a result.


These records may be helpful if there are further complaints.


Questions to consider

1. Are your data protection policies put into practice?

3. How easy is it to retrieve both hard copy and electronic personal data across the organisation?

4. Are records kept of complaints?

5. Are lessons learned from them?



Mariel Irvine

24 February 2026

 
 