The UK Information Commissioner’s Office (ICO) has published draft guidance on how organizations should handle data protection complaints.
The guidance, which is currently under consultation until 19 October 2025, sets out clear expectations for complaint processes and emphasizes the importance of proper handling procedures. It derives from new complaint-handling requirements in the UK Data (Use and Access) Act.
Here’s a look at what the ICO expects from organizations when it comes to data protection complaints.
- What are data protection complaints?
- The ICO’s expectations
- Setting up your complaints process
- Special considerations for children’s complaints
- Investigation and response requirements
- Documentation and continuous improvement
What are data protection complaints?
Data protection complaints can come from anyone unhappy with how an organization has handled their personal data.
The process for complaining about a controller or processor under the UK GDPR is separate from the process for exercising data protection rights.
Common examples include:
- People who are dissatisfied with responses to subject access requests (SARs) or other rights requests
- Individuals impacted by data breaches, whether or not they’re reportable to the ICO
- People who are unhappy about how their personal data has been used, stored, or maintained
As the ICO notes, having a robust complaints process “helps you to be accountable and can improve dialogue between you and the people who wish to make a complaint.”
The ICO’s expectations
The ICO’s guidance establishes four core legal requirements for handling data protection complaints:
- Provide a complaints route: Organizations must give people a way to make data protection complaints directly to them.
- Acknowledge receipt: Complaints must be acknowledged within 30 days of being received.
- Investigate without delay: Organizations must take appropriate steps to respond to complaints, make necessary enquiries, and keep complainants informed.
- Communicate outcomes: The results of complaint investigations must be communicated to complainants without undue delay.
Setting up your complaints process
The ICO recommends several approaches for receiving complaints:
- Online complaint forms (electronic or written)
- Phone-based complaint systems
- Online complaint portals
- Live chat functions with human escalation options
- In-person complaint processes where appropriate
The guidance emphasizes the importance of having a written complaints procedure that’s published on your website or provided at the earliest opportunity. This procedure should use plain language and explain what complainants can expect from the complaints process.
Special considerations for children’s complaints
When dealing with complaints from or about children, organizations must ensure they use “plain, clear language that they can understand” at all stages of the process.
Organizations must assess whether a child has the capacity to understand and exercise their rights. Complaints may also come from parents, other adults, or representatives acting on behalf of children.
Additional requirements apply to organizations covered by the Age Appropriate Design Code (Children’s Code), including providing mechanisms to help children exercise their rights and procedures for swift action on urgent safeguarding issues.
Investigation and response requirements
When investigating complaints, the ICO expects organizations to:
- Gather comprehensive information by examining all relevant facts
- Speak to relevant staff members
- Compare complaint information with held records
- Check compliance with internal terms, policies, and standards
Organizations should ask complainants what outcome they’re seeking, which can help narrow the scope of the investigation and resolve issues quickly.
The guidance emphasizes maintaining open dialogue: “Having an open dialogue can build trust and lead to people making fewer complaints to us, before you’ve had the opportunity to put things right.”
Documentation and continuous improvement
The ICO says that proper record-keeping is essential. Organizations should document:
- The date complaints were received
- Acknowledgement records
- Relevant conversations and documents
- Investigation outcomes
- Resulting actions
After resolving complaints, organizations should review what happened to identify lessons learned and prevent future issues.
The bigger picture
This guidance represents the ICO’s continued focus on accountability and transparency in data protection. By establishing clear expectations for complaint handling, the ICO aims to improve the dialogue between organizations and individuals while reducing the number of complaints that escalate to the regulator.