Data protection complaints

Copyright © 2026 LexisNexis

There is no obligation for organisations to deal with data protection complaints and the right of complaint under the UK GDPR is to the Information Commissioner’s Office (ICO). However, the Data (Use and Access) Act 2025 will impose complaint-handling obligations on commercial organisations. In the meantime, guidance and tools published by the ICO make it clear that the ICO will not usually deal with a data protection complaint unless it has first been raised with the organisation to which the complaint relates.

The right to complain

Data subjects have the right to lodge a complaint with the ICO, where they consider their personal data has been processed in a way that breaches the UK GDPR. They can also complain to the ICO via a not-for-profit body, organisation or association. The ICO is required to investigate complaints to the extent appropriate and inform the complainant of the progress and outcome of the investigation within a reasonable period.

There is no corresponding right to make a complaint to the data controller, ie to your organisation. Any complaints process you introduce is therefore voluntary. However, The Data (Use and Access) Act 2025

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

Existing user? Sign-in TAKE A FREE TRIAL
Powered by Lexis+®
Latest Risk & Compliance News

Ten financial regulatory changes to prepare for in 2026

Law360, Expert analysis: 2025 brought the financially regulated community many gifts in the form of promised reforms. Michael Lewis, partner and head of the UK financial regulation team, Stephen Wilson, managing associate and Emma Radmore, legal director, all at Womble Bond Dickinson have provided their expert commentary on the upcoming changes for 2026.

Commission proposes cybersecurity package including revisions to Cybersecurity Act

The European Commission has proposed a new cybersecurity package aimed at addressing increasingly sophisticated cyber and hybrid threats facing the EU. According to the Commission, essential services and democratic institutions across the bloc continue to experience cyber incidents linked to both state and criminal actors.

Whistleblowing in the UK–Still a long road ahead

Corporate Crime analysis: Rahman Ravelli’s legal director, Dr. Angelika Hellweger and associate, Tatiana Novikova outline the UK’s approach to whistleblowing. They detail current UK legislation and other measures relating to whistleblowing, and the extent of the protection these provide, comparing this with what is available to whistleblowers in the United States. The scheme for rewarding whistleblowers that HM Revenue and Customs (HMRC) announced towards the end of 2025 is also explained and compared with the US protections for whistleblowers. They conclude their analysis by setting out what further reforms are required for the UK to cultivate a robust whistleblowing culture and to fully realise the benefits such a framework can deliver.

Legal Ombudsman publishes guidance on early resolution of complaints

The Legal Ombudsman (LeO) has published a Spotlight article explaining how it supports early resolution of legal service complaints. LeO reports that 49% of escalated complaints in 2024–25 were resolved by its Early Resolution team, which provides faster outcomes and avoids case fees. Early resolution depends on service providers issuing clear and timely final responses, yet 28% of complainants said they did not receive one. This lack of a final response reduces the chance of early resolution and increases the likelihood of a full investigation. LeO reviews each escalated complaint to decide whether early resolution is suitable, and it typically resolves cases through recognising a reasonable offer, guiding negotiations, or determining that the complaint has no reasonable prospects. LeO advises providers to respond within eight weeks, address every issue raised, explain whether the service was reasonable, set out any failings and their impact, and use its remedies guidance. Interim Joint Chief Executive, Steve Pearson, notes that final responses are the key factor enabling early resolution. LeO urges providers to follow its guidance to improve first‑tier resolution, reduce investigations and case fees, and strengthen consumer confidence.

View Risk & Compliance by content type :
News
Practice notes
Precedents
Q&As

Popular documents

Can a limited company make a subject access request? Can a director of a limited company ask for

Can a limited company make a subject access request? Can a director of a limited company ask for recordings of calls with us? If yes, what personal data must we provide?This Q&A draws on the Information Commissioner’s Office’s (ICO’s) guidance on business-to-business marketing, which may or may

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?What is an appeal?An appeal in insolvency proceedings is no different to an appeal in normal litigation. An appeal will be allowed only if the appeal court is satisfied that the decision of the lower court was 'wrong' or 'unjust because of a

Late payment penalties—inheritance tax

Late payment penalties—inheritance taxWhile interest often accrues on overdue tax, the late payment of certain taxes may also attract a penalty. For information on the interest accruing on overdue tax, see Practice Notes: IHT—payment deadlines on death—Interest on IHT and Interest on late paid

Contributory negligence in personal injury claims

Contributory negligence in personal injury claimsContributory negligence is a partial defence which can lead to a discount in damages.Other defences may also be relevant. See Practice Notes: Did the claimant consent to the risk of injury? and Was the claimant involved in an illegal activity?If a
Can a limited company make a subject access request? Can a director of a limited company ask for

Can a limited company make a subject access request? Can a director of a limited company ask for

Can a limited company make a subject access request? Can a director of a limited company ask for recordings of calls with us? If yes, what personal data must we provide?This Q&A draws on the Information Commissioner’s Office’s (ICO’s) guidance on business-to-business marketing, which may or may

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?What is an appeal?An appeal in insolvency proceedings is no different to an appeal in normal litigation. An appeal will be allowed only if the appeal court is satisfied that the decision of the lower court was 'wrong' or 'unjust because of a

Late payment penalties—inheritance tax

Late payment penalties—inheritance tax

Late payment penalties—inheritance taxWhile interest often accrues on overdue tax, the late payment of certain taxes may also attract a penalty. For information on the interest accruing on overdue tax, see Practice Notes: IHT—payment deadlines on death—Interest on IHT and Interest on late paid

Contributory negligence in personal injury claims

Contributory negligence in personal injury claims

Contributory negligence in personal injury claimsContributory negligence is a partial defence which can lead to a discount in damages.Other defences may also be relevant. See Practice Notes: Did the claimant consent to the risk of injury? and Was the claimant involved in an illegal activity?If a