The ICO is changing how it handles data protection complaints, and it wants to hear from you. With complaint volumes rising to over 42,000 in 2024/25, the regulator is consulting on a new framework that will focus resources on cases with the most significant impact. The consultation closes on 31 October 2025, giving organisations and individuals a narrow window to influence how data protection complaints will be handled in the future.
Why the ICO Is Changing Its Complaints Process
The numbers tell the story. Data protection complaints to the ICO increased from 39,721 in 2023/24 to 42,881 in 2024/25. This growth is putting pressure on the regulator’s resources and, in the ICO’s own words, “impacting our ability to respond quickly and effectively.”
The ICO wants to transform from a regulator that handles individual complaints one by one into what it calls a “strategic regulator.” This means using complaint data to identify trends, spot systemic issues, and drive improvements across entire sectors rather than just resolving individual cases.
This approach makes sense when you consider the scale. With over 40,000 complaints annually and limited resources, the ICO cannot investigate every case in detail. And so a new framework is required to help deliver on the responsibilities of the organisation.
What’s Changing Under the New Framework
The consultation proposes a new approach to prioritising complaints based on their potential impact and significance. Not all complaints will receive the same level of attention or investigation.
The ICO will focus its resources on cases that can drive broader change in data protection practices. This might include complaints that reveal systemic failures, affect large numbers of people, involve new technologies or practices, or raise novel legal questions.
To support this shift, the ICO is developing new reporting mechanisms to monitor complaint volumes and identify patterns. This data-driven approach should help the regulator spot emerging issues before they become widespread problems.
The ICO’s New Role
Under the proposed framework, the ICO moves towards strategic oversight rather than individual case resolution. Think of it as shifting from being the first port of call to being the escalation point and systemic issue investigator.
The regulator will use complaint data to identify trends across sectors, spot new risks, and develop guidance that prevents problems rather than just fixing them after they occur.
This means individuals will be expected to complain to organisations first, using the internal complaint processes that all organisations must have by June 2026. The ICO’s role becomes monitoring whether these internal processes work and intervening when they don’t.
What the Data (Use and Access) Act Means for Complaints
The Data (Use and Access) Act 2025 introduces a new requirement that fundamentally changes the complaints landscape. By June 2026, every organisation must have a formal process for handling data protection complaints.
This isn’t optional. If someone is unhappy with how you’ve handled their personal data, they must have a clear way to complain to you, and you must have a documented process for handling that complaint.
The Act encourages organisations to resolve most complaints internally. When individuals complain to the ICO, they will typically be asked to use your internal process first. However, individuals still retain the right to complain directly to the ICO – internal complaints are not a mandatory legal prerequisite like employment tribunal grievances.
For the ICO, this means fewer complaints to handle directly. But it also means a new responsibility: monitoring whether organisations’ internal complaint processes actually work. If your complaint handling is inadequate, that itself could become a compliance issue.
The Consultation: What the ICO Wants to Know
The consultation asks for views on several key areas. Understanding what the ICO is asking will help you provide useful feedback.
First, they want views on the proposed approach itself. Do you think prioritising complaints based on impact makes sense? Are there risks or unintended consequences the ICO hasn’t considered?
Second, there’s an impact assessment. How will these changes affect organisations and individuals? Will some groups be disproportionately affected? Are there hidden costs or burdens?
Third, the ICO wants feedback on the draft framework document. Is it clear? Does it provide enough guidance on how decisions will be made? Are the prioritisation criteria transparent and fair?
Finally, they’re asking about practical implementation concerns. What challenges do you foresee? What support or guidance will organisations need?
Key Questions to Consider
When preparing your response, consider these questions:
Will the new prioritisation criteria be fair and transparent? How will the ICO decide which complaints are “significant” enough to investigate? What happens to complaints that are important to individuals but don’t meet the strategic priority criteria?
How will individuals know when to escalate to the ICO? If organisations are handling complaints internally first, there needs to be clarity about when escalation is appropriate. Without clear guidance, people might escalate too early (overwhelming the ICO) or too late (accepting inadequate responses from organisations).
What support will organisations need to handle complaints effectively? Many small and medium-sized organisations have never had formal complaint processes. They’ll need practical guidance, templates, and training.
Could this reduce access to regulatory intervention for individuals? If the ICO focuses only on strategic priorities, will individuals with legitimate but “low-impact” complaints lose access to regulatory support?
How to Participate in the Consultation
The consultation closes on 31 October 2025 at 23:59. This is a hard deadline—responses received after this time won’t be considered.
You can respond via the ICO’s Citizen Space survey at: https://citizen-space.ico.org.uk/customer-services/dp-complaints-proposal/
The consultation includes several documents you should read:
- Draft changes to the ICO’s complaint handling approach
- Proposed framework document
- Impact assessment
You don’t need to answer every question. If you have specific expertise or experience with particular aspects, focus your response on those areas. The ICO values quality feedback over comprehensive responses.
Who Should Respond
This consultation matters to several groups:
Organisations that handle data protection complaints should respond because you’ll need to implement internal processes by June 2026. Your feedback can help shape the ICO’s expectations and guidance.
Data protection officers and compliance teams will be responsible for designing and running these internal complaint processes. You need to understand what the ICO will be looking for.
Individuals who have made complaints to the ICO have direct experience of the current system. Your insights into what works and what doesn’t are valuable.
Consumer advocacy groups and legal professionals can provide perspectives on access to justice, fairness, and the potential impact on vulnerable groups.
What This Means for Your Organisation
Regardless of the consultation outcome, one thing is certain: by June 2026, you must have a formal process for handling data protection complaints.
Now is the time to prepare. Don’t wait until the deadline approaches and then scramble to put something together. A well-designed complaint process can actually benefit your organisation by identifying issues early, improving customer relationships, and demonstrating your commitment to data protection.
Start by documenting how you currently handle complaints (if you have any informal process). Many organisations already respond to concerns about data protection—you might just need to formalise what you’re already doing.
Identify gaps in your current approach. Do you acknowledge complaints promptly? Do you investigate thoroughly? Do you provide clear responses? Do you keep records of complaints and resolutions?
Allocate resources for complaint management. Someone needs to be responsible for handling complaints, investigating issues, and coordinating responses. For smaller organisations, this might be part of your data protection officer’s role. Larger organisations might need a dedicated team.
Plan staff training and documentation. Everyone who handles personal data should understand how to recognise and respond to data protection complaints. You’ll need clear procedures, templates for responses, and guidance on escalation.
Getting Ready for the New Framework
If you don’t already have a complaint handling process, here’s where to start:
Review what others are doing. The ICO will publish guidance on complaint handling requirements. When it’s available, use it as a foundation for your process.
Create a simple workflow. Map out the journey from complaint receipt to resolution. Who receives complaints? How are they logged? Who investigates? How are decisions made? How are complainants kept informed?
Document everything. You need records showing how you handle complaints. This demonstrates compliance and helps you identify patterns or recurring issues.
Test your process. Once you’ve designed it, walk through some hypothetical scenarios. Does it work? Are there bottlenecks or unclear steps?
Make it accessible. People need to know how to complain. Include information about your complaint process in privacy notices, on your website, and in communications about data protection.
Conclusion
The ICO’s consultation represents a significant shift in how data protection complaints will be handled in the UK. The move towards strategic regulation makes sense given the volume of complaints, but it raises important questions about fairness, access, and accountability.
With the deadline of 31 October 2025 approaching, now is the time to share your views and concerns. Whether you’re an organisation that will need to implement internal complaint processes or an individual who has experienced the current system, your feedback can help shape a framework that balances regulatory efficiency with access to justice.
This isn’t just about how the ICO works—it’s about how every organisation will need to handle data protection complaints from June 2026. The decisions made now will affect data protection practice for years to come.
Don’t miss this opportunity to influence the outcome. Read the consultation documents, consider the questions, and submit your response before 31 October 2025.
