The Information Commissioner’s Office (“ICO”) has published a refreshed complaints process confirming how it will deal with data protection complaints.
The complaints process operates within the wider reforms under the Data (Use and Access) Act 2025 (“DUAA”), including a new statutory right for individuals to complain directly to organisations before approaching the ICO. We have previously summarised some of those changes in our article, A new statutory “right to complain” under data protection law, and the ICO has recently published guidance for organisations on how to comply with these requirements. As a reminder, the new duties under the DUAA require all organisations to have an internal data protection complaints process in place by 19 June 2026.
The ICO receives a significant number of data protection complaints, and demand has been rising year on year. The new approach seeks to balance the statutory duties of the ICO to investigate data protection complaints “to the extent appropriate” with a sharper regulatory focus on the most serious data protection issues.
The process makes clear that this will not be a “one size fits all” approach, but instead will be based on the circumstances of an individual complaint. Some complaints may result in simply being recorded without further investigation, whereas others will prompt detailed enquiries / a formal investigation by the ICO.
Will a complaint be investigated under the new framework?
Individuals will usually be expected to raise their concerns with the relevant data controller organisation before approaching the ICO. The framework notes that many issues can be resolved this way without regulatory involvement.
When a complaint is made to the ICO, the ICO will consider whether the issue is genuinely about data protection and whether the ICO is the right body to handle it. The complaints framework gives examples of complaints the ICO will not investigate, including:
- complaints not about data protection;
- customer service issues (unless data protection is involved);
- matters that fall under another regulator’s remit.
If a complaint is eligible, the ICO will then “triage” it to assess how much resource to allocate to the case.
Key criteria include:
- the harm(s) and impact(s) the issue(s) have caused (or are likely to cause) to data subjects;
- whether making further enquiries by the ICO is in the public interest (for example: does it raise a new or high profile data protection issue?); and
- whether the ICO is already aware of the issue(s) complained about.
Following triage, some complaints may be recorded only rather than investigated. The ICO’s framework seeks to emphasise this does not mean the issue is dismissed; complaints of this nature will help the ICO identify trends, repeat concerns about organisations and emerging risks. The ICO also plans to monitor the number of complaints it receives about each organisation. Reaching certain thresholds may trigger further analysis or regulatory action; the ICO is expected to publish those thresholds once they are finalised.
When will the ICO investigate?
If the ICO decides further action is needed, it will assign a case officer to reach an outcome. Possible outcomes include:
- finding the organisation has complied with data protection law;
- requiring additional steps to meet legal obligations;
- requiring improvements to data handling more widely.
Either the complainant or the data controller may request a review of the ICO’s decision if they are dissatisfied with the outcome.
What should organisations do now?
The new duties under the DUAA and the ICO’s regulatory approach mean that organisations should review and, where needed, update their internal data protection complaint handling. Strong processes will often:
- prevent unnecessary ICO escalation;
- demonstrate accountability;
- reduce regulatory risk;
- support trust and transparency.
Now is the ideal time to review (or create) a data protection complaints procedure aligned with the DUAA and the ICO’s expectations. If you would like support preparing or updating your procedures, please get in touch.