
Handling data-protection complaints: the process the ICO expects

24 June 2026 · 4 min read · GuardianStack

Short answer: a data-protection complaint is not just a message in your inbox — it’s a formal signal that the ICO expects you to be able to handle with a proper process, not improvise. For a small business the practical problem isn’t usually bad intent; it’s that there’s no process at all, so a complaint becomes a panic instead of a routine.

A complaint is more than an awkward email

When a customer says “I’m not happy with how you’ve handled my data” — or asks you to stop marketing to them, or questions why you hold something — that’s a data-protection complaint, whether or not they use the word. It’s the person exercising rights that UK GDPR gives them, and it comes with expectations about how you respond.

Treating it as a one-off customer-service message is the mistake. A complaint is a documented event that may later be reviewed — by the person, by a B2B partner, or by the regulator if it escalates. How you respond, and whether you can show how you responded, is the point.

What the ICO expects you to have

The ICO’s consistent expectation is that organisations handling personal data can deal with complaints properly — which in practice means having a process, not making it up each time. A workable process for a small business covers:

  • A route in. A clear, findable way for someone to raise a data-protection concern: usually a named contact or a privacy email address stated in your privacy notice, which UK GDPR Articles 13 and 14 already require you to publish.
  • Acknowledgement and ownership. One named person is responsible for the complaint, and the person who raised it is told it has been received and who is dealing with it.
  • A timely, reasoned response. You look into it, act where needed, and explain your position in writing. Where the complaint is also a rights request (access, rectification, erasure, objection to marketing), UK GDPR Article 12(3) sets the clock: respond without undue delay and in any event within one month of receipt. That can be extended by up to a further two months only where the request is complex or you have received several from the same person, and you must tell them within the first month that you are extending and why.
  • A record. What was raised, when it arrived, who handled it, what you decided, what you did, and when. The evidence is the compliance.
  • An escalation path. If the person remains unhappy they can complain to the ICO, and your privacy notice must already tell them that right exists (Article 13(2)(d)). You are far better placed if you can show you dealt with the complaint properly before it got there.

None of this requires a legal department. It requires deciding in advance who does what, so that when a complaint arrives you follow a path instead of freezing.

Why the evidence trail is the real deliverable

Accountability — UK GDPR Article 5(2) — means it isn’t enough to do the right thing; you must be able to show it. A complaint is where that principle gets tested. Two businesses can respond identically, but the one that kept a clear record of what was raised, what it decided, and when it acted is in a completely different position if the matter escalates.

This is the quiet through-line of good compliance: the difference between “we think we handled it” and “here is exactly how we handled it, with dates.” The first is a hope; the second is evidence.

How to get ready

Being ready for complaints is mostly about the basics being in place before you need them: a clear contact route in your privacy notice, a named owner, and the habit of recording what happened. A quick self-check: could you, today, produce the record of your last data-protection complaint with dates and the response you sent? If not, that is the gap to close first. It sits alongside the wider accountability picture: cited findings, an audit trail, and a data map you can actually produce.

GuardianStack is built around that evidence-first idea: findings are cited to the rule behind them, and the workspace keeps an audit trail of what was checked and approved, so “show your working” is the default rather than a scramble. The free public check is the honest starting point — about 30 seconds, read-only.

The bottom line

A data-protection complaint is a process, not a surprise. Decide the route in, the owner, the response, and the record before one arrives — and keep the evidence — and you turn a stressful escalation into something routine and defensible.

Sources

The primary sources behind this guide — check them yourself:

Frequently asked questions

Does a small business need a formal complaints process for data protection?

Yes, in practice. The ICO expects organisations that handle personal data to be able to deal with data-protection complaints properly, which means having a clear route in, an owner, a timely reasoned response, and a record — even for a small business. It doesn't need to be elaborate, but it does need to exist before a complaint arrives.

What counts as a data-protection complaint?

Any time someone raises a concern about how you handle their personal data — objecting to marketing, questioning why you hold data, asking you to correct or delete it, or saying they're unhappy with your handling. They don't need to use the word "complaint" for it to be one.

Why does keeping records of complaints matter?

Because of the accountability principle (UK GDPR Article 5(2)): you must be able to demonstrate compliance, not just claim it. If a complaint escalates to the ICO, a clear record of what was raised, what you decided, and when you acted is what protects you.

See where your store actually stands

Run a free outside-in compliance check of your website — no login required, results in about 30 seconds.
