If you need to complain to the Information Commissioner’s Office, the hardest part is usually not the form itself but working out whether your issue is ready for the regulator, what evidence matters, and what you should be tracking while you wait. This guide explains how to take a UK data protection complaint from your first complaint to the organisation through to an ICO referral, with a practical checklist you can revisit monthly or quarterly if your issue is ongoing.
Overview
The ICO is the UK regulator for data protection and privacy matters. In plain terms, it deals with concerns about how organisations handle personal data, whether they have responded properly to data rights requests, and whether their privacy practices appear to breach data protection law.
For most people, an ICO complaint is not the first step. Before you complain to the regulator, it is usually sensible to complain to the organisation itself and give it a fair chance to respond. That matters for two reasons. First, many problems are resolved internally once the issue reaches a data protection team, complaints team, or senior manager. Second, if you later complain to the ICO, it helps if you can show that you raised the issue clearly, gave the organisation enough detail to investigate, and kept a record of what happened next.
This article is written as a tracker because privacy disputes often develop over time. You might be waiting for a subject access request response, chasing correction of inaccurate data, objecting to marketing, or trying to stop data being shared. In each of those situations, the practical question is not only how to complain to the ICO in the UK, but also what to monitor from week to week.
Common reasons people make a data protection complaint include:
- an organisation ignoring or mishandling a subject access request;
- personal data being inaccurate and not corrected;
- continued marketing after an opt-out or objection;
- data being shared without a clear justification;
- poor security leading to disclosure of personal information;
- privacy notices being unclear or misleading;
- refusal to delete data without a proper explanation;
- use of personal data that feels excessive, irrelevant, or unfair.
Not every poor experience is an ICO matter. The regulator is concerned with data protection compliance, not every customer service failure. If the core issue is a refund, poor service, discrimination, tenancy repair problem, or banking dispute, you may need a different route alongside or instead of a privacy complaint. For related complaint pathways, it can help to compare specialist guides on areas such as bank complaints and Financial Ombudsman escalation, broadband and mobile complaints, or landlord complaints in the UK.
Before escalating, try to be specific about the legal problem in ordinary language. A clear complaint often follows this structure:
- What personal data is involved.
- What the organisation did or failed to do.
- When it happened.
- What you asked them to do.
- What response, if any, you received.
- What outcome you now want.
If your issue also involves access to information about you, review a dedicated Subject Access Request UK guide before escalating. A poorly framed rights request can complicate a later GDPR complaint in the UK, so it is worth checking the basics early.
What to track
If your complaint may end up with the ICO, keep a running file from the start. This does not need to be elaborate. A dated note, a folder of screenshots, and copies of emails are often enough. What matters is that you can show the timeline without guessing.
1. The exact issue you are complaining about
Write a one-sentence summary that would still make sense if you read it again three months later. For example: “The company continues to send marketing emails after I opted out,” or “My former landlord disclosed my personal data to third parties without explaining why.” If your issue relates to housing, you may also find it useful to read broader complaint routes on council housing complaints or tenancy deposit disputes, especially where privacy issues overlap with tenancy records.
2. Dates and response deadlines
Track the date you first complained, any acknowledgement date, any deadline the organisation gave, and any follow-up dates. Even if you are not relying on a strict legal deadline, timing helps the ICO understand whether the organisation had a reasonable chance to deal with the matter.
Create a simple table with:
- date of your initial complaint;
- date the organisation replied;
- date you chased;
- date you escalated internally;
- date you submitted your ICO complaint;
- date of any further ICO communication.
3. The organisation’s explanation
Do not just keep the parts you disagree with. Preserve the whole explanation. The ICO will usually want to see what the organisation said it was doing, why it believed that was lawful, and whether it offered any remedy. If the organisation changed its explanation over time, note that clearly.
4. Evidence of the personal data problem
The best evidence depends on the issue, but common examples include:
- screenshots of unwanted marketing messages;
- copies of letters or emails containing incorrect personal data;
- account screenshots showing inaccurate details;
- privacy notices, consent screens, or web forms;
- evidence of opt-out requests or objections;
- proof that data was sent to the wrong person;
- copies of identity documents requested by the organisation;
- reference numbers for complaints or rights requests.
Keep your evidence organised by date. If you later complain to the ICO, a short chronology with numbered attachments is usually more useful than a large folder of unlabelled files.
5. The remedy you want
This is often overlooked. Be clear whether you want the organisation to stop processing, correct data, erase data, respond to a request, explain its lawful basis, restrict sharing, or improve security practices. If you want compensation, keep in mind that the ICO route and a compensation claim are not the same thing. A regulator complaint may support your understanding of the issue, but it does not automatically produce damages.
6. Whether there is an overlapping complaint route
Some disputes involve both privacy and something else. For example:
- a bank shares data wrongly and also mishandles your account complaint;
- a telecoms provider misuses data and also bills you incorrectly;
- a landlord mishandles your personal information while also failing to make repairs;
- an insurer uses incorrect personal data during a claim dispute.
In those cases, track the privacy strand separately from the service or financial complaint. You may need parallel routes, such as the ICO for data concerns and an ombudsman or formal complaint process for the underlying service issue. See also our guides to insurance complaints and travel refund rights if your dispute spans different remedies.
7. Any risk of harm or urgency
If the problem creates ongoing risk, note that separately. Examples might include disclosure of your home address, exposure of financial information, or continuing unwanted contact. Avoid exaggeration, but do explain plainly why the issue matters now rather than in the abstract.
Cadence and checkpoints
A privacy complaint is easier to manage if you review it on a set rhythm instead of reacting only when you are frustrated. For most readers, a monthly review is enough for active complaints, with a quarterly review for longer-running issues or repeat problems.
Weekly checkpoint for the first month
In the first few weeks, check whether:
- the organisation acknowledged your complaint;
- you sent the complaint to the right team;
- you were asked for proof of identity or more detail;
- the organisation answered the actual issue instead of a different one;
- you have preserved screenshots before they disappear.
This first checkpoint is mainly about avoiding preventable delays. Many complaints stall because the consumer assumes the organisation understood the problem when it did not.
Monthly checkpoint for active ICO-bound complaints
Once the issue is live, do a monthly review and ask:
- Has the organisation provided a substantive response?
- Has it explained what data it holds and why?
- Has it corrected, deleted, restricted, or stopped processing as requested?
- Has it offered a partial remedy only?
- Has the issue stopped, continued, or worsened?
- Do I now have enough evidence to refer the matter to the ICO?
At this stage, update your chronology and save everything in one place. If you do complain to the regulator, having a clean monthly record makes the process simpler and often more persuasive.
Quarterly checkpoint for repeat or systemic concerns
If the problem affects you repeatedly, a quarterly review is useful even after the immediate complaint. This is especially relevant where:
- marketing restarts after an opt-out;
- incorrect data reappears after being corrected;
- different departments repeat the same privacy error;
- the organisation changes systems, portals, or terms and the same issue returns.
A quarterly review helps you answer a key question: is this a one-off mistake or a recurring compliance problem? That distinction can shape how you present your complaint.
Before submitting your ICO complaint
Run this short pre-submission checklist:
- Have I complained to the organisation first?
- Can I summarise the issue in three short paragraphs?
- Have I attached the most relevant evidence rather than every document I own?
- Can I point to what outcome I wanted and what happened instead?
- Have I removed material that is irrelevant or purely emotional?
A well-focused submission is usually stronger than a long narrative with no clear chronology.
How to interpret changes
When you are dealing with a privacy complaint, not every response means the same thing. The important skill is learning how to read the organisation’s behaviour and decide whether internal escalation is still worthwhile or whether it is time to make an ICO complaint.
If the organisation engages and asks sensible questions
This often suggests your issue is being reviewed properly. Cooperate, but keep boundaries. Provide relevant information, confirm what you are asking for, and note each exchange. Engagement is a good sign, but it is not the same as resolution.
If the organisation gives a generic reply
A vague answer may mean your complaint has not reached the right team or has been treated as a standard customer service issue rather than a data protection complaint. In that case, reply with a short clarification. State the specific data issue, refer to your earlier message, and ask for the matter to be reviewed by the data protection or privacy team if appropriate.
If the organisation partly resolves the issue
Partial outcomes are common. For example, it may stop marketing but refuse to explain earlier processing, or correct one error while leaving related inaccuracies untouched. This does not necessarily mean you should escalate immediately, but it does mean your next letter or email should define what remains unresolved.
If the organisation changes its explanation
This is worth tracking carefully. A change in explanation can simply reflect a fuller investigation, but it may also suggest confusion or weak record-keeping. Note the difference neutrally. Do not overstate it. Just compare the first explanation with the later one and explain why the inconsistency matters.
If the problem continues after promises to fix it
Repeat breaches or repeated unwanted contact after an apparent resolution often strengthen the case for external escalation. This is where your tracker becomes useful. A single screenshot may look minor. Three months of repeated incidents after explicit complaints tell a different story.
If you are thinking about compensation
The ICO is primarily a regulator, not a personal compensation scheme. If your concern is both regulatory and financial, keep those aims separate in your notes. You may need independent advice on whether a civil claim is realistic and what time limits might apply. If you are weighing court action more generally, our UK limitation periods guide and small claims court fees guide can help you frame the practical side.
If your issue is really about access to your information
Sometimes a person believes they need to complain to the ICO when the immediate next step is to tighten up a subject access request or challenge an inadequate response. If the organisation says it cannot identify the data, needs clarification, or is withholding material, compare its position against a structured SAR guide before escalating. That can make your eventual regulator complaint sharper and easier to follow.
When to revisit
This topic is worth revisiting whenever your complaint changes stage, new evidence appears, or the organisation’s behaviour becomes a pattern rather than a one-off mistake. In practical terms, come back to your tracker and update it in the following situations.
- After every substantive response: update your chronology, note what was answered, and list what remains unresolved.
- When a deadline passes without a proper reply: decide whether to chase once more, escalate internally, or move to an ICO complaint.
- When the same privacy issue happens again: add the new incident to the existing record rather than starting from scratch.
- When your goal changes: for example, from wanting an explanation to wanting the processing to stop.
- When another complaint route opens up: such as an ombudsman complaint, employment grievance, or civil claim running alongside the privacy issue.
- On a monthly or quarterly cadence: especially for ongoing marketing, recurring data errors, or platform-based issues that may return after system updates.
If you are ready to escalate, take these action steps:
- Write a final short summary of the issue in plain English.
- Attach your best evidence, not your entire inbox.
- Include the organisation’s responses and dates.
- State what outcome you asked for and what happened instead.
- Keep a copy of everything you submit.
- Diary a follow-up review date so the complaint does not drift.
The main value of an ICO complaint is not speed for its own sake, but clarity. A calm, well-documented complaint is easier for a regulator to understand and easier for you to manage. If you treat the process as something to track rather than a single one-off form, you are much more likely to spot when internal resolution is working, when it is failing, and when it is time to escalate.
For most readers, that is the real answer to how to complain to the ICO in the UK: start with a precise internal complaint, keep a dated record, review the issue on a regular cadence, and escalate only when you can show clearly what went wrong and what you want done about it.