This month the ICO published its key statistics for 2024, reporting 36,049 completed data protection complaints and 179 completed investigations. In total it issued fines of £1,270,000. The level of complaints is higher than that reported in its annual report for 2022/23 (around 35,000). This insight considers the role of the ICO, the potential implications of a data protection complaint and what you can do to help avoid one.
What is the ICO and what does it do?
The ICO is the UK’s largest independent body set up to uphold information rights. It has various enforcement powers discussed below.
What is a ‘data protection complaint’?
A complaint to the ICO can relate to any issue around personal data, including requests for access to data.
The law provides a series of safeguards to protect individuals’ fundamental rights and freedoms. Essentially, GDPR has placed more power in individuals’ hands and extra responsibilities on organisations. Individuals have various rights under data protection law, including the right to access data held about them by an organisation; a request made under this right is more commonly known as a ‘subject access request’.
Subject access requests and the way that organisations respond to them can be a source of contention and many data protection complaints arise as a result. Common complaints revolve around:
· Subject access requests left unanswered.
· Subject access requests not being answered within the statutory deadline.
· Individuals dissatisfied with the information (or lack of information) being provided and querying any exemptions applied.
Other examples of data protection complaints include data breaches, nuisance calls and unsolicited marketing correspondence.
Individuals have the right to complain to the ICO, but they are advised to complain to the organisation first before reporting the matter to the ICO.
Where a complaint is made to the ICO about your organisation, the ICO will generally then write to you giving you the opportunity to respond.
What’s the deadline for responding to the ICO?
It’s usually 21 days. If you intend to seek legal advice, do so as soon as possible.
What happens if we don’t respond within the deadline?
The result could be detrimental to your organisation because the ICO will either:
1. base its decision on the information available (i.e. the complainant’s account of the complaint); or
2. consider issuing an Information Notice.
An Information Notice requires you to provide information to the ICO within a strict timescale so that it can assess the security of your network and information systems and the implementation of your security policies, including any inspections conducted.
What are the risks of not adequately dealing with an ICO complaint?
If the ICO is dissatisfied with the information you provide they have wider enforcement powers including:
· Issuing an enforcement notice.
· Issuing a penalty notice.
· Exercising their inspection powers.
Wider implications include reputational damage, as ICO decisions are posted online. This may affect your customers and your ability to secure investment, and may lead to litigation.
How can Tozers help you respond to an ICO complaint?
We understand the information required by the ICO and the language and format the ICO requires, and we have a proven track record of defending clients against data protection complaints.
Success at an early stage of the ICO complaints process will help you save the time, cost and stress of dealing with a protracted data protection complaint.
What are Tozers’ top tips to avoid data protection complaints?
1. Review your policies, procedures and written records and identify any gaps, ideally as soon as possible.
2. Train staff on the importance and significance of data protection rights. Seek legal advice if you require help demystifying the legal landscape.
3. Ensure there is a common understanding about data protection exemptions and under which circumstances you may be able to extend the deadline for a subject access request response.
4. Ensure you keep comprehensive records where you make a decision affecting data protection rights, for example why you are relying upon an exemption.
5. Ensure you have a separate complaints policy for data protection complaints from your general complaints policy.
6. Similarly, if you are regulated by the Housing Ombudsman, ensure that data protection complaints are dealt with under a separate policy rather than your general complaints policy, because the Housing Ombudsman has no jurisdiction over data protection matters.
7. Work effectively as an organisation and test your IT systems regularly. Contrary to common belief, an attack on your systems by a malicious actor or a glitch in your IT systems will not be sufficient to excuse non-compliance with an individual’s legal rights under data protection law.
8. If you receive a complaint from the ICO and they refer to evidence provided by the complainant, request a copy from the ICO at an early stage.
9. Review the lessons learned from previous complaints and formulate an action plan. Create deadlines for implementing changes/reviewing your systems and diarise these to stay on track.
10. If you are in any doubt about your data protection compliance, seek expert legal advice.
How can Tozers help?
If you have received a data protection complaint, we can support you through the process: we understand how the ICO works and the information it requires, and we can help articulate your position in the strongest way. We will consider mitigating factors with you and provide both legal and practical advice to assist you with data protection compliance going forward.
Tozers’ expert lawyers can assist you with a broad spectrum of data protection issues. Contact us to speak with one of our expert lawyers today.