Dealing with data protection complaints

What’s changing on 19 June, and why does it matter?

19 June sees a small but significant amendment to data protection law come into force. As of that date, organisations are required to have a procedure in place for dealing with data protection complaints.

In a move to try and address the backlog of complaints with the Information Commissioner’s Office (ICO) there will be a requirement to first raise a complaint with the organisation itself before the ICO will consider the complaint. The ICO will require evidence that the data subject has sought to address their issue directly with the organisation before contacting them. In fact, the complaint procedures on the ICO website already reflect this.

What does this mean for organisations?

Many organisations will already have a complaints procedure in place and so will be able to adapt this to take account of data protection complaints.

This may require a review of the wording in those procedures to ensure it is clear that data protection is covered and to give information about complaining to the ICO if the complaint is not resolved to the complainant’s satisfaction.

Where there is no such complaints procedure in place then one will need to be created. The legislation itself suggests that one option is to create online forms to make it easier to complain.

How long do organisations have to deal with a complaint?

The key requirement from the legislation is that the complaint is acknowledged within 30 days of receipt.

There is no specific timeline for resolving the complaint (recognising that some are more complex than others) but it must be resolved without undue delay.

What documents should organisations update?

Where organisations are adding data protection to existing complaints policies and procedures, employees could be dealt with separately as they will have their own grievance route.

Other documentation that will need to be updated will include privacy policies, which should make it clear that the route to complain is firstly the organisation’s complaints procedure and then secondly the ICO. Similarly, any pro forma documentation for responding to requests from data subjects (including data subject access requests) should be updated to refer to the right to complain.

If you have any questions, please get in touch with a member of our Data Protection and Privacy team.

Contributors: