Once you have completed your data protection complaint investigation, you must provide the complainant with an outcome without undue delay. This is also a good time to consider if any improvements are needed to prevent similar complaints in future.
Provide an outcome to the complainant
You must tell the complainant the outcome of your investigation without undue (unjustifiable or excessive) delay.
In some cases, you may provide the outcome and the acknowledgement of the complaint together if both can be completed within the required 30-day timeframe.
Your response should explain
- the conclusions you reached
- the reasons for your decision
- any action you have taken, or plan to take, as a result of the complaint
- where relevant, why you believe you have complied with data protection law
You should provide enough information to help the complainant understand how you reached your decision. Where a complaint covers multiple issues, it may be helpful to address each issue separately.
If the complainant is unhappy with the outcome
If the complainant is unhappy after you close the investigation, you may offer more detail or clarify your decision, or consider having a review process, if appropriate.
It’s also good practice to remind them of their right to complain to the Information Commissioner’s Office (ICO). People can complain to the ICO at any point; they do not need to wait for your outcome.
Find out how the ICO deals with data protection complaints.
Review lessons learned
After closing the complaint, you should review what happened and record any recurring issues or trends, actions taken to address problems, and opportunities to improve compliance and service delivery.
