When you receive a data protection complaint, you must
- acknowledge the complaint within 30 days
- investigate the complaint without undue delay
- keep the complainant informed of progress
- provide an outcome without undue delay
- keep appropriate records of your actions
Having a clear and structured approach can help resolve concerns more quickly and reduce escalation to the Information Commissioner’s Office (ICO).
Time limits for acknowledging the complaint
You must acknowledge receipt of a data protection complaint within 30 days. The time limits state that
- this 30-day period begins on the day after you receive the complaint
- if the deadline falls on a weekend or public holiday, you have until the next working day to acknowledge the complaint
Keep a record of when and how you acknowledged the complaint to show you met the 30-day rule. During staff absences, put in place arrangements to ensure complaints are acknowledged within the appropriate time limits.
How to acknowledge the complaint
In your acknowledgement, you should confirm that you have received the complaint and will investigate it. You can normally respond using the complainant’s preferred contact method, unless they ask you to respond in a different way.
How to investigate the complaint
Your obligation to investigate begins when you receive the complaint, not after the 30-day acknowledgement period. You must investigate complaints without undue delay.
The investigation should be proportionate to the circumstances and may include
- reviewing relevant records and evidence
- speaking to relevant staff members
- comparing the complaint with the information you hold
- checking compliance with your policies, procedures and legal obligations
If the complaint is unclear, seek clarification as soon as possible. You can also ask the complainant what outcome they want (for example, an apology, correction or process change) to help you narrow the scope of the investigation and resolve the complaint more quickly.
What does ‘without undue delay’ mean?
Without undue delay means without an unjustifiable or excessive delay. The time needed to investigate a complaint will depend on many factors, including
- the complexity of the issues
- the scale of the issue
- any harm the complainant may be experiencing as a result of the issue
If you decide to use any internal timescales, these must not delay your investigation. You must complete the investigation as soon as the circumstances allow. You must also be able to explain the approach you have taken.
Keep the complainant informed
You must keep the complainant updated on progress without undue delay. If your investigation is likely to take time, you should
- explain the expected timescales
- provide updates on progress
- explain any delays
- give a point of contact for questions
Maintaining clear communication with the complainant can help build trust and support early resolution. At the end of your investigation, you must provide an outcome to the complainant.
Keep records of your data protection complaint actions
You should keep accurate and up-to-date records of
- when the complaint was received
- when it was acknowledged
- relevant conversations and evidence
- the outcome of the complaint
- any actions taken as a result
Good record keeping provides evidence of compliance and can help you identify recurring issues or opportunities for improvement. Do not keep personal information for longer than you need it.
