How to Complain to the ICO (Step-by-Step Guide)

If an organisation has mishandled your personal data, complain to the organisation first and give it a chance to put things right. If that does not resolve it, you can complain to the Information Commissioner's Office (ICO), the UK's data protection regulator, online or by post.
What Is the ICO?
The Information Commissioner's Office (ICO) is the UK's independent regulator for data protection. It oversees how organisations, both public and private, handle personal data under the UK GDPR and the Data Protection Act 2018, and it deals with complaints from members of the public about how their data has been handled. The Data (Use and Access) Act 2025 (DUAA) establishes a new body corporate intended to eventually replace the ICO, to be known as the Information Commission. That change is still under way in 2026: the regulator continues to operate and present itself as the ICO, so this guide refers to it as the ICO throughout, and you should do the same when you write to it.
Complain to the Organisation First
Before you complain to the ICO, you should normally complain to the organisation itself and give it a genuine opportunity to investigate and put things right. Many data-protection problems, a subject access request that was ignored, personal data shared with the wrong person, marketing you never agreed to, can be resolved directly once the organisation is aware of them, and the ICO expects you to have tried this route first.

Since 19 June 2026, this step has a firmer legal footing. Section 103 of the Data (Use and Access) Act 2025 requires a controller (the organisation handling your data) to have an accessible way for you to make a complaint, for example an online form. Once it receives your complaint, the organisation must:
- Acknowledge receipt within 30 days
- Investigate without undue delay
- Tell you the outcome
If the organisation does not do this, or you are unhappy with its response, you have a clear basis to escalate to the ICO. Keep a copy of your complaint to the organisation and any reply, since the ICO will usually ask what steps you have already taken.
How to Complain to the ICO
- Complain to the organisation first. Set out what happened, what personal data is involved, and what you want it to do, then give it a reasonable amount of time to respond (organisations now have a legal duty to acknowledge within 30 days).
- Gather your evidence. Note down key dates, keep copies of emails or letters, and write a short timeline of what happened and what you were told.
- Check whether the organisation resolved it. If it has properly addressed your concern, you may not need to go further. If it has not, or you disagree with its response, you can complain to the ICO.
- Use the ICO's online complaint form. The ICO's "Make a complaint" service is the quickest route and takes you through the relevant questions for your type of complaint (for example, a subject access request, marketing, or CCTV). You can also complain by post to the ICO's Wilmslow address if you prefer not to use the online form.
- Describe what happened and what you have already done. Explain which organisation is involved, what data protection issue you think occurred, and confirm that you have already raised it with the organisation (and what it said).
- Wait for the ICO's acknowledgement and initial assessment. The ICO will confirm receipt and decide how to handle your complaint, which can range from informal advice to a full investigation, depending on what it reveals.
- Respond if the ICO asks for more information. Complaints move faster when you promptly answer any follow-up questions or provide documents the ICO requests.
What the ICO Can and Cannot Do for You
The ICO is a regulator, not a court, and its powers reflect that. If it finds an organisation has broken data protection law, it can require the organisation to take specific action, issue a formal reprimand, or impose a fine. What it cannot do is order the organisation to pay you compensation, and it does not act as your personal advocate or lawyer in a dispute with the organisation.

If you have suffered damage or distress because of a data protection breach and you want compensation, that is a claim you bring in the courts, under Article 82 UK GDPR and section 168 of the Data Protection Act 2018, not something the ICO can award. See our guide to data breach compensation for how that route works and why there is no automatic payout.
What to Include in Your Complaint
A complaint that is easy for the ICO (or the organisation) to assess includes:
- Which organisation you are complaining about, with any account or reference number
- What happened, in your own words, with approximate dates
- What data protection right or rule you think was breached, for example an ignored subject access request, data shared without a lawful basis, or a refusal to delete your data
- What you have already done, including when you first contacted the organisation and what it said in reply
- Copies of relevant correspondence, such as emails, letters, or screenshots
- What outcome you are looking for, for example a correction, deletion of data, or a change to the organisation's process
You do not need to cite specific legislation or use technical language. Describing what happened clearly and in order is more useful to the ICO than legal terminology.
Realistic Timescales and Expectations
The ICO deals with a very large volume of complaints, and how long yours takes depends on its nature and complexity. A straightforward complaint that the ICO can resolve with informal advice may be dealt with in weeks; a complaint that leads to a wider investigation of an organisation's practices can take considerably longer. The 30-day acknowledgement duty introduced by the DUAA applies to the organisation's own complaints process, not to a fixed deadline for the ICO itself to conclude its assessment.

It also helps to be realistic about outcomes. The ICO's role is to regulate organisations and improve their data protection practices, which can mean an organisation is told to change a process, delete data, or receives a reprimand or fine, rather than you personally receiving money or a guaranteed apology. If a financial remedy is what you are after, court action for compensation, not an ICO complaint, is the relevant route.
This article explains the general process for complaining about a UK data protection issue and is for general information only; it is not legal advice. Whether a particular complaint will succeed depends on the facts. For your own situation, check current guidance on the ICO website or take independent advice. Data protection is a UK-wide, reserved matter, so this process is the same in England, Wales, Scotland and Northern Ireland; see the UK data privacy hub and the United Kingdom country hub for the wider picture. Related guides include the UK GDPR explained, how to make a subject access request, the right to be forgotten, and data breach compensation if you are seeking a financial remedy through the courts.
Frequently Asked Questions
Do I have to complain to the organisation before I complain to the ICO?
You should normally complain to the organisation first and give it a genuine chance to put things right. The ICO expects this and will usually ask what you have already done before it looks at your complaint.
How do I complain to the ICO?
You can complain online using the ICO's Make a Complaint service, which asks questions relevant to your type of issue, or by post if you prefer. Complaining to the ICO is free.
Is there a time limit for an organisation to respond to my complaint?
Since 19 June 2026, the Data (Use and Access) Act 2025 requires an organisation to acknowledge a data protection complaint within 30 days, investigate it without undue delay, and tell you the outcome.
Will the ICO get me compensation for a data breach?
No. The ICO can investigate, order action, and issue reprimands or fines, but it cannot award you compensation. A compensation claim has to go through the courts under Article 82 UK GDPR and section 168 of the Data Protection Act 2018.
Is the ICO becoming the Information Commission?
The Data (Use and Access) Act 2025 creates a new body corporate intended to eventually replace the ICO, called the Information Commission, but the transition is still under way in 2026 and the regulator still operates and is known as the ICO.
How long does the ICO take to deal with a complaint?
It varies with the complexity of the issue. Straightforward complaints resolved with informal advice can take weeks, while complaints that trigger a wider investigation can take considerably longer.
Does complaining to the ICO cost anything?
No. Making a complaint to the ICO, whether online or by post, is free.
Updates
Section 103 of the Data (Use and Access) Act 2025 came into force, requiring organisations to have an accessible complaints process and to acknowledge a data protection complaint within 30 days, investigate it without undue delay, and give the complainant an outcome.
Sources and References
- ICO: How to make a data protection complaint to an organisation(ico.org.uk).gov
- ICO: I'm worried about how an organisation has handled my information, what should I do?(ico.org.uk).gov
- ICO: Make a complaint(ico.org.uk).gov
- Data (Use and Access) Act 2025, section 103(legislation.gov.uk).gov
- GOV.UK: Data protection - make a complaint(gov.uk).gov