How to Complain to the ICO About a Data Breach

If an organisation has mishandled your personal information, you can complain to the Information Commissioner's Office (ICO) under Article 77 of the UK GDPR and section 165 of the Data Protection Act 2018. The ICO can investigate and penalise the organisation, but it cannot award you compensation.
This page is part of our guide to United Kingdom data privacy laws. It covers only the ICO complaints route and the separate court route for compensation, not the wider UK GDPR framework.
When can you complain to the ICO?
You can complain to the ICO if you believe an organisation has used your personal information in a way that breaks data protection law. The right comes from Article 77 of the UK GDPR (the right to lodge a complaint with a supervisory authority) and section 165 of the Data Protection Act 2018, which gives effect to that right in UK law and sets out what the Commissioner must do when a data subject complains. Common grounds include an organisation ignoring a subject access request, refusing to delete data you are entitled to have erased, sending marketing after you objected, losing or exposing your data, or processing it without a lawful basis.
The complaint must concern your own personal data or data you are authorised to act on. You do not need to show financial loss to complain, and there is no fee. There is also no strict deadline to complain, although the ICO may decline to investigate very old matters or issues already resolved.
Raise it with the organisation first
The ICO expects you to give the organisation a chance to put things right before you escalate. Its public guidance is to contact the organisation directly, explain the problem clearly, and allow it time to respond before bringing the matter to the regulator. When you do complain to the ICO, you are normally asked to provide a copy of the organisation's reply, or evidence that it failed to respond.

The Data (Use and Access) Act 2025 turns this step into a legal duty for organisations. From 19 June 2026, every controller must operate a complaints process, must acknowledge a complaint within 30 days of receiving it, and must then investigate and respond without undue delay, which the ICO interprets as without unjustifiable or excessive delay. Controllers must also provide an easy electronic way to complain and must tell you the outcome.
Watch out: "Acknowledge within 30 days" is not the same as "resolve within 30 days." The 30-day rule is only an obligation to confirm receipt. There is no fixed statutory deadline for the substantive response, so keep a written record of every contact and date.
How to submit a complaint to the ICO
The ICO must make complaining straightforward. Section 165(3) of the DPA 2018 requires it to facilitate complaints, for example by providing a complaint form that can be completed electronically and by other means. In practice you complain through the data protection complaint pages on ico.org.uk, by post, or by phone via the ICO helpline.
To make the complaint effective, include who the organisation is, what happened and when, which of your rights or which data protection rules you think were breached, what you have already done to resolve it with the organisation, a copy of the organisation's response, and what you would like to see happen. You can complain yourself or ask someone to act on your behalf with your authority.
| Step | What you do | Why it matters |
|---|---|---|
| 1. Contact the organisation | Set out the problem in writing and keep dated copies | The ICO expects you to try this first |
| 2. Wait for the response | Allow the organisation a reasonable time to reply | You usually need its reply, or evidence of silence |
| 3. Submit to the ICO | Use the online form, post, or helpline | Section 165 requires the ICO to provide an electronic form |
| 4. Provide evidence | Attach correspondence and a clear timeline | Helps the ICO assess the complaint quickly |
What the ICO does and its timescales
Once the ICO receives your complaint it assesses whether data protection law applies and what action is appropriate. Some complaints are recorded for intelligence and lead to advice rather than a full investigation; others prompt detailed enquiries with the organisation or a formal investigation. Under section 165(4) of the DPA 2018, the Commissioner must take appropriate steps to respond, must inform you of the outcome, and must tell you about your rights under section 166.
On timing, the ICO publishes a service standard that it aims to reach an outcome in 90% of complaint cases within six months. Complex matters and formal investigations can take considerably longer. Throughout, you should receive updates and responses to your correspondence in line with the ICO's service standards. The regulator's focus is on whether the organisation has complied with the law and what it should do to fix systemic problems, not on resolving a private dispute in your favour.
Watch out: A common outcome is the ICO finding an infringement and asking the organisation to improve, without any payment to you. That is the design of the system, not a failure of your complaint.
The ICO's enforcement powers
Where the ICO finds a breach, it has a graduated set of powers under Part 6 of the DPA 2018 and Article 58 of the UK GDPR. It can issue an information notice (requiring the organisation to provide information) or an assessment notice (allowing it to audit), then escalate to formal sanctions if needed.

| Power | What it does |
|---|---|
| Reprimand | A written finding that an organisation has not complied, often with recommended actions; used where the breach does not warrant a fine |
| Enforcement notice | A legally binding order requiring the organisation to take, or stop, specified action |
| Penalty (fine) | A monetary penalty up to GBP 17.5 million or 4% of total annual worldwide turnover for the most serious infringements (higher tier), or GBP 8.7 million or 2% (standard tier) |
Fines are paid to the public purse, not to the individual who complained. The ICO has used these powers in high-profile cases, but most individual complaints end in advice or a reprimand rather than a fine.
The ICO does not award you compensation
This is the single most important point for anyone seeking money back. The ICO regulates organisations; it does not pay compensation to complainants and cannot order an organisation to pay you. If you have suffered loss or distress because of a data protection breach, your claim for compensation is a separate matter that goes to court.
The right to compensation sits in Article 82 of the UK GDPR, which gives a right to compensation for material damage (such as financial loss) and non-material damage. Section 168 of the DPA 2018 confirms that non-material damage under Article 82 includes distress, and section 167 lets a court order a controller to comply with your rights. You do not always have to litigate: an organisation may agree to pay compensation voluntarily. If it refuses, the next step is a claim in the civil courts. Courts have generally required claimants to show actual damage or distress flowing from the breach.
Watch out: An ICO finding that an organisation broke the law can be useful evidence, but it is not a compensation award and does not, by itself, secure a payment. The court route is legally distinct from the complaint route.
What to expect from an investigation
If the ICO opens enquiries, expect a correspondence-led process rather than a court-style hearing. The ICO will contact the organisation, gather information, and assess compliance, keeping you informed of progress in line with its service standards. The outcome may be advice to the organisation, a reprimand, an enforcement notice, a fine, or a decision that no further action is needed.

If the ICO does not respond appropriately or fails to update you on progress or the outcome within three months of receiving your complaint, section 166 of the DPA 2018 lets you apply to the First-tier Tribunal for an order requiring the Commissioner to take appropriate steps within a set time. The Tribunal has stressed that section 166 is about procedural delay, not about second-guessing the merits of the ICO's decision. If you disagree with the substance of the outcome, the realistic routes are to ask the ICO for a case review or to pursue your own court claim.
Frequently Asked Questions
Do I have to complain to the organisation before going to the ICO?
The ICO expects you to raise the issue with the organisation first and give it a chance to respond. When you complain to the ICO you are usually asked to provide the organisation's reply or evidence that it failed to respond. From 19 June 2026, the Data (Use and Access) Act 2025 also requires controllers to operate a complaints process, acknowledge your complaint within 30 days, and investigate without undue delay.
How long does the ICO take to deal with a complaint?
The ICO publishes a service standard that it aims to reach an outcome in 90% of complaint cases within six months. Straightforward complaints may be resolved with advice in less time, while complex matters and formal investigations can take considerably longer. You should receive progress updates in line with the ICO's service standards throughout.
Can the ICO get me compensation for a data breach?
No. The ICO regulates organisations and cannot award or order compensation to you. Compensation is a separate matter that you claim under Article 82 of the UK GDPR and section 168 of the Data Protection Act 2018, which confirms that non-material damage includes distress. An organisation may agree to pay voluntarily; if it refuses, you would make a claim in court.
What can the ICO actually do to an organisation?
Under Part 6 of the Data Protection Act 2018 the ICO can issue information and assessment notices, reprimands, and legally binding enforcement notices, and impose fines of up to GBP 17.5 million or 4% of global annual turnover for the most serious breaches. Fines are paid to the public purse, not to the complainant, and many individual complaints end in advice or a reprimand.
What is a reprimand?
A reprimand is a written finding by the ICO that an organisation has not complied with data protection law, usually setting out the reasons and recommended actions. It is generally used where an infringement is not serious enough to justify a fine or enforcement notice. It is a corrective and reputational measure, not a payment to the person who complained.
What if the ICO does not respond to my complaint?
If the Commissioner fails to take appropriate steps, or fails to tell you about progress or the outcome within three months of receiving your complaint, section 166 of the Data Protection Act 2018 lets you apply to the First-tier Tribunal for an order requiring the ICO to act within a specified period. The Tribunal has held that section 166 addresses procedural delay only, not the merits of the decision.
Is there a fee or a deadline to complain to the ICO?
There is no fee to complain to the ICO and no strict statutory deadline. However, the ICO may decline to investigate very old matters or complaints that have already been resolved, so it is sensible to complain promptly once the organisation has had a chance to respond and to keep dated records of all your contact.
Can I claim compensation and complain to the ICO at the same time?
Yes. The two routes are distinct. A complaint to the ICO under Article 77 of the UK GDPR seeks regulatory action against the organisation, while a compensation claim under Article 82 and section 168 of the DPA 2018 is brought in court. An ICO finding of a breach can be useful evidence in a court claim, but it is not itself a compensation award.
Sources and References
- Data Protection Act 2018, section 165 (complaints by data subjects), legislation.gov.uk
- Data Protection Act 2018, section 166 (orders to progress complaints), legislation.gov.uk
- Data Protection Act 2018, section 168 (compensation; non-material damage includes distress), legislation.gov.uk
- UK GDPR, Article 77 (right to lodge a complaint with a supervisory authority), legislation.gov.uk
- UK GDPR, Article 82 (right to compensation for material or non-material damage), legislation.gov.uk
- ICO: Make a complaint about how an organisation has used your personal information, ico.org.uk
- ICO: How to make a data protection complaint to an organisation, ico.org.uk
- ICO: Our service standards (90% of complaint cases within six months), ico.org.uk