
Complaining to the Information Commissioner about a Data Breach

Complaints · UK-wide · Reviewed by Civil Help editorial team: 13 May 2026 · Next review: 13 May 2027 · 9 min read
Verified against 4 sources

The Information Commissioner's Office (ICO) regulates data protection in the UK. It handles complaints about misuse of personal data, failure to respond to Subject Access Requests, marketing breaches under PECR, and breaches of UK GDPR. Many complaints are resolved with a written reminder to the organisation; serious breaches can lead to fines of up to £17.5 million. This guide explains how to use the ICO and how to claim separately for compensation.

Key points

  • The ICO enforces UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and Freedom of Information.
  • Complaints to the ICO are free. Submit at ico.org.uk/make-a-complaint.
  • The ICO can: investigate and warn, issue enforcement notices, impose monetary penalties (up to £17.5 million or 4% of global turnover under UK GDPR), and prosecute serious offences.
  • Most complaints are resolved with a written warning to the organisation. Fines are rare — usually for serious or repeated breaches.
  • The ICO cannot award compensation to you directly. For compensation, you can claim in the County Court under Article 82 UK GDPR.
  • Compensation for distress alone (no financial loss) is available since Lloyd v Google [2021] — but on a case-by-case basis, not class-action style.
  • Time limit: ICO complaint within 3 months of the issue (extended for good reason); civil claim within 6 years.

What the ICO can and cannot do

The ICO is the UK's independent regulator for data protection. Its main powers:

  • Investigate complaints about how organisations handle personal data.
  • Issue Information Notices requiring organisations to provide evidence.
  • Issue Enforcement Notices requiring organisations to change practices.
  • Issue Monetary Penalty Notices — fines up to £17.5 million or 4% of global turnover under UK GDPR (Art 83); £500,000 maximum under PECR.
  • Prosecute some criminal offences — unauthorised obtaining or disclosure of personal data (section 170 DPA 2018), forced SARs (section 184), and obstruction.
  • Audit public sector organisations and major data controllers.

What the ICO CANNOT do:

  • Order the organisation to pay you compensation. You must claim that separately in court.
  • Reverse the organisation's decision (e.g. compel them to give you a job after a SAR reveals discrimination — that is a different jurisdiction).
  • Investigate complaints that are about data that is not personal data (mostly trade or legal disputes).
  • Force organisations to keep specific data — they regulate processing, not retention strategy.

Common types of complaint

Most ICO complaints fall into one of these categories:

  • Failed Subject Access Request — you asked for your personal data and the organisation did not respond, responded late (more than 1 month), or refused unreasonably.
  • Data breach affecting you — your data was lost, stolen, or disclosed to someone who should not have had it.
  • Inaccurate data — incorrect information held about you, and the organisation refuses to correct it.
  • Unauthorised marketing — texts, calls, or emails after you opted out, or that you never consented to (PECR territory).
  • Excessive data collection — an organisation collecting more than necessary.
  • Refusal of erasure request — you asked for your data to be deleted ("right to be forgotten") and were refused.
  • FOI delays or refusals — public body did not provide information you requested under the Freedom of Information Act 2000.

Before complaining — try the organisation first

The ICO expects you to complain to the organisation first. This is sensible for two reasons:

  1. Most issues are resolved more quickly directly. Organisations are usually motivated to fix issues that could become ICO complaints.
  2. The ICO will often refuse to investigate cases where the organisation has not had a chance to respond.

How to complain to the organisation:

  • Find the Data Protection Officer (DPO) — usually listed on the organisation's privacy notice.
  • Submit a written complaint setting out the specific data protection issue and what you want done.
  • Allow at least 1 month for a substantive response.
  • If unsatisfied, request escalation through any internal review process.
  • Get a "final response" or "deadlock" letter — this is the trigger for ICO escalation.

How to complain to the ICO

Submit at ico.org.uk/make-a-complaint. Include:

  • The organisation's name and address.
  • Your data protection issue, in concrete terms.
  • What you asked the organisation to do.
  • Their response (if any).
  • Copies of supporting evidence — emails, letters, screenshots, the original SAR.
  • What you want the ICO to do (investigate, warn the organisation, change practices).

Process:

  1. Acknowledgement within days.
  2. Case officer assigned within 1-3 months.
  3. Investigation — the case officer writes to the organisation, requests evidence, drafts an opinion.
  4. Outcome — usually a letter explaining what the ICO found and what they have asked the organisation to do.
  5. If serious, the case may be escalated to enforcement action (fines, regulatory orders).

Most complaints are resolved within 6 months. Complex investigations (especially involving large data sets or sectors) can take 12-18 months.

Claiming compensation in court (separately)

The ICO does not award you compensation. To get compensation:

  • Claim in the County Court under Article 82 UK GDPR — material damage (financial loss) and non-material damage (distress, anxiety).
  • Time limit: 6 years from the breach (Limitation Act 1980 s.5).
  • The ICO's decision (if it upheld your complaint) is strong supporting evidence for the court claim, though not binding.
  • Awards: small money claims for distress typically £100-£2,000; serious cases (identity theft, ongoing harassment from leaked data) £5,000-£25,000+; severe cases (e.g. NHS data leaks causing harm) can exceed £100,000.

The Supreme Court in Lloyd v Google [2021] UKSC 50 confirmed that compensation for distress alone is available, but on an individual basis — there is no representative or class action route under DPA 2018. Each affected person must claim individually unless joined under a Group Litigation Order.

Frequently asked questions

How long does the ICO take to investigate?

Most complaints are resolved within 6 months. Complex cases involving large data sets, multiple parties, or significant public interest can take 12-18 months.

Will my name be public?

Generally no. The ICO redacts complainant details from published decisions; the organisation is named.

Can I get compensation through the ICO?

No. The ICO does not award compensation. For that, claim in the County Court under Article 82 UK GDPR within 6 years of the breach.

What if my data was leaked years ago and I just found out?

Where there has been fraud or concealment, the time limit usually runs from the date of discovery. For ICO complaints, raise the issue as soon as you become aware of it. For court claims, the 6-year limitation period may be extended where the breach was concealed.

Can I take legal action AND complain to the ICO?

Yes. Both routes can run in parallel: the ICO is the regulator (administrative remedy), and the court provides civil compensation. Most lawyers will tell you to do both.

Official bodies and resources

  • Citizens Advice (charity) — provides free, confidential, and independent advice on a wide range of issues including benefits, housing, debt, and employment.

Disclaimer

This information is for general guidance only and does not constitute legal advice. You should seek qualified legal help if your situation requires it.