ICO Complaint Form Guide (2026)

ICO Complaint Form Guide (2026)

When an organisation fails to comply with its data protection obligations — whether by ignoring a Subject Access Request, refusing to erase your data without justification, mishandling your personal information, or committing a data breach — you have the right to complain to the Information Commissioner’s Office (ICO). The ICO is the UK’s independent data protection regulator, and a formal complaint to it can prompt investigation, enforcement action, and, in serious cases, substantial fines against the offending organisation.

This guide explains when to complain to the ICO, how to prepare an effective complaint, what the ICO will and will not do, and how to use the outcome in any parallel legal proceedings.

<

div style=”margin:24px 0;padding:18px;background:#f8f8fc;border-radius:8px;”>

When Do You Need to Complain to the ICO?

An ICO complaint is appropriate when an organisation has breached the UK General Data Protection Regulation (UK GDPR) or the Data Protection Act 2018 (DPA 2018) and has failed to resolve the matter directly with you. Common triggers include:

• A Subject Access Request has been ignored. The 30-day deadline has passed with no response and your follow-up has also been ignored.
• A Subject Access Request has been refused without adequate justification. The organisation has cited an exemption but has not explained it convincingly, or has applied it too broadly.
• A SAR response is clearly incomplete. You have reason to believe the organisation holds more data about you than it has disclosed.
• A data breach has affected you. Your personal data has been lost, stolen, or disclosed without authorisation, and the organisation has either failed to notify you or has handled the breach in a way that leaves you exposed.
• Your right to erasure has been refused. You made a valid erasure request under Article 17 UK GDPR and the organisation declined without a lawful basis, or ignored the request altogether.
• Your data has been processed unlawfully. You believe the organisation is using your personal data without a valid lawful basis under Article 6 UK GDPR, or has used it in a way that exceeds the purpose for which it was collected.
• Your right to object has been ignored. You exercised your right to object to processing under Article 21 UK GDPR and received no response or an inadequate one.
• Direct marketing has continued after you opted out. Repeated direct marketing after you have clearly withdrawn consent is a breach of both UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR).

Before complaining to the ICO, you are expected to have raised the matter directly with the organisation and given them a reasonable opportunity to respond. The ICO will ask whether you have done this. If you have not, they will typically direct you back to the organisation first.

What an ICO Complaint Involves

An ICO complaint is a formal submission to the regulator asking it to investigate an organisation’s conduct and, if a breach is established, to take regulatory action. It is not the same as a civil claim for compensation — the ICO does not award damages to individuals. However, an ICO investigation and any resulting regulatory findings can be highly significant in parallel civil proceedings.

The complaint is made using the ICO’s online complaint form, which is available at ico.org.uk. There is no fee. The process is accessible to individuals without legal representation.

The ICO will assess your complaint and decide whether to investigate. Not every complaint leads to a full investigation — the ICO prioritises cases based on the seriousness of the breach, the risk of harm, and the wider public interest. However, even where the ICO does not pursue a full investigation, it may contact the organisation on your behalf and secure a response or resolution that you could not obtain directly.

Step by Step: How to Submit an ICO Complaint

1. Exhaust the Internal Route First

Before contacting the ICO, write to the organisation formally, referencing the specific breach and asking for a response within a defined period — typically 14 to 21 days. Keep a copy of this letter and any response. If the organisation does not respond, or responds inadequately, you have satisfied the requirement to attempt direct resolution.

2. Gather Your Evidence

Before completing the complaint form, assemble the following:

• A copy of your original SAR, erasure request, or other communication.
• Evidence of sending (email sent folder, postal tracking number, or read receipt).
• Any response received from the organisation, including any refusal or partial response.
• Notes of any telephone conversations with dates, names, and what was said.
• Any relevant correspondence that preceded the data protection issue — for example, emails or letters that demonstrate the context of your dispute with the organisation.
• Details of any harm you have suffered as a result of the breach: financial loss, distress, reputational damage, or practical consequences.

The ICO cannot compel you to provide evidence, but the stronger your submission, the more likely it is to prompt a substantive investigation.

3. Access the ICO Complaint Tool

Navigate to ico.org.uk and use the “Make a complaint” tool. The ICO provides a guided questionnaire that helps you identify the type of complaint and the organisation involved. This ensures your complaint reaches the correct team.

4. Identify the Organisation

You will need to provide the full legal name and contact details of the data controller you are complaining about. Where possible, include their ICO registration number — organisations that process personal data are required to register with the ICO, and the ICO’s public register is searchable on their website. Providing the registration number avoids delays caused by identifying the correct legal entity.

5. Describe the Breach Clearly

The complaint narrative is the most important part of your submission. Explain:

• What the organisation did, or failed to do.
• When it happened and for how long the breach has persisted.
• What rights you exercised and what response, if any, you received.
• What harm you have suffered or are at risk of suffering.
• What outcome you are seeking — for example, that the organisation be required to comply with your SAR, or that it be investigated for its data breach handling.

Write in plain, factual language. Do not exaggerate. The ICO is a professional regulator and responds best to measured, evidence-based submissions. Emotional language will not strengthen your case; factual precision will.

6. Upload Supporting Evidence

The ICO complaint portal allows you to upload documents. Attach your SAR, any correspondence, and any other relevant evidence. Label documents clearly so the ICO caseworker can follow the chronology without difficulty.

7. Submit and Note Your Reference Number

On submission, the ICO will provide a reference number. Keep this. All future correspondence with the ICO should quote it. You will typically receive an acknowledgement within a few days confirming the complaint has been received and is under assessment.

8. Respond to ICO Enquiries Promptly

The ICO may contact you for further information during its assessment. Respond promptly and fully. Delay on your part can delay the investigation and, in some cases, lead the ICO to close the case without a full outcome.

Key Deadlines and Timescales

There is no formal statutory limitation period for ICO complaints. However, the ICO takes account of delay in its assessment. If you wait a year to complain about a breach that you were aware of at the time, the ICO may give less weight to your complaint. It is best practice to complain within three to six months of exhausting the internal route.

Note that civil claims for compensation under Section 169 DPA 2018 are subject to the Limitation Act 1980. The standard limitation period for tort claims is six years from the date the cause of action accrued. Data breach claims may also have arguments based on the three-year personal injury limitation period where the primary harm is distress. If you are considering a civil claim alongside an ICO complaint, take advice on limitation at the earliest opportunity.

What Happens After You Submit Your Complaint?

The ICO will carry out an initial assessment to decide how to handle your complaint. Possible outcomes include:

• Referral back to the organisation. Where the internal resolution process has not been properly exhausted, the ICO may ask you to raise the matter with the organisation first and come back if it is unresolved.
• Informal resolution. The ICO may contact the organisation on your behalf. Many organisations, upon learning that a complaint has been made to the regulator, will comply with outstanding obligations promptly.
• Formal investigation. For more serious or systemic breaches, the ICO may open a formal investigation. The organisation will be required to provide information and explain its position. The ICO may issue a formal reprimand, an enforcement notice, or an assessment notice.
• No further action. Where the ICO concludes that there is insufficient evidence of a breach, or that the breach does not meet the threshold for regulatory action, it will close the complaint. You will receive written reasons and may have limited options to challenge this outcome.
• Monetary penalty. For serious breaches — particularly those involving large volumes of data, sensitive categories of data, or deliberate or negligent conduct — the ICO may impose a financial penalty. These can be substantial for large organisations.

An ICO decision that a breach has occurred is not legally binding in civil proceedings, but it is highly persuasive. Courts will take note of a regulatory finding that an organisation failed to comply with data protection law, and it may significantly strengthen a compensation claim under Section 169 DPA 2018 or a related cause of action.

Common Mistakes to Avoid

1. Complaining to the ICO before raising it with the organisation. The ICO expects you to have attempted direct resolution first. Skipping this step typically results in your complaint being redirected, causing delay.

2. Failing to provide evidence. A complaint based only on a narrative account, with no supporting documents, is much harder for the ICO to investigate. Attach everything you have.

3. Being imprecise about dates and events. The ICO needs to understand the chronology clearly. Vague statements such as “a while ago” or “several times” are unhelpful. Use specific dates wherever possible.

4. Expecting compensation from the ICO. The ICO is a regulator, not a compensation tribunal. If you have suffered damage and want compensation, you must bring a civil claim under Section 169 DPA 2018 — the ICO complaint and the civil claim are parallel routes, not alternatives.

5. Complaining about every minor issue. The ICO prioritises complaints based on harm and public interest. If you dilute a substantive complaint with numerous minor grievances, the most serious matters may receive less attention. Focus on the most important breaches.

6. Not following up. ICO complaints can take considerable time. If you have not heard anything for several months, it is reasonable to contact the ICO quoting your reference number and asking for a status update.

7. Ignoring parallel time limits. The ICO complaint does not pause any limitation period that may apply to a civil claim for compensation. If you are considering civil proceedings, do not assume that waiting for the ICO outcome is safe from a limitation perspective. Take advice on limitation as early as possible.

Legal Framework

The ICO’s powers and the individual’s right to complain are grounded in the following legislation:

• UK General Data Protection Regulation (UK GDPR) — Articles 77 to 79 give individuals the right to lodge a complaint with the supervisory authority, the right to an effective judicial remedy against the supervisory authority if it does not handle the complaint properly, and the right to an effective judicial remedy against a controller or processor.
• Data Protection Act 2018 (DPA 2018) — Part 5 (Sections 115–165) governs the ICO’s enforcement powers, including its ability to issue information notices, assessment notices, enforcement notices, and penalty notices.
• Section 169 DPA 2018 — gives any person who suffers damage as a result of a breach of data protection legislation the right to bring a civil claim for compensation against the controller or processor responsible.
• Privacy and Electronic Communications Regulations 2003 (PECR) — enforced by the ICO alongside UK GDPR. Relevant where the breach involves direct marketing, cookies, or electronic communications.

Related Court Forms & Guides

• Form N260: Statement of Costs — the costs schedule used at summary assessment.
• Form N244: Application Notice — the form for interim applications.
• Start a Money Claim Online (OCMC) — where most civil money claims begin.
• Particulars of Claim — setting out the basis of your claim.
• Civil Court Forms Index — every civil court form guide in one place.

How Chris Can Help

An effective ICO complaint requires a clear, structured, evidence-based narrative. A poorly written complaint is more likely to be assessed as lower priority or referred back to you. Chris can draft your ICO complaint in the correct format, identify the most relevant breaches to include, and prepare the supporting correspondence that strengthens your submission.

If you have already received an ICO outcome and wish to pursue a civil claim for compensation, Chris can assist with that too.

Start My Case — £30 · No subscription. 7-day money-back guarantee. Instant access.

Frequently Asked Questions

Q: Does making an ICO complaint cost anything?
A: No. Submitting a complaint to the ICO is free. There are no filing fees and no requirement to use a legal representative.

Q: Will the ICO always investigate my complaint?
A: No. The ICO triages all complaints and decides whether to investigate based on the seriousness of the alleged breach, the risk of harm, and the public interest. Some complaints are resolved informally by the ICO contacting the organisation on your behalf. Others are not taken forward. However, even where the ICO does not formally investigate, the submission creates a record and may prompt the organisation to comply.

Q: Can I complain to the ICO and also bring a civil claim?
A: Yes. These are separate routes and you can pursue both simultaneously. The ICO complaint does not prevent you from bringing a civil claim under Section 169 DPA 2018, and a civil claim does not prevent you from complaining to the ICO. Be mindful of limitation periods for the civil claim — they run independently of the ICO process.

Q: What if the ICO decides not to investigate my complaint?
A: You will receive a written decision with reasons. In most cases there is no formal right of appeal to the ICO. However, if you believe the ICO has failed to handle your complaint properly, you can complain to the Parliamentary and Health Service Ombudsman (PHSO), which has oversight of certain ICO processes. You can also pursue a judicial remedy in the courts under Article 78 UK GDPR if the ICO has failed to handle your complaint within a reasonable time.

Q: How long does an ICO investigation take?
A: This varies significantly depending on the complexity of the case and the ICO’s workload. Simple complaints may be resolved within a few months. Complex investigations can take considerably longer. The ICO publishes information on its website about current case-handling times. Do not assume the process will be swift — plan accordingly, particularly if limitation periods for civil proceedings are relevant to your case.

Frequently asked questions

When should I complain to the ICO?

An ICO complaint is appropriate when an organisation has breached UK GDPR or the Data Protection Act 2018 and has failed to resolve it with you directly — for example an ignored or unjustifiably refused Subject Access Request, a clearly incomplete SAR response, a data breach affecting you, a refused right to erasure under Article 17, unlawful processing under Article 6, an ignored right to object under Article 21, or direct marketing continuing after you opted out.

Do I have to contact the organisation before complaining to the ICO?

Yes. You are expected to have raised the matter directly with the organisation and given it a reasonable opportunity to respond. The ICO will ask whether you have done this, and if you have not it will typically direct you back to the organisation first. Best practice is to write formally, reference the specific breach and ask for a response within a defined period.

Is there a fee to complain to the ICO?

No. The complaint is made using the ICO’s online complaint tool, available at ico.org.uk, and there is no fee. The process is designed to be accessible to individuals without legal representation.

Will the ICO award me compensation?

No — the ICO does not award damages to individuals. It is a regulator that can investigate and take regulatory action such as a reprimand, enforcement notice or monetary penalty. However, an ICO finding that a breach occurred can be highly persuasive in a parallel civil compensation claim, even though it is not legally binding in court.

Is there a deadline for complaining to the ICO?

There is no formal statutory limitation period for ICO complaints, but delay weakens your case — the ICO takes account of delay in its assessment. It is best practice to complain promptly after exhausting the internal route. Civil compensation claims, by contrast, are subject to the Limitation Act 1980, so take advice on limitation at the earliest opportunity if you are considering a court claim alongside.

What evidence should I gather before I complain?

Assemble a copy of your original SAR, erasure request or other communication; evidence of sending it; any response or refusal received; notes of any phone conversations; relevant prior correspondence showing the context; and details of any harm suffered. The stronger and clearer your evidence, the more likely the ICO is to pursue a substantive investigation.

Related guides: Subject Access Request guide · N1 claim form guide · All civil court forms