How long does an ICO complaint take?

The ICO aims to resolve most complaints within three months. Simple cases may be resolved faster, while complex investigations can take longer. The ICO will keep you updated on progress.

Is there a fee to complain to the ICO?

No. Complaining to the ICO is completely free. You don't need a solicitor to make a complaint.

Can I complain to the ICO anonymously?

You can report concerns anonymously, but the ICO may not be able to investigate fully or keep you updated without your contact details. For personal complaints about your own data, you'll need to identify yourself.

What can the ICO do if my complaint is upheld?

The ICO can require the organisation to comply with data protection law, issue reprimands, order them to take specific actions, and in serious cases issue fines of up to £17.5 million or 4% of global turnover. However, the ICO cannot award you compensation — only the courts can do that.

How to Make an ICO Complaint (Step-by-Step)

Published: December 2025 · 10 minute read

If an organisation has mishandled your personal data, ignored your Subject Access Request, or breached data protection law, you can complain to the Information Commissioner's Office (ICO). The ICO is the UK's independent regulator for data protection and has real powers to investigate and take action.

This guide walks you through the complaint process step by step — what you need before you start, how to submit your complaint, and what happens afterwards.

What the ICO Can Do

The ICO can investigate complaints, require organisations to comply with the law, issue reprimands, order specific actions, and impose fines of up to £17.5 million. However, the ICO cannot award you compensation — only the courts can do that.

Before You Complain: Try to Resolve It First

The ICO expects you to contact the organisation directly before making a complaint. This isn't just bureaucracy — many issues get resolved at this stage, and it strengthens your complaint if they don't.

You should:

Write to the organisation explaining your concern
Give them a reasonable time to respond (usually 2-4 weeks)
Keep copies of all correspondence
If they have a formal complaints process, use it

If they don't respond, respond inadequately, or you're not satisfied with their response, you can then escalate to the ICO.

Time Limit

You should complain to the ICO within three months of your last meaningful contact with the organisation about the issue. After this, the ICO may decline to investigate.

Step-by-Step: Making Your ICO Complaint

1 Gather Your Evidence

Before you start the complaint form, collect:

Copy of your original request or communication
Proof of when you sent it (email timestamp, postal receipt)
Any responses you received from the organisation
Your follow-up correspondence
Notes of any phone calls (date, time, who you spoke to, what was said)

2 Go to the ICO Website

Visit ico.org.uk/make-a-complaint. You'll be asked what type of concern you have. Common options include:

"I asked for my personal information and didn't get it" (for SAR complaints)
"My personal information has been misused"
"I've received nuisance calls, texts or emails"
"I'm concerned about how an organisation handles personal information"

3 Complete the Online Form

The form will ask for:

Your details — name, address, contact information
Organisation details — who you're complaining about
What happened — a clear description of the issue
When it happened — key dates
What you want — what outcome you're seeking
What you've done so far — your attempts to resolve it

4 Upload Supporting Documents

You can attach documents to your complaint. Include:

Your original request/complaint to the organisation
Their response (if any)
Your follow-up communications
Any other relevant evidence

Keep file sizes reasonable and use common formats (PDF, Word, images).

5 Submit and Note Your Reference Number

After submitting, you'll receive a confirmation with a reference number. Keep this safe — you'll need it for any follow-up communication with the ICO.

What Happens After You Complain

Acknowledgement

The ICO will acknowledge your complaint, usually within a few days. They'll confirm your reference number and may ask for additional information if needed.

Assessment

The ICO will assess whether your complaint falls within their remit and whether there's enough evidence to investigate. Not every complaint leads to a full investigation — the ICO prioritises cases based on factors like seriousness, number of people affected, and whether there's a pattern of behaviour.

Investigation

If the ICO decides to investigate, they may:

Contact the organisation for their response
Request documents and evidence
Ask you for additional information
In serious cases, conduct inspections

Outcome

The ICO will tell you the outcome of their investigation. Possible outcomes include:

No breach found — the organisation acted lawfully
Informal resolution — the ICO helps resolve the issue without formal action
Recommendations — the ICO advises the organisation to change their practices
Enforcement action — formal warnings, enforcement notices, or fines

Timescales

The ICO aims to resolve most complaints within three months, but complex cases can take longer. The ICO will keep you updated on progress. If you haven't heard anything for a while, you can contact them with your reference number.

Tips for a Strong Complaint

Be specific — include dates, names, and exactly what happened
Stay factual — avoid emotional language; stick to the facts
Show your efforts — demonstrate you tried to resolve it first
Be clear about what you want — state the outcome you're seeking
Include evidence — documents strengthen your complaint
Keep it focused — one clear complaint is better than multiple vague ones

ICO Complaint Checklist

Contacted organisation directly first
Gave them reasonable time to respond
Kept copies of all correspondence
Within three months of last contact
Have proof of dates and communications
Know what outcome you want
Documents ready to upload

What If the ICO Doesn't Investigate?

The ICO doesn't investigate every complaint. If they decide not to investigate yours, they'll explain why. Common reasons include:

You haven't tried to resolve it with the organisation first
The complaint is outside the three-month time limit
It's not a data protection matter (wrong regulator)
There's insufficient evidence
The matter is too minor to warrant investigation

If you disagree with their decision, you can ask them to review it. If you're still not satisfied, you may be able to challenge their decision through judicial review, though this is rare and expensive.

Alternatives to an ICO Complaint

An ICO complaint isn't your only option:

Court action — You can apply for a court order requiring the organisation to comply (s.167 DPA 2018) and/or claim compensation (Article 82 UK GDPR)
Sector-specific regulators — For financial services, try the Financial Ombudsman; for NHS, try the Parliamentary and Health Service Ombudsman
Professional bodies — Solicitors, doctors, and other professionals have their own regulators

Need Help With Your ICO Complaint?

Clear Draft can help you prepare a clear, well-evidenced complaint to the ICO, or draft the follow-up letters you need before complaining.

Request a Quote