The United Kingdom's General Data Protection Regulation (UK GDPR) is the UK's main privacy law. Organizations that are required to comply with the UK GDPR must take certain steps to deal with any data protection complaints they receive.
This article will explain what the UK GDPR is, who it applies to, what a data protection complaint is, and who is responsible for dealing with data protection complaints. It will take you through the step-by-step process you need to follow in order to properly handle any data protection complaints made to your organization.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
-
At Step 1, select the Website option or App option or both.
-
Answer some questions about your website or app.
-
Answer some questions about your business.
-
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. What is the UK GDPR and Who Does it Apply to?
- 1.1. Data Processors and Controllers
- 1.2. What is Personal Data?
- 2. What is a Data Protection Complaint?
- 3. Who is Responsible for Dealing With UK Data Protection Complaints?
- 4. How to Inform Consumers About Their Right to File a Data Protection Complaint
- 5. What to Do When You Receive a Data Protection Complaint
- 5.1. 1. Acknowledge the Complaint
- 5.2. 2. Research the Complaint
- 5.3. 3. Keep in Contact
- 5.4. 4. Record Everything
- 5.5. 5. Respond to the Complaint
- 5.6. 6. Review What Happened
- 6. Best Practices for Avoiding Data Protection Complaints
- 6.1. Lawfulness, Fairness, and Transparency
- 6.2. Purpose Limitation
- 6.3. Data Minimization
- 6.4. Accuracy
- 6.5. Storage Limitation
- 6.6. Integrity and Confidentiality
- 6.7. Accountability
- 7. Summary
What is the UK GDPR and Who Does it Apply to?
The UK GDPR is a combination of the European Union's (EU) GDPR and the UK's Data Protection Act of 2018. The UK GDPR requires organizations that meet its criteria to have specific measures in place to protect UK residents' personal data.
The UK GDPR functions to protect UK residents' privacy and personal data rights, and to inform organizations about the kinds of data protection systems they should have in place in order to comply with the law.
The UK GDPR applies to organizations that are based in the UK or that supply goods or services to residents of the UK. It does not apply to personal data that is processed for certain law enforcement or national security purposes, or to personal data that is processed by individuals for non-commercial purposes.
Data Processors and Controllers
Data processors are those who process personal data for data controllers. Data processors are responsible for keeping records of how personal information is used, and are legally responsible for any violations or security breaches.
Data controllers are those who make decisions about how to handle personal data, and are responsible for complying with the UK GDPR.
Article 5 of the UK GDPR explains that data controllers are responsible for upholding the law's seven basic principles:
What is Personal Data?
Personal data is defined by the UK GDPR as any information that can be used on its own or in combination with other data to identify an individual. Personal data can include names, ID numbers, IP addresses, and cookie identifiers, among other identifying information.
What is a Data Protection Complaint?
A data protection complaint is a complaint an individual can make to an organization if they have had issues accessing their personal data from the organization, or if they don't think their personal data or others' personal data is being handled properly by the organization.
The UK Information Commissioner's Office (IPO) is the supervisory body that protects UK residents' information rights. It requests that individuals file complaints with the offending organization first, before complaining to the IPO.
If consumers haven't heard back from the organization within 30 days, or if they are unhappy with the results they receive from the organization, then they can file a complaint with the IPO.
You should take data protection complaints seriously, and respond to them as soon as possible.
Who is Responsible for Dealing With UK Data Protection Complaints?
Certain organizations are legally required to have a Data Protection Officer (DPO) in their employ. A DPO is a data protection expert who understands the ins and outs of the UK GDPR, and can help you to comply with its requirements. A DPO can function as an intermediary between any individuals filing data protection complaints and the IPO.
You should have a DPO if your organization is a public authority or body, or if you process personal data, special categories of data, or data concerning criminal offenses on a large scale.
Even if you aren't legally required to have a DPO, it's still a good idea to appoint one, as a DPO can help to ensure that your organization prioritizes privacy rights. DPOs can also conduct data protection trainings for your organization, communicate with the IPO, and run regular security audits.
If you aren't legally required to have a DPO and decide not to appoint one, you should choose an individual who understands the UK GDPR requirements to deal with data protection complaints.
How to Inform Consumers About Their Right to File a Data Protection Complaint
One of the most effective ways to inform consumers of their rights (and let them know how you treat their personal data) is to maintain a Privacy Policy on your website and apps.
In order to comply with the UK GDPR you will need to inform consumers of their privacy and data protection rights, including the right to object to how their data is processed, and the rights to access, correct, or delete their personal data. You should also inform consumers how they can file a data protection complaint concerning these rights.
Your Privacy Policy should include the contact information for your DPO or whomever is responsible for dealing with your data protection complaints.
Tesco's Privacy Policy includes a How can I contact Tesco about my data? clause that gives users multiple ways to make a data protection complaint, including by phone, mail, and email, or via a contact form:
Next we'll look at what you need to do when you receive a data protection complaint.
What to Do When You Receive a Data Protection Complaint
The IPO created a six-step manual to guide organizations through the process of handling a data protection complaint. The steps are as follows:
1. Acknowledge the Complaint
When it comes to data protection complaints, communication is key. To properly acknowledge the complaint, you should:
- Respond to any data protection complaints you receive as soon as possible
- Explain the steps that you are taking to resolve the issue
- Include contact information for the person who is handling the case
- Let the individual know when they can expect to hear back from you
2. Research the Complaint
You should have an individual or a team in place who knows how to thoroughly investigate the complaint.
Don't be afraid to reach out to the individual who filed the complaint to ask questions about the complaint and learn more about the incident. The person who investigates the complaint should understand how to compare the data from the complaint with your organization's back end data.
3. Keep in Contact
Keep the individual who filed the complaint regularly updated on the progress of your investigation. You should let them know what steps you have taken so far, what you're focusing on now, and when they can expect to hear from you next.
4. Record Everything
It's important to keep track of all of the details surrounding the data protection complaint. Keep records of when the complaint was made, when you responded to it, each step you take to resolve the complaint, and all communication between you and the individual who filed the complaint.
5. Respond to the Complaint
Once you have thoroughly researched the complaint, you should reach out to the individual who filed the complaint and let them know what you have found. If you have discovered any issues with your data protection practices, you should let them know what steps you have taken to resolve those issues.
Your response needs to clearly address their complaint, and you should include supporting evidence of any actions you have taken to resolve it.
You will also need to let the individual know that they have the right to file a complaint with the ICO. Make sure to include your contact information so that they can get a hold of you with any further questions or concerns.
6. Review What Happened
Receiving a data protection complaint can show you where you need to make changes to your policies and procedures in order to prioritize the protection of users' personal data and build a brand that is valued for how you treat your users' privacy concerns.
Best Practices for Avoiding Data Protection Complaints
The best way to keep from having to deal with data protection complaints is to have good systems in place for protecting consumers' personal information. The following data protection best practices can help you to avoid data protection complaints:
- Give individuals all of their information when they make a subject access request (SAR)
- Keep the personal data you collect secure
- Take appropriate steps to ensure that the personal data you collect is accurate
- Don't share the personal information you collect with third parties unless absolutely necessary
- Make sure the marketing strategies you use are UK GDPR-compliant
- Erase or anonymize personal data as soon as you're done using it
- Inform individuals exactly what you do with their personal data
When it comes to processing and collecting personal data, the UK GDPR requires relevant organizations to abide by these basic principles:
Lawfulness, Fairness, and Transparency
This principle requires that you only collect and process personal data that is essential to the functioning of your organization. It requires you to use the personal data you process in a fair way, and to be honest with consumers about your reasons for collecting and processing their data.
Purpose Limitation
This principle requires you to clearly state the reasons that you are collecting or processing personal data, and to get consent from the individuals the data belongs to if you wish to use it for a different purpose in the future.
It also requires you to keep a record of your purposes, and to make sure that those purposes are made available to consumers in your privacy information.
Data Minimization
The data minimization principle requires you to limit the personal data you process to only that which is necessary to fulfill your purposes.
Accuracy
This principle requires you to take steps to ensure the accuracy of the data you collect, and to correct or delete any inaccurate data as soon as you discover it or are requested to change it.
Storage Limitation
The storage limitation principle requires you to only retain data for as long as you need it to fulfill your purposes, and to erase or anonymize data once you are done using it.
Integrity and Confidentiality
This principle requires you to take appropriate measures to keep the personal data you collect and process secure.
Accountability
This principle requires you to take accountability for how you handle the personal data that you collect and process. The UK GDPR requires organizations under its jurisdiction to abide by the concept of "data protection by design and by default," which means that your organization is legally required to implement privacy protection measures in every aspect of its structure.
Check out our article on Privacy By Design for more information.
It's important to be aware of the guiding principles of the UK GDPR, as together they inform how you should handle data protection complaints.
Summary
A data protection complaint is a complaint that an individual makes about any issues with accessing their personal information from your organization, or about how your organization handles their or others' personal information.
The UK GDPR is the UK's primary data protection law. Data processors and controllers that are based in the UK or that provide goods or services to residents of the UK are required to comply with the UK GDPR.
You should use your Privacy Policy to inform consumers of their privacy and data protection rights, and to let them know how to file a data protection complaint.
The person responsible for dealing with data protection complaints needs to thoroughly understand the UK GDPR and be able to communicate with the IPO. Many organizations use a DPO to handle their data protection complaints.
The IPO created a guide that shows organizations the appropriate way to respond to a data protection complaint.
Organizations that receive a data protection complaint should take the following steps:
- Acknowledge the complaint
- Investigate the complaint
- Keep the individual who filed the complaint regularly updated on the progress of the investigation
- Keep a record of the data protection complaint procedure
- Respond to the complaint
- Review what happened and make any necessary internal changes to help prevent complaints from happening in the future
To avoid receiving data protection complaints, you should follow data protection best practices. These practices include keeping the information you collect safe and erasing or anonymizing it once it has fulfilled its purpose, letting people know what you do with the information you collect, and using legal marketing techniques.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.
