10 December 2025

What the ICO actually does when a small business gets a data complaint

Most small organisations dread ICO involvement. The reality is usually less dramatic than feared, but only if you have the basics right.

Catenary Ltd

The Information Commissioner's Office has a reputation that inspires a particular kind of dread in small business owners. Mention a data complaint and people immediately picture six-figure fines and front-page headlines. The reality, for the vast majority of small organisations, is considerably less dramatic.

Understanding what the ICO actually does and what it doesn't do is genuinely useful. It helps you to respond proportionately when something goes wrong, and it helps you to focus your compliance efforts on what actually matters.

How complaints reach the ICO

The ICO receives complaints in two main ways. The first is directly from individuals who feel their data rights have been violated: someone who made a subject access request that wasn't fulfilled, for example, or someone who asked to be removed from a mailing list and wasn't.

The second path is through mandatory breach reports. If you experience a personal data breach that's likely to result in a risk to individuals' rights and freedoms, you're legally required to report it to the ICO within 72 hours of becoming aware of it.

In both cases, the ICO's first step is to assess whether it's worth investigating further.

What the ICO does with most complaints

Here is something that surprises many people: the ICO resolves the majority of complaints without any formal enforcement action.

When someone complains to the ICO about a small organisation, the typical process is:

  1. The ICO contacts the organisation to explain the complaint and ask for their response
  2. The organisation explains what happened and what they've done about it
  3. The ICO decides whether the response is adequate

If you've handled the situation reasonably, there is no reason to be worried. If you acknowledged the complaint, explained what went wrong and have taken steps to fix it, the ICO will usually close the case at that point. They're not primarily a punitive body; they're trying to improve data protection practices across the economy.

The headline fines you read about (the British Airways £20 million fine or the Marriott £18.4 million fine for instance) involve large organisations with large-scale, systematic failures. The ICO's enforcement priorities reflect that.

When the ICO does get serious

That said, certain things do attract more serious attention:

Ignoring a subject access request. You have one month to respond. If someone complains to the ICO that you've ignored their SAR, and you then also ignore the ICO's enquiry, you're creating a much worse situation than the original complaint.

Mandatory breach reports you didn't make. If it becomes apparent that you had a notifiable breach and didn't report it, that's treated more seriously than the breach itself in many cases.

Repeat issues. A single complaint about a data handling mistake is treated very differently from a pattern of similar complaints.

Deliberate violations. Using data in ways that are clearly contrary to what people were told when it was collected, or buying marketing lists and treating them as opted-in, are the kinds of things that result in substantial fines.

What you should do if you receive a complaint

First, don't panic. Read the complaint carefully and understand what's actually being alleged.

If someone complains to you directly (before going to the ICO), take it seriously. Acknowledge it promptly, investigate, and respond within the statutory timeframe. If you've made a mistake, say so clearly and explain what you're doing to prevent it happening again. Most people making complaints want to feel heard and want confidence that their data is being handled properly. A genuine, human response often resolves things without escalation.

If the ICO contacts you directly, respond honestly and promptly. The ICO's enquiry letter will explain what they're looking into and what they want from you. Answer the questions. Don't be defensive or evasive. It makes things worse.

If you've had a breach that might be notifiable, err on the side of reporting. An unnecessary report does you no harm. A missed mandatory report that comes to light later is significantly more damaging.

The most useful thing you can do right now

The organisations that handle ICO complaints most smoothly are the ones that can show they were taking data protection seriously before anything went wrong. That means:

None of this is bureaucratic box-ticking. It's evidence that your organisation treats data protection as a genuine responsibility rather than an inconvenience. That evidence is exactly what the ICO looks at when deciding how to respond to a complaint about you.

If you're not sure whether your current practices would stand up to that scrutiny, a data protection audit is a good place to start. We do straightforward, practical audits for small organisations. Let us know - we're happy to help!