Data Protection Complaints Handling Process
1. Purpose
To ensure all data protection complaints are handled promptly, consistently, and in compliance with UK data protection law, including:
1.1 UK GDPR principles (lawfulness, fairness, transparency, accountability)
1.2 Data Protection Act 2018
1.3 Emerging obligations under the Data (Use and Access) Act (enhanced governance, access rights, and oversight)
2. Scope
This process applies to:
2.1 All complaints from data subjects relating to personal data processing
2.2 Concerns raised by clients, employees, counterparties, or third parties
2.3 Complaints relating to:
2.3.1 Access rights (DSARs)
2.3.2 Accuracy or rectification
2.3.3 Erasure requests
2.3.4 Lawful basis concerns
2.3.5 Data sharing or misuse
2.3.6 Security incidents or confidentiality breaches
3. Definitions
Complaint: Any expression of dissatisfaction regarding how personal data has been handled, as defined in the Data (Use and Access) Act 2025.
Data Subject: Identified or identifiable individual whose personal data is processed.
4. Roles and Responsibilities

5. Process Steps
5.1 Receipt of Complaint
5.1.1 Complaints may be received via:
(a) Email, letter, phone, social media or in person
5.1.2 Any staff member receiving a complaint must:
(a) Escalate to Compliance within 1 working day
5.2 Acknowledgment
We will send an acknowledgment within 30 days.
5.3 Initial Assessment
Determine:
5.3.1 Whether the issue is:
(a) A data protection complaint
(b) A request under data subject rights (e.g. DSAR)
(c) A potential personal data breach
5.3.2 Whether urgent interim action is required
5.3.3 Whether legal privilege or exemptions apply
5.4 Investigation
When conducting the investigation, we will:
5.4.1 Gather relevant evidence:
(a) Systems, files, emails
(b) Data processing records (ROPA)
(c) Staff accounts
5.4.2 Engage relevant teams where needed
5.4.3 Assess:
(a) Lawful basis
(b) Compliance with data protection principles
(c) Adequacy of safeguards
5.4.4 Maintain a clear audit trail
5.5 Risk & Impact Assessment
Consider:
5.5.1 Harm or distress to the individual
5.5.2 Sensitivity of data (e.g. special category data)
5.5.3 Systemic issues or control failures
5.5.4 Regulatory exposure
5.6 Response Preparation
We will endeavour to provide responses that:
5.6.1 Are clear, concise, and transparent
5.6.2 Address each issue raised
5.6.3 Include:
(a) Findings of the investigation
(b) Whether the complaint is upheld / partially upheld / not upheld
(c) Remedial actions taken (if any)
5.7 Outcome and Remediation
Where a complaint is upheld, we will:
5.7.1 Take corrective action, such as:
(a) Rectification or erasure
(b) Restriction of processing
(c) Process improvement measures
(d) Staff training
5.7.2 Consider whether it constitutes a reportable breach
5.8 Response Timeframe
Where possible, we aim to investigate and provide an outcome within 30 days, but in any event without unjustifiable or excessive delay.
5.9 ICO Engagement
We will:
5.9.1 Inform the complainant of their right to complain to the ICO
5.9.2 Cooperate fully with ICO investigations if escalated
5.10 Closure and Record Keeping
We will:
5.10.1 Keep records of:
(a) Final outcome
(b) Actions taken
(c) Lessons learned
5.10.2 Retain records in compliance with our records retention policy
6. Monitoring and Reporting
We will:
6.1 Maintain a central register of data protection complaints
6.2 Conduct periodic reviews to identify:
(a) Trends or recurring issues
(b) Training needs
(c) Systemic risks
6.3 Report to senior management periodically
7. Integration with Data Governance
We will ensure alignment with:
7.1 DSAR handling procedures
7.2 Breach notification procedures
7.3 Record of Processing Activities (ROPA)
7.4 Risk and compliance reporting