SponsoredBuild your website with Vincony

Disclaimer: This is not legal advice. Legislation and case law change. Always consult a qualified solicitor for your specific situation.

UK Law Reference
Courts & Tribunals Directory
regulator
Data protection regulator
UK-wide

Information Commissioner's Office (ICO)

UK regulator for data protection and freedom of information โ€” handles complaints, takes enforcement action, and issues fines for breaches.

Overview

The Information Commissioner's Office is the UK's independent regulator for data protection (UK GDPR and Data Protection Act 2018), freedom of information (FOIA 2000), and the Privacy and Electronic Communications Regulations 2003. It receives data subject complaints, investigates breaches, issues monetary penalties (up to ยฃ17.5 million or 4% of global turnover under UK GDPR), and provides guidance to organisations.

What it handles

  • Complaints about how organisations handle personal data
  • Subject access request (DSAR) non-compliance complaints
  • Right to erasure / rectification / objection refusals
  • Data breach notifications from organisations and individuals
  • Direct marketing complaints (PECR)
  • Freedom of Information Act complaints against public bodies
  • Environmental Information Regulations complaints

What it does not handle

  • Compensation claims for distress (claim in the County Court or High Court under s.168 DPA 2018)
  • Commercial disputes about data (Information Tribunal or civil courts)

Deadlines

  • Organisation's final response โ†’ 3 months to complain to the ICO
  • ICO 'no further action' decision โ†’ 28 days to appeal to First-tier Tribunal (Information Rights)

Process

  1. Step 1: Complain to the organisation first

    The ICO normally expects you to give the controller a chance to respond before escalating.

  2. Step 2: Submit complaint to ICO

    Use the online form with copies of correspondence and the alleged breach.

  3. Step 3: Investigation

    ICO assesses, may ask both parties for information, and decides whether the controller's actions were compliant.

  4. Step 4: Outcome

    Closure letter, formal warning, reprimand, enforcement notice, or penalty notice depending on severity.

Appeals

First-tier Tribunal (General Regulatory Chamber, Information Rights).

Official sources

https://ico.org.uk

Related guides

Last reviewed: 2026-05-21. This is legal information, not legal advice.