Dealing with Data Protection Complaints as a Small Business

The ICO has published a guide for businesses on dealing with data protection complaints.


At times, simply having data protection policies in place is not enough. Handling the data of customers, employees, and contractors is a sensitive process and must be treated as such. There are times when businesses may experience data breaches or may receive data protection complaints or queries from customers. The way these situations are handled can make a major difference not just in compliance with data protection law, but also in customer relations. The ICO recently released guidelines and best practices for small businesses in handling customer complaints regarding data protection.


It is important to make initial contact with the customer to gather more details. 


Acknowledging the customer’s complaint is the first step toward rectifying and solving the issue. You also need to check whether the complaint comes from the appropriate person. If a complaint is being made by a third party, it is important to confirm that the complainant is authorized to receive information on how that person’s data is handled. Thereafter, the business moves to the step of rectifying what went wrong. Speaking to the complainant is crucial, as it will aid in obtaining as much pertinent information as possible. As a small business owner, you are responsible for gathering as much information as possible to resolve the issue. If a customer informs you that they will be making a complaint with the ICO, there is no need to contact the ICO as they will be in contact with you if they need any additional information.


Businesses can build trust by giving regular updates to customers.


Some investigations take time. However, it would be an excellent start to update the customer on the issue as much as possible. Inform the customer that you are working on the issue, and of the steps that you are taking in that regard. Inform them that the business will be in touch with a solution as soon as possible. Keeping your customers informed will help you build trust – that’s the best way to maintain a trustworthy and successful business. Furthermore, if the customer is kept well informed, they will know what to expect. It is important to never leave the customer in an unsure position – they deserve to know the next steps.


All actions should be recorded and the business should respond to the customer’s complaint offering a possible solution.


The ICO advises that a record of all action steps be kept. Keep a record of the date the complaint was received, and the date by which the customer needs to receive a response. Copies of all conversations need to be kept, as these may be cross-checked by higher authorities at some point. Explain to the customer the steps you have taken to resolve the issue. The customer must understand what led you to make a specific decision. The ICO advises businesses to make a bullet-point list of the complaints and respond to each point. It would help to also let the complainant know they have full freedom to reach out to the ICO and complain. Ensure that the language used is clear and concise, and that the message reaches them.


The ICO advises businesses to perform a review in order to implement necessary changes in their approach.


Once a reply has been sent to the complainant and the ticket has been closed, it is time to assess the situation and come up with different ways it could have been handled. Based on the circumstances of the complaint as well as the process of handling it, small businesses are advised to draw from the records kept and use them to improve and better handle future situations. If you have seen a lot of similar complaints, then you must change your approach.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.
