The key ICO complaints statistics in one place — how many data protection complaints the UK regulator receives, how long it takes to respond, what the outcomes are, which sectors attract the most complaints, and what the new statutory complaints duty that took effect in June 2026 means, with the data period stated next to every figure.
Anyone in the UK can complain to the Information Commissioner's Office (ICO) about how an organisation has handled their personal data — and the numbers behind those complaints are all public, but scattered between two official releases: the ICO Annual Report published each July and the ICO's quarterly data protection complaints datasets, published as raw CSV files. This page brings the headline figures from both together, alongside the new complaints rules introduced by the Data (Use and Access) Act 2025.
It is scoped to public complaints and how the ICO handles them. Complaints are a different series from the personal data breach reports organisations submit about themselves — tracked on our data breach statistics page — and from enforcement outcomes such as fines and reprimands, which our GDPR fines statistics page covers. Every figure below carries its data period, and every source is linked in full at the end.
Key facts and figures
- 42,315 data protection complaints were received by the ICO in 2024/25 — up 6.5% from 39,721 in 2023/24.
- 45,000–55,000 complaints a year is the ICO's own forecast if the current growth continues.
- 70% of complaints in 2024/25 were not assessed and responded to within the ICO's 90-day target — up from 15.2% a year earlier.
- 15,810 complaints were open at the end of 2024/25 — a 72% rise on the 9,168 open a year before.
- 8,646 complaint cases were completed by the ICO in Q3 2025/26 (October–December 2025).
- 43% of those completed cases cited the right of access — the single biggest complaint driver.
- 6,050 of the 8,646 cases completed in Q3 2025/26 — 70% — ended in no further action.
- 30 days is the new statutory deadline for organisations to acknowledge a data protection complaint, in force since 19 June 2026.
These are the latest figures available as of July 2026 — the main refreshes are the ICO's quarterly data protection complaints dataset and the ICO Annual Report published each July, with the 2025/26 edition of the Annual Report due around July 2026.
How many complaints does the ICO receive each year?
The ICO received 42,315 data protection complaints in 2024/25 — up 6.5% from 39,721 in 2023/24, according to the ICO Annual Report and Financial Statements 2024/25, published in July 2025. Against that intake, the regulator issued 36,196 complaint outcome decisions in 2024/25 (up from 35,332 the year before) — decisions are not keeping pace with demand, which is why the open caseload keeps growing.
The trend is firmly upward, and the ICO expects it to continue: in its August 2025 consultation on complaints handling, the regulator forecast that annual complaint volumes could reach 45,000–55,000 if the current trajectory holds.
| Measure | 2023/24 | 2024/25 | Change |
|---|---|---|---|
| Data protection complaints received | 39,721 | 42,315 | +6.5% |
| Complaint outcome decisions issued | 35,332 | 36,196 | +2.4% |
| Complaints not assessed and responded to within 90 days | 15.2% | 70% | +54.8 points |
| Open complaints at year end | 9,168 | 15,810 | +72% |
All four rows come from the ICO Annual Report 2024/25. One footnote on the headline number: the ICO's own August 2025 consultation paper cites 42,881 complaints for the same year — a slightly different internal count. The 42,315 figure from the audited Annual Report is the safer number to quote.
A quick note on what this series is not. Complaints from the public are separate from the self-reported personal data breach notifications organisations must file with the ICO — those volumes and sector breakdowns are tracked on our data breach statistics page. And a complaint is not an enforcement action: fines, reprimands and enforcement notices are counted on our GDPR fines statistics page.
How long does the ICO take to respond to a complaint?
In 2024/25, 70% of complaints were not assessed and responded to within the ICO's 90-day target — a dramatic collapse from a 15.2% miss rate in 2023/24, and set against the regulator's published pledge to answer 80% of complaints within 90 days (ICO Annual Report 2024/25).
The backlog tells the same story. Open complaint cases rose 72% in a single year, from 9,168 at the end of 2023/24 to 15,810 at the end of 2024/25 (ICO Annual Report 2024/25). With intake running roughly 6,000 cases a year ahead of decisions, the queue compounds.
The practical effect on complainants has been documented by the Inforrm blog: by October 2025, the ICO's own automated emails were telling new complainants that a case would take around 29 weeks — roughly 203 days — just to be assigned to a case officer, before any substantive assessment began.
This handling crisis is the direct backdrop to the ICO's August 2025 consultation on a new complaints framework, covered below — the regulator's stated aim is to focus its resource on the complaints that indicate the most serious harm.
What are the most common outcomes of an ICO complaint?
70% of the complaint cases the ICO completed in Q3 2025/26 — 6,050 of 8,646 — ended in "no further action"; the remaining 30% (2,596 cases) ended with "informal action taken", according to the ICO's quarterly data protection complaints dataset for October–December 2025.
Two things follow from that split. First, the most likely outcome of complaining to the ICO is a decision that no further action is needed — typically because the organisation has already put things right, because no infringement is found, or because the matter does not warrant regulatory intervention. Second, even where the ICO does act on a complaint, the action is overwhelmingly informal: advice and recommendations to the organisation rather than formal enforcement. Complaint casework that escalates into fines, reprimands or enforcement notices is a separate, much smaller track — our GDPR fines statistics page counts those outcomes.
Completed-case volume gives a sense of current throughput: the ICO completed 8,646 complaint cases in Q3 2025/26 (October–December 2025), down from 9,361 in Q2 (July–September 2025) — both figures computed from the ICO's raw quarterly CSVs, which list every completed case with its reason, sector and decision.
What do people complain to the ICO about?
The right of access is the single biggest driver of ICO complaints: 3,748 of the 8,646 cases completed in Q3 2025/26 — 43% — cited Article 15, the UK GDPR right to obtain a copy of your personal data, including the Article 15(3) copy provision (ICO quarterly complaints dataset, October–December 2025).
That single category outweighs every other complaint reason by a wide margin, and it reflects how often organisations mishandle subject access requests — late responses, incomplete disclosures or no response at all. The full picture on subject access volumes, deadlines and failure rates sits on our subject access request statistics page; for what the right actually entitles people to, see our guide to individual rights under GDPR.
Which sectors are most complained about?
Finance, insurance and credit topped the sector league with 1,155 completed complaint cases in Q3 2025/26, ahead of health (910), online technology and telecoms (889) and local government (814), per the ICO's quarterly complaints dataset for October–December 2025.
| Rank | Sector | Completed complaint cases (Q3 2025/26) | Share of all 8,646 cases |
|---|---|---|---|
| 1 | Finance, insurance & credit | 1,155 | 13% |
| 2 | Health | 910 | 11% |
| 3 | Online technology & telecoms | 889 | 10% |
| 4 | Local government | 814 | 9% |
Between them, these four sectors account for roughly 44% of all completed complaint cases in the quarter. The pattern makes intuitive sense: all four hold large volumes of sensitive personal data, handle high-stakes individual relationships — money, medical records, accounts, housing and benefits — and receive heavy flows of subject access requests, the complaint driver that dominates the reason table above.
What changed on 19 June 2026? The new complaints duty
From 19 June 2026, every UK controller must offer people a way to complain about how their personal data has been handled — including an electronic complaints form — and must acknowledge each complaint within 30 days, under section 164A of the Data Protection Act 2018, inserted by section 103 of the Data (Use and Access) Act 2025.
The DUAA received Royal Assent on 19 June 2025, and the complaints duty came into force exactly one year later. To help organisations prepare, the ICO published dedicated guidance — How to deal with data protection complaints — on 12 February 2026, and is updating it as the new regime beds in.
The policy intent is plain: with the regulator's own queue stretching to months, the new duty pushes first-line resolution back onto organisations, so that fewer disputes need to reach the ICO at all. For organisations, that means a visible complaints route, a working acknowledgement process, and front-line staff who can recognise a data protection complaint when it arrives — a training point as much as a process one.
How is the ICO planning to change complaint handling?
Between August and 31 October 2025, the ICO consulted on a new complaints-handling framework designed to manage demand it says could reach 45,000–55,000 complaints a year. Under the proposed framework, the ICO could decline to investigate individual complaints below set thresholds — the published examples include six complaints about the same organisation within two months, or a 50% month-on-month rise in complaints about an organisation (ICO consultation, August 2025).
The proposals drew immediate scrutiny. Analysis published on the Inforrm blog questioned whether threshold-based triage sits comfortably with complainants' statutory right to have their complaint dealt with, while coverage in the legal press framed the consultation as a direct response to the volumes and backlog set out above. The consultation closed on 31 October 2025 and the ICO's outcome is expected during 2026 — when it lands, it is likely to reshape both the complaint statistics on this page and what complainants can expect from the process.
Frequently asked questions
How many complaints does the ICO receive each year?
42,315 data protection complaints in 2024/25, up 6.5% from 39,721 in 2023/24, per the ICO Annual Report 2024/25. The ICO forecasts volumes of 45,000–55,000 a year if the current trend continues.
How long does the ICO take to respond to a data protection complaint?
The ICO's published target is to assess and respond to 80% of complaints within 90 days. In 2024/25 it missed that window on 70% of complaints, and by October 2025 its automated emails were quoting around 29 weeks (roughly 203 days) just for a complaint to be assigned to a case officer.
What are the most common outcomes when you complain to the ICO?
In Q3 2025/26, 70% of completed complaint cases ended in "no further action" and 30% in "informal action taken" — advice or recommendations to the organisation rather than formal enforcement. Fines and reprimands arising from complaints are rare, and are tracked separately on our GDPR fines statistics page.
Do you have to complain to the organisation before going to the ICO?
The ICO has long expected complainants to raise the issue with the organisation first and give it a chance to respond. Since 19 June 2026 that expectation has statutory backing: under section 164A of the Data Protection Act 2018, every controller must provide a complaints route — including an electronic form — and acknowledge complaints within 30 days.
What do people complain to the ICO about most?
The right of access. 43% of the complaint cases the ICO completed in Q3 2025/26 — 3,748 of 8,646 — cited Article 15. Our subject access request statistics page has the detailed breakdown.
Related guides
- Subject access request statistics UK: volumes, deadlines and complaints
- GDPR Fines UK: ICO Fine & Enforcement Statistics
- Data Breach Statistics UK: ICO Reports, Trends & Costs
- Individual rights under GDPR: a complete guide to data subject rights
- GDPR fines and penalties in the UK: how big, who pays, what counts
Sources & references
- Information Commissioner's Office — Annual Report and Financial Statements 2024/25 (July 2025)
- Information Commissioner's Office — Data protection complaints datasets (quarterly, latest Q3 2025/26)
- Information Commissioner's Office — Consultation on draft changes to how we handle data protection complaints (August 2025)
- Information Commissioner's Office — How to deal with data protection complaints (guidance, February 2026)
- Data (Use and Access) Act 2025, section 103 — legislation.gov.uk
- Inforrm / David Erdos — The UK Information Commissioner's Annual Report 2024–25 (July 2025)
- Inforrm / David Erdos — Cause for Complaint: assessing the ICO's proposed new approach to data protection complaints (October 2025)
- Lewis Silkin — Data, Decisions, and a New Direction: the ICO's 2024–25 Annual Report in Focus (August 2025)
- Local Government Lawyer — Rising demand sees ICO consult on changes to its handling of data protection complaints (September 2025)
Most ICO complaints start with an everyday handling failure — train your team to deal with personal data and data protection complaints properly under UK GDPR.
Explore the GDPR & Data Protection Course →