Step 13: Have a Complaints Process
Contents
- Introduction
- Step 1: What do I need to know about data protection?
- Step 2: Who is responsible for what?
- Step 3: Appointing a Data Lead
- Step 4: Understanding data subjects' rights
- Step 5: Gathering data
- Step 6: Data discovery
- Step 7: Keep a record
- Step 8: Check your security
- Step 9: Third parties
- Step 10: Publish your privacy stance
- Step 11: Delete and destroy
- Step 12: Responding to a breach
- Step 13: Have a Complaints Process
Step 13: Have a Complaints Process
Following the implementation of the Data (Use and Access) Act this toolkit is under review and will be updated over the coming months. For more information about the Data (Use and Access) Act please see the ICO guidance.
From 19 June 2026 all organisations are required to have a process in place for handling data protection complaints.
Data protection complaints can happen when someone is unhappy with how their data has been used, how long it has been kept, its accuracy, how securely it has been stored, or how their rights requests (such as subject access requests) have been handled. They may also complain if they have been affected by a data breach.
Complaints could come from parents, young people, adult members and anyone else whose data has been processed by your Scout Unit.
Below we run through how to manage data protection complaints.
Provide a clear way for people to complain
You must give individuals a straightforward way to raise data protection concerns directly with your Scout Unit. You should also tell people they can raise a complaint, and a good way to do this is to include it in your Data Protection Policy and your website.
You should provide a dedicated email address or contact point alongside a simple explanation of what information they should provide. This should be easily accessible so people know how they can raise a data protection complaint. Data protection complaints can be from adults or from young people, and so any mechanisms you have should be suitable for all.
What to do if you receive a data protection complaint
1 Acknowledge the complaint
When a complaint is received you should acknowledge it promptly. The law says it should be acknowledged within 30 days but you should plan to acknowledge it much sooner than that. You will need to confirm the complainant’s identity. If you have any doubts, you should ask them for proof of ID. If someone is making a complaint on behalf of someone else you should check that they have the authority to do so.
2 Investigate
You need to ensure the correct people are aware of the complaint, and are allocated to investigate. In most cases this will be Lead Volunteer or Data Lead. You should also ensure the Trustee Board are made aware. You should be sensitive to who the complaint is about, and who is involved or connected to those involved.
Where a data protection complaint also includes other matters of complaint, consideration should be given as to whether to investigate them together or to separate them.
Your investigation should be proportionate and timely. This should include a review of the data processing involved, and whether it was done in line with your policies and data protection law. If you determine that there has been a problem, then you should consider the volume and type of data involved, and the level of risk associated with it. If you believe that there has been a data breach you should follow Step 12: Responding to a breach.
3. Keep the complainant updated
The complainant should be kept informed of the progress of the investigation. They should be given a timescale in which you will respond. We recommend responding to complaints within one calendar month, or if it is complex you can extend by a further two months. Where there are delays you should ensure you keep the complainant informed.
4. Keep a record
You should keep a record of all data protection complaints. This should include the date it was received, when you acknowledged it and responded to it. You should also retain records of communication and any actions taken. It is possible that the Information Commissioner could request to see your complaint log. Something like an excel spreadsheet is an ideal tool for a complaint log. The log must be stored securely and access only given to those who need it.
5. Respond to the Complaint
The most common route for responding to a complaint is via email, though they can also be responded to via a letter or a conversation. The response should include:
- An explanation of your findings
- Any actions you have taken or will take
- Details of how you have complied with data protection law
- Details of how to complain to the Information Commissioners Office
If a complaint is from a young person you should respond in plain, clear language they can understand.
5. Learn from complaints
Complaints are an opportunity to improve. After closing a complaint, you should look to see if there is any learning to be had from it. This might include updating processes or policies, providing further training or reminding volunteers about best practice. Learning should be recorded in your complaint log.
Further guidance on managing data protection complaints can be found on the ICO website.