How to ensure compliancy with the new data protection complaints requirement
New legal requirements for how organisations – including charities – handle data protection complaints came into force on 19 June, under the Data (Use & Access) Bill.
While many charities were likely already doing the following as a matter of best practice, if you work with or hold public data, it’s now a legal obligation to provide clear ways for people to make a complaint if they’re unhappy with how their personal information is handled.
There’s also greater onus on timeliness, requiring complaints to be acknowledged and followed up on without undue delay.
In addition, it’s important to note that complaints must now be made to the organisation first, rather than to the ICO. The ICO will no longer accept a complaint unless the relevant organisation has already been contacted about it, and it will then require evidence of the process and conversation you’ve had with a complainant before it will get involved.
If you’re wondering where to start to ensure compliancy, here are 5 key steps:
· Train your team – Make sure staff understand the new complaints process, can recognise complaints, and know how to respond. This should all be included in your internal data protection training.
· Review your process – Check people can easily submit complaints through clear, accessible channels. Be aware though that complaints may come in by other means, such as social media.
· Respond promptly – Acknowledge complaints within the legal requirement of 30 days and investigate without delay. Ensure too that you keep records, update complainants, explain outcomes, and signpost the ICO if needed.
· Work with partners – Make sure any joint controllers and processors understand their responsibilities for handling and escalating complaints. Joint controllers need to have a process in place while processors (where relevant) must send to you any complaints received and help with the complaints process.
· Be transparent – Tell people how to complain when collecting their personal data, explain the process in your privacy notice and on your website, and provide clear expectations about what happens next.
And of course, read up on the new legal requirements. This blog is a summary of a more in-depth article on this topic written by our founder and MD Suzanne Lewis for the Chartered Institute of Fundraising. If you’re a member, you can read it here. Another must-read is the ICO’s guidance on ensuring compliance, which is available here.