ICO admits it's too slow dealing with complaints – so it's eying up automation to cut staff workloads
Rising workloads and a shortage of staff means it's missing its targets - and things may get worse before they get better


The UK's data protection authority has apologized for being slow to respond to data protection complaints, saying it's been overwhelmed by increased workloads.
In the last quarter of 2024, the Information Commissioner’s Office (ICO) responded to just 12% of complaints within 90 days, figures show, well down on its 80% target.
The figure was 65% at the beginning of last year, and has been dropping steadily since the fourth quarter of 2023, when it was 88%.
"Anyone who has felt the need to make a complaint to us deserves a timely response. Our current response times are not where we want them to be, and we know how frustrating this is for people who are asking for our help," said a spokesperson.
"We want to thank people for their patience while we address this issue. Our frontline staff continue to work hard to respond to all complaints and we are confident that our approach will bring about the necessary improvements. Please be assured that we continue to triage cases and prioritize those that urgently need attention."
A key factor in sluggish response rates were rising workloads, according to the ICO. The data protection watchdog said it received more than 10,000 complaints in the final quarter of 2024 - 746 more than in the same period a year earlier.
To deal with the backlog, it's recruiting another 19 staff. The watchdog also revealed it’s testing automated tools aimed at simplifying or speeding up various administrative tasks, allowing case officers to spend more time on the complaint itself.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
However, it warned, things are likely to get worse before they get better.
ICO woes reflected across Europe
Data protection authorities across Europe are facing a similar rise in workloads as the number of complaints skyrockets. Research from the EU Agency for Fundamental Rights last summer concluded they've been facing an ever-mounting workload since the introduction of the GDPR, with limited staff and inadequate funding. Much of this workload comes from minor complaints.
Dr Ilia Kolochenko, CEO at ImmuniWeb and a fellow at the British Computer Society (BCS), said these issues highlight the fact that some operational aspects of the legislation “were not properly designed”.
“National DPAs are frequently understaffed and underfunded, but flooded with the ballooning number of complaints," Kolochenko commented.
This, he added, means the authorities are forced to prioritize major cases and that taking minor cases to court is often just a waste of money. This then results in organizations adopting lax approaches to compliance.
"In order to ensure a consistent, invariable and equitable investigation and remediation of data protection violations, both EU states and the UK should consider allocating additional funds to their national DPAs to be commensurable with the volume and complexity of incoming complaints," he said.
"Otherwise, toothless enforcement regimes merely invite more violations of data protection law."
MORE FROM ITPRO
- NHS supplier hit with £3m fine for security failings that led to attack
- Information Commissioner John Edwards calls on firms to beef up support for data breach victims
- ICO threatens enforcement action against websites with 'harmful' cookie banners
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
Security experts issue warning over the rise of 'gray bot' AI web scrapers
News While not malicious, the bots can overwhelm web applications in a way similar to bad actors
By Jane McCallion Published
-
Does speech recognition have a future in business tech?
Once a simple tool for dictation, speech recognition is being revolutionized by AI to improve customer experiences and drive inclusivity in the workforce
By Jonathan Weinberg Published
-
“Limited resources” scupper ICO probe into EasyJet breach
News The decision to drop the probe has been described as “deeply concerning” by security practitioners
By Ross Kelly Published
-
Surge in workplace monitoring prompts new ICO guidelines on employee privacy
News Detailed guidance on how to implement workplace monitoring could prevent data protection blunders
By Ross Kelly Published
-
TikTok could be hit with £27m fine for failing to protect children's privacy
News Social media firm issued with a notice from the ICO for potential violations of UK data protection laws
By Bobby Hellard Published
-
What is AdTech and why is it at the heart of a regulation storm?
In-depth The UK data regulator has come under heavy fire for consistently delaying much-needed action, privacy groups say
By Carly Page Published
-
ICO crackdown on AI recruitment part of three-year vision to save businesses £100 million
News ICO25 outlines a fresh approach that involves releasing learning materials, advice, and a new ICO-moderated discussion forum for businesses
By Connor Jones Published
-
Clearview AI fined £7.5m over improper use of UK data
News Australian facial recognition firm collected 20 billion images from the internet without consent in order to build its database
By Bobby Hellard Published
-
UK data watchdog cut IT spending by £1.2 million during pandemic
News The ICO’s IT budget has been slashed by around 23% since 2019
By Sabina Weston Published
-
Data for 120 army recruits found on the dark web
News The website, run jointly with Capita, has been offline since mid-March as MoD assesses the scope of the breach
By Bobby Hellard Published