Data Protection Ombudsman Could Relieve Pressure on the ICO, Paper Argues
The U.K. ICO, which is swamped with privacy complaints and is consulting on a way to change its approach to handling them, could benefit from a data protection ombudsman, Birdie Data Protection Officer Henry Davies wrote in an article posted Monday on LinkedIn.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Last year, more than 42,000 complaints were filed with the ICO, a number expected to rise to 55,000 in 2026, Davies said. The ICO has long admitted that it's struggling to respond "and often provides only a cursory review and a generic outcome letter for many complaints," Davies wrote.
That light-touch approach may help the DPA get through the massive number of complaints, but it often leaves complainants dissatisfied and undermines confidence in the system, he wrote. It's also frustrating for data controllers, who often get standard letters from the DPA without the office having even spoken to them, he added.
The government "could throw more money at the problem," but the ICO is already one of the best-funded DPAs in Europe, and additional funds won't solve the problem in the long run, Davies said. Nor will revamping the framework for handling complaints, which Davies compared to "repainting a crumbling facade."
He proposed creating a data protection ombudsman service (DPOS) that's independent of the ICO and could investigate and adjudicate thoroughly, free from changes in regulatory and government priorities. It would resolve only those disputes between data subjects and controllers and would have the power to order corrective actions, such as compelling a controller to delete records or pay compensation.
The DPOS could be structured like existing ombudsmen, such as the Financial Ombudsman Service (FOS), with free access for complainants and mandatory participation by data controllers, Davies said.
A DPOS may not be the answer, and in the U.K.'s regulatory landscape, it's "a remote prospect," Davies wrote. But even if the proposal is unlikely, it's still worth putting on the table, he added.
Davies hasn't found an equivalent data protection ombudsman service elsewhere, but that doesn't mean there aren't any, he told us in an email. "The Finnish regulator calls itself an 'ombudsman', but it functions as any other supervisory authority -- and it, like the ICO, lacks that crucial power ... to issue a binding order on a controller to compensate a data subject."