Organisations have a duty to protect your personal data. And failing to meet these responsibilities can be damaging and costly.
Cyber attacks targeting intellectual property and knowledge assets are estimated to cost the UK up to £8.5 billion a year in business losses.
So, it’s critical that organisations comply with regulatory requirements and put the necessary measures in place to reduce the risk of unauthorised access to personal information.
But which industries are most likely to receive data privacy complaints? And how can you strengthen your data privacy efforts to avoid costly fines and disruption?
What is a Data Privacy Complaint?
A data privacy complaint is raised with the Information Commissioner’s Office (ICO) by someone who believes their personal information has been mishandled or leaked by an organisation.
This might be due to non-compliance with data protection laws or even as a result of a cyber security breach.
A Growing Trend
Bridewell analysed the latest ICO data available on the number of complaints registered by members of the public against organisations – revealing which industries are most likely to be accused of failing their data protection responsibilities.
The research analyses complaints made between October 2023 and September 2024 and between October 2024 and September 2025.
UK Industries with the Highest Number of Data Privacy Complaints
The finance, insurance and credit sector received the highest number of complaints in both years.
The industry recorded 4,630 complaints between October 2024 and September 2025 – a 5% increase on the 4,422 complaints made to the ICO between October 2023 and September 2024.
This worrying number of complaints highlights the continued pressure on organisations that process large volumes of sensitive financial data.
The health sector ranked second for complaint volumes, with cases increasing to 4,082 year-on-year (from 3,903). This trend reflects the complex data protection challenges faced by healthcare providers and related organisations managing highly sensitive personal information.

‘Sectors with the highest number of complaints’
A Rising Problem for Retail
Despite the finance sector receiving the highest total number of complaints, the retail and manufacturing sectors saw the sharpest year-on-year increase.
Complaints against retail and manufacturing organisations rose 12% – from 2,421 between October 2023 and September 2024 to 2,714 between October 2024 and September 2025.
It’s unsurprising that the retail industry is a key target for cyber attacks, with the vast amount of customer data held and the growing risk surface across different shopping and payment software and apps.
And as customers become more aware of the risks and rights over their personal data, we’re likely to see this trend continue.
Earlier this year, the ICO successfully upheld a £500,000 fine against DSG Retail Limited for failing to protect over 14 million people’s data in a cyber attack. As these stories continue to hit the headlines, more consumers are empowered to take action when their personal information is compromised.
Increasing Risk, Decreasing Action?
While they can result in damaging fines for some businesses, not every data privacy complaint leads to a penalty. And in some cases, no further action is taken at all.
Despite a rise in total year-on-year complaints, our analysis identified a 22% drop in cases resulting in informal action responses. There was also a 14% increase in investigations concluding with ‘No Further Action’.

‘Sectors with the biggest and smallest increase in complaints with 'No Further Action' taken between 2024 – 2025’
What Does ‘No Further Action’ Mean?
If the ICO believes no data protection laws have been broken, they might decide to take ‘no further action’ on a complaint. This means they won’t take formal regulatory action against the accused organisation, like issuing enforcement measures or penalty fines.
This might also be the case where the complaint falls outside of the ICO’s remit, or for other reasons, such as if the person making the complaint hasn’t raised it with the organisation first.
Utilities Complaints Show Futilities?
The utilities sector saw the largest year-on-year increase (52%) in the number of complaints with no further action taken – despite total complaints against this sector falling.
With millions of UK customers – and growing awareness around personal data rights, including the introduction of the Data (Use and Access) Act 2025 – consumers will continue to feel more confident calling out the mishandling of their information.
But that doesn’t mean they’ll all be successful. It’s likely that many of these cases represent low-severity issues like billing errors or incorrect records rather than breaches of data protection law.
The religious (36%) and land or property services (24%) sectors also saw significant increases in the number of complaints received.
Filing Successful Complaints
The increase in ‘no further action’ responses suggests that regulators are prioritising cases that demonstrate clear risk, harm or repeated non-compliance.
In situations where no further action is taken, it’s often claimed that insufficient information was provided. This highlights the importance of assessing the level of harm and maintaining thorough documentation of any harm experienced as a result of the organisation’s handling of personal information.
The ICO also offers advice for those who aren’t happy with the response they receive to their complaints.
Our Expert Says…
“Rising complaint volumes in sectors like financial services and healthcare show that public expectations around data protection continue to grow. Organisations can’t treat privacy as a compliance box-ticking exercise; it must be central to business operations.”
How to Strengthen Your Data Protection Efforts
Data privacy complaints can prove costly for businesses, in both the fines associated with non-compliance and the potential disruption to daily operations.
The ICO has the authority to impose a maximum penalty of £17.5 million or 4% of the organisation’s total annual worldwide turnover in the preceding financial year, whichever is higher.
So, compliance isn’t just a legal requirement. It’s a financial and reputational must-have.
Below are just some of the fundamental considerations for businesses looking to boost their data protection efforts:
- Employee education: Keeping employees aware of the latest scams and how to spot them can prevent successful social engineering attacks. This might include running formal social engineering testing.
- Don’t neglect updates: Rolling out updates to all software and systems as soon as they’re available can prevent breaches from known vulnerabilities.
- Keep compliant: Ensuring compliance with data protection regulations (like GDPR) and standards (such as ISO 27701 and ISO 27018) gives your organisation the strongest foundation to prevent successful breaches and potential penalties.
- Partner with a cyber security expert: Outsourcing your data privacy efforts to third-party consultants gives you peace of mind over the skills, knowledge and execution underlying every action you take.
Methodology
For this study, each complaint case dataset from the Information Commissioner's Office was scraped, focusing on the number of complaints per type of sector and per the recorded action taken in response to the complaints. To conduct a fair year-on-year comparison, data from October 2023 to September 2024 was compared to October 2024 to September 2025. The data was accessed in February 2026.