19 November 2024

Soft Skills as a Resolution to Data Protection Complaints

By Sofia Carroll, Information Governance Manager

Data Protection Officers (DPOs) have no easy task of being proficient in data protection laws and managing a busy workload, while also advising stakeholders and helping people with their information rights. In dealing with these individual enquiries, DPOs find frustrated people who want to complain about the controller. It often falls on the DPO to be a customer-service representative and resolve disappointment which may have nothing to do with the UK GDPR.

Relevant knowledge and experience are key to improving compliance, but how that is achieved goes beyond qualifications. DPOs often need to employ a human approach and display soft skills like effective communication and relationship management to de-escalate issues and influence people with different opinions.

At Privacy Space, a community where industry professionals get together to share ideas and learn, Sofia Carroll shared best practice for dealing with data protection complaints without appearing insensitive to the often-emotional situations complainants find themselves in.

The talk was focused on complaints followed by a subject access request (SAR) response that a person receives but is unhappy with the findings.

Understand the complaint and its context

Open communication is key to understanding more about the person’s frustrations and the organisation’s concerns.

Complaints come from various places:

  • Human errors
  • Knowledge gaps
  • Unmet training needs
  • Disagreements about data ownership

Experience shows that people often complain about controllers using their personal data which they “own” in a manner they don’t agree with. This is a common problem seen in practice which isn’t a data protection but an intellectual property issue.

Book one of our copyright courses to learn about owning information through copyright:

  • Copyright Basics
  • Copyright Essentials
  • Exceptions to Copyright

The DPO should be flexible in dealing with the issues people bring. This means accepting that sometimes the wrong form will have been filled out or excessive information would have been shared (and fixing it later). The DPO should cooperate with colleagues to establish the facts and work with the complainant to understand their problem.

As a first step, accepting that something has gone wrong in the relationship between the individual and the controller and acknowledging it to the complainant can help making them feel heard and connect better. The DPO has an angry individual at their hands and must be ready to endure most of the disappointment that isn’t necessarily the DPO’s fault.

Balancing compliance with empathy

The DPO wears different hats as an advisor to both the controller and the data subject, but they aren’t on either side and apply the law to the facts to the case.[1] The DPO has to be both understanding of human issues in an emotionally charged situation while also maintaining the highest level of compliance, for the benefit of the data subject and to ensure the controller fulfils their UK GDPR duties.   

Some practical tips to maintain compliance without losing your human touch include:

  • Reassure the person of your independence as required by law.
  • Open a dialogue with all stakeholders: internal (your teams) and external (complainant, ICO) so you can promote transparency and get relevant information.
  • Update the data subject about what you have done as much as possible.
  • Record your decision-making for your own audit trail and if the complaint escalates to the ICO.

Cooperation with the data subject will become a legal requirement if the new UK Data (Use and Access) Bill passes, therefore extra steps you can consider now are:

  • Trialling a data protection complaint form or a dedicated UK GDPR complaints email to collate complaints.
  • Creating complaints reporting tools and KPIs for your organisation and the ICO.
  • Ensuring your processes and resources allow for acknowledging a complaint within 30 days and giving an outcome as soon as possible.

Soft skills also matter for DPOs and their team

It’s important to remember we are people and emotions can get the better of us in a complaint scenario. If you are DPO and have line reports dealing with complaints, keep an eye on them, too.

  • Understand at what point the complaints process has been exhausted and there is nothing more from a UK GDPR perspective you can do for the complainant.
  • If you can see the complainant is struggling, explore what other support they might benefit from having.
  • If you can see your team member is struggling with the nature of the complaint, consider what emotional support they might need.

Complaints sometimes cannot be resolved to everyone’s satisfaction. However, reasonable outcomes where issues are investigated, addressed, and people are treated with respect, is a solution all DPOs can strive for with a common-sense approach.

If you are ready to deepen your expertise in data protection, find out more about our Intermediate and Advanced Certificates in Data Protection, or contact our Training Manager at info@naomikorn.com.

[1] Articles 38 and 39 of the UK GDPR, the DPO is independent in performing their tasks

Recent News

A steam train travelling on a track situated along the sidewalk above the level of the shops in New York; carriages and horse-drawn trolley buses are in the street. Wood engraving by J.R. Brown. Wellcome Collection.
13 May 2026

Commercial licensing: Choosing the right partners

read story
29 April 2026

New Course Announcement: AI, Copyright and Cultural Heritage

read story
Mediamodifier via Unsplash
22 April 2026

Small Fine, Big Message: Is the ICO fining the public sector again?

read story
The Music Room, Gustav Pope, York Castle Museum, via ArtUK
15 April 2026

Understanding copyright in audio visual works

read story

Back to News

Discover more from Naomi Korn Associates

Subscribe now to keep reading and get access to the full archive.

Continue reading