1) Purpose and Scope
1.1 This Data Breach Complaints Policy sets out how ROOTS LAW (the ‘Firm’) will respond to and manage complaints concerning alleged breaches of data protection law. The policy has been developed to reflect the requirements of the Data Use and Access Act 2025 (DUAA 2025), the UK General Data Protection Regulation (UK GDPR), and the Data Protection Act 2018. It is intended to ensure that individuals who believe their personal data has been mishandled by the Firm can raise their concerns directly with us, confident that their complaint will be taken seriously, investigated properly, and resolved in a timely and transparent manner.
1.2 The DUAA 2025 introduced a new statutory right for individuals to raise a complaint directly with an organisation, including employers, service providers, and professional firms, before approaching the Information Commissioner’s Office (ICO). The intention behind this legislative change is to encourage prompt and constructive resolution of issues, to reduce the burden on the regulator, and to ensure that organisations take ownership of their compliance obligations. For solicitors’ firms such as ours, this right is especially important given the sensitive nature of the personal data we routinely process, and the high professional standards required by the Solicitors Regulation Authority (SRA).
1.3 The purpose of this policy is to provide a structured framework for handling data protection complaints, whether raised by clients, prospective clients, third parties, or employees. It explains the steps that will be taken on receipt of a complaint, the standards of fairness and confidentiality that will be applied, and the remedies available to individuals where a breach has occurred. It also highlights the serious consequences for the Firm and its staff if complaints are not managed properly, including regulatory penalties, reputational damage, and potential disciplinary action.
1.4 This Data Breach Complaints Policy (DBCP) sets out the Firm’s expectations of all employees and workers, whether permanent, full time, part time or temporary (referred to collectively as “Staff”), when complaints are received concerning data breaches. All Staff are required to familiarise themselves with this policy to ensure that they are able to respond in a timely and suitable manner.
2) Commitment to Data Protection and Transparency
2.1 The Firm is committed to protecting the privacy and rights of all individuals whose personal data we process. We recognise that personal data is a valuable asset and that mishandling it can cause significant harm to individuals, ranging from financial loss and identity theft to emotional distress and reputational damage. As a law firm, we hold client information in trust and must maintain the highest levels of confidentiality.
2.2 The Firm is therefore committed to responding promptly to any data protection complaint, to carrying out a full and impartial investigation, and to providing a clear and reasoned outcome. Complaints will be used as an opportunity to learn and improve our practices. Where weaknesses in systems, training, or processes are identified, corrective measures will be taken without delay.
3) What Constitutes a Data Protection Complaint
3.1 A data protection complaint arises when an individual expresses dissatisfaction with the way the Firm has handled their personal data. This may include concerns that we have failed to comply with data protection legislation, such as processing data without a lawful basis, retaining data for longer than is necessary, failing to safeguard against unauthorised access, or disclosing data to inappropriate recipients. It may also include dissatisfaction with our handling of data subject rights requests, such as requests for access, rectification, erasure, or objection.
3.2 For Staff, a data protection complaint may relate to the use of personal information in the workplace, such as the handling of personnel records, monitoring of communications, or disclosure of medical or disciplinary information. For clients and third parties, it may concern the confidentiality of case files, the transmission of information to other parties, or compliance with regulatory reporting obligations.
4) Policy Principles
4.1 All complaints will be handled in a manner consistent with the principles of fairness, impartiality, and confidentiality. Individuals raising complaints will not be treated less favourably as a result of exercising their rights. Each complaint will be acknowledged promptly, and a clear explanation will be given of the investigation process and timescales involved. Investigations will be conducted by the Firm’s Manager, Alex Korenkov or Yulia Chalykh, whichever of them was not directly involved in the events giving rise to the complaint.
4.2 The firm will provide a substantive written response within one month of receipt of the complaint, unless the matter is particularly complex, in which case an extension of up to two additional months may be applied. In such cases, the complainant will be informed of the reasons for the delay. Where a breach is identified, we will set out the steps taken to remedy the situation, including any corrective or preventive measures. Where the complaint is not upheld, we will explain the reasons clearly.
4.3 In particular, this policy adopts the following principles:
- Accessibility: Complaints can be raised in writing, by email, or verbally to any member of staff. Staff must refer complaints immediately to the Manager, Alex Korenkov and/or Yulia Chalykh.
- Prompt Acknowledgement: All complaints will be acknowledged within five working days.
- Independent Investigation: Complaints will be investigated impartially by the Firm’s Manager, Alex Korenkov or Yulia Chalykh, whichever of them was not involved in the events.
- Timeliness: A substantive response will be provided within one month, in line with the DUAA 2025. Where complex investigations are required, this may be extended by a further two months, with reasons provided to the complainant.
- Confidentiality: Complaints will be handled in confidence and details shared only with those who need to know in order to investigate and resolve the matter.
- Escalation: If a complainant is not satisfied with the outcome, they will be advised of their right to escalate the complaint to the ICO.
5) Complaints Raised by Clients and Third Parties
5.1 Clients and third parties who believe that their data protection rights have been breached may raise a complaint in writing, by email, or verbally with any member of staff. Staff receiving such a complaint must ensure that it is immediately referred to the Firm’s Manager, Alex Korenkov or Yulia Chalykh who will acknowledge receipt of the complaint within five working days and confirm the process that will be followed.
5.2 The investigation will involve reviewing the complaint, considering relevant documents and communications, and speaking with any members of staff involved. Where appropriate, technical checks will be carried out to confirm whether a system or process failure has occurred. The Firm’s Manager, Alex Korenkov or Yulia Chalykh, will then issue a written response within one month, setting out the findings, any remedial action taken, and the complainant’s right to escalate the matter to the ICO if dissatisfied.
5.3 If the complainant remains unhappy with the outcome, they may request a review by the firm’s Managing Partner or escalate the complaint externally to the ICO.
6) Complaints Raised by Staff
6.1 Staff who consider that their personal data has been mishandled may raise a complaint directly with the Firm’s Manager, Alex Korenkov or Yulia Chalykh. The complaint will be acknowledged within five working days, and the process of investigation will be explained clearly.
6.2 The investigation will typically involve a review of personnel records, consultation with managers, and consideration of any relevant HR or IT processes. Findings will be shared with the employee in writing within one month, with details of any corrective steps or systemic changes proposed. Staff will be advised of their right to escalate the complaint to the ICO if dissatisfied with the outcome.
6.3 The firm is committed to ensuring that Staff who raise data protection complaints are not subjected to any form of retaliation or detriment as a result of doing so. All complaints will be treated confidentially and with sensitivity.
7) Record-Keeping and Learning Lessons
7.1 All complaints will be recorded in the Firm’s central Data Protection Complaints Register. This will include details of the complainant, the nature of the issue, the findings of the investigation, and the remedial actions taken. This record-keeping will enable the Firm to identify trends, recurring issues, and opportunities for improvement.
7.2 The Firm’s Manager, Alex Korenkov or Yulia Chalykh, will report periodically to the firm’s management committee on the number and nature of complaints received, the outcomes reached, and the measures taken to strengthen compliance. This reporting will form part of the firm’s continuous improvement programme for data protection.
8) Training and Awareness
8.1 All Staff will be trained to recognise and escalate data protection complaints. Induction training will include an overview of the complaints process, and regular refresher sessions will be provided. Managers and supervisors will receive additional training on how to support investigations and ensure that Staff handle personal data responsibly.
8.2 By equipping Staff with the necessary knowledge and awareness, the firm seeks to prevent breaches before they occur and to ensure that any complaints are dealt with effectively.
8.3 The Firm will ensure that all Staff also receive training on the importance of confidentiality and the requirements of data protection. Copies of this policy will be made available on the Firm’s website.
9) Consequences of Non-Compliance
9.1 Failure to follow this policy could have serious consequences for both the Firm and its Staff. The ICO has powers to impose administrative fines of up to £17.5 million or 4% of annual global turnover, whichever is higher, for the most serious breaches of data protection law. In addition, the SRA may take regulatory action where failures in data protection amount to breaches of professional conduct obligations. Such action could include disciplinary proceedings, conditions on practising certificates, or referrals to the Solicitors Disciplinary Tribunal.
9.2 At an organisational level, mishandling of complaints may cause significant reputational damage and loss of client confidence. At an individual level, failure by Staff to follow this policy may lead to disciplinary action in line with the Firm’s internal procedures.
10) Review of Policy
10.1 This policy will be reviewed on an annual basis by the Firm’s Manager, Alex Korenkov or Yulia Chalykh, and the management committee, or sooner if required by changes in legislation, guidance from the ICO, or operational experience. Updates will be communicated to all Staff, and revised versions will be published on the Firm’s website.
10.2 All Staff are encouraged to put forward ideas and suggestions for developing and improving the operation of this DBCP.