UK data privacy complaints rise in finance & health

Bridewell has published analysis showing that data privacy complaints to the Information Commissioner’s Office rose across several major UK sectors, with finance, insurance and credit recording the highest total.

The data covers complaints logged with the regulator over two 12-month periods and points to continued pressure on organisations handling large volumes of personal information. Finance, health, and online technology and telecoms generated the most complaints in both years.

In finance, insurance and credit, complaints rose 5 per cent to 4,630 in the later period from 4,422 a year earlier, keeping the sector at the top of the rankings.

Health ranked second, with complaints increasing to 4,082 from 3,903, a rise of 179 cases over the year.

Retail and manufacturing recorded the fastest annual increase among the sectors highlighted in the research. Complaints rose 12 percent to 2,714 from 2,421, though the total remained below finance and health.

Regulatory outcomes

The research also tracked how complaint cases were resolved. Cases resulting in informal action responses fell 22 per cent between the two reporting periods.

At the same time, cases concluding with “No Further Action” rose 14 per cent. This may reflect a higher bar for intervention, with regulators focusing resources on complaints with clearer evidence of risk, harm, or repeated non-compliance.

The analysis also noted that one common reason for taking no further action was insufficient information. That underlines the importance of evidence and documentation in complaints about the handling of personal information.

Sector pressure

The figures come as businesses in heavily regulated and data-intensive industries face closer scrutiny over their treatment of customer and user data. Financial services firms, healthcare providers, retailers and digital platforms all handle sensitive personal information at scale, making them more exposed to complaints and enforcement action.

Separate Bridewell research in financial services found that 39 per cent of organisations viewed data privacy and protection as one of their biggest cyber security challenges. The latest complaint analysis adds to that picture by showing where members of the public are directing concerns to the regulator.

Recent enforcement activity has also kept data privacy high on corporate risk agendas. Reddit was fined more than GBP £14 million for failing to carry out a data protection impact assessment and for not checking the age of users accessing its platform.

The case reflects wider regulatory attention on children’s privacy and on whether organisations have put safeguards in place around the use of personal data. For companies operating in consumer-facing markets, such decisions can create both financial and reputational risks.

Chris Linnell, Associate Director of Data Privacy at Bridewell, said: “Rising complaint volumes in sectors like financial services and healthcare show that public expectations around data protection continue to grow. Organisations can’t treat privacy as a compliance box-ticking exercise; it must be central to business operations.”

He also pointed to the consequences of weak controls as regulators sharpen their focus on data governance. “Cases like this highlight the escalating reputational, financial, and operational costs of inadequate privacy controls.”