Legal · VAR/WEB/11

Complaints procedure

Established under s.164A DPA 2018 · Last updated: 27 April 2026 · Version 1.0

This procedure sets out how I handle complaints about how Varnham Consulting Ltd processes personal data. It was established under section 164A of the Data Protection Act 2018, as inserted by section 67 of the Data (Use and Access) Act 2025.

If you are dissatisfied with how I have processed your personal data — or any aspect of the data protection services I provide — I want to know. Resolving complaints well is part of getting data protection right.

1. How to make a complaint

Use the intake form on the contact page and select option 10 — "Complaint about how Varnham Consulting has processed personal data".

Please provide as much detail as you can: what data is involved, what you believe went wrong, when it happened, and the outcome you are seeking. The more specific you can be, the more substantive my response can be.

2. What happens next

Acknowledgement

Within 30 calendar days of receipt, I will acknowledge your complaint in writing. The acknowledgement will set out my understanding of the complaint, the steps I will take to investigate, and the expected timeframe for a substantive response.

Investigation

I will conduct a thorough review of the relevant processing — what data was involved, what decisions were made, what records exist, and what the outcome should have been. Where the complaint involves data held by a third-party processor, I will engage with the processor as part of the investigation.

Substantive response

I will respond substantively without undue delay, aiming to do so within 60 calendar days of receiving the complaint. The response will explain the findings, the action being taken (if any), and the rationale for the decision. If I uphold the complaint, the response will set out remedial action; if I do not uphold it, the response will explain why.

3. If you remain dissatisfied

If you are not satisfied with my response — or if 60 calendar days have passed without a substantive response — you may lodge a complaint with the Information Commissioner's Office. The ICO is the UK regulator for data protection and is empowered to investigate complaints under the Data Protection Act 2018.

The ICO can be contacted at ico.org.uk/make-a-complaint or on 0303 123 1113. The ICO recommends raising concerns with the data controller first, which is the purpose of this procedure.

4. Record keeping

I maintain records of all complaints, the investigation steps taken, and the outcomes. These records are retained for 7 years from the date of the complaint, in line with sector record-keeping expectations and the limitation period under the Limitation Act 1980. They are processed under legitimate interests for the purposes of regulatory compliance and continuous improvement.

5. Confidentiality

Complaints are handled confidentially. The investigation may involve sharing relevant information with associates, professional advisers, or third-party processors where necessary to investigate the matter — but never beyond what is required for the investigation.

6. No detriment

Making a complaint will not result in any detriment to you. You will not lose your right to access services, your records will not be treated differently, and you will not be excluded from future engagement on the basis of having raised a complaint.

7. How to make a complaint

Complaints are submitted through the intake form on the contact page, selecting option 10. This ensures every complaint is logged in the same channel and handled within the documented procedure.