Sectoral analysis of ICO-reported data protection complaints

New research by cybersecurity services company Bridewell has analysed Information Commissioner’s Office (ICO) data to identify which UK industries are most susceptible to data protection complaints. Bridewell notes that these complaints, raised by individuals against an organisation over claims of non-compliance with data protection laws, are significant, as cyberattacks targeting intellectual property are estimated to cost the UK economy up to £8.5 billion annually.

The research compared complaint volumes between October 2023 and September 2025. The finance, insurance, and credit sector consistently received the highest number of complaints, recording 4,630 cases in the most recent year, a 5% increase from 4,422 in the previous period. This trend underscores the pressure on sectors managing large volumes of sensitive financial data. The health sector followed, with cases rising from 3,903 to 4,082 year-on-year, reflecting specific data protection challenges in handling highly sensitive personal information. The sharpest year-on-year growth was experienced in the retail and manufacturing sectors, which rose by 12%, increasing from 2,421 between October 2023 and September 2024 to 2,714 in the subsequent twelve-month period.

In addition, the analysis identified a change in how the ICO resolves cases. There was a 22% decrease in investigations resulting in informal action responses when comparing the two periods. Conversely, the number of instances in which the regulator concluded investigations with no further action increased by 14%. Bridewell notes these figures suggest that while more individuals are reporting concerns regarding how their personal information is handled, a higher proportion of these cases are being closed without formal intervention or regulatory action.

Training Announcement: Freevacy offers a range of independent data protection qualifications from IAPP and BCS. Our certified courses are available at foundation and practitioner levels and cover multiple legal jurisdictions, data protection operations management, and the implementation of complex privacy solutions in technical environments. Find out more.