13 May 2026
Data protection complaints
From 19th June 2026 all organisations that act as data controllers must have a formal process in place for individuals to raise data protection complaints.
Sailing clubs, class associations and recognised training centres that obtain information through membership application forms and event entry forms, or collect any other information from visitors, suppliers, staff and volunteers, will likely be data controllers and will need to comply with the new requirements.
Complaints might include concerns around how data was collected, used or shared, the lawful basis for processing data or any data breaches or issues with security measures used. The complaints process must be easy to locate, linked from privacy notices and websites, with clear explanations of how complaints will be handled and expected timeframes. It is worth noting that a complaint does not need to be labelled as a data protection complaint or submitted in a particular format; if the substance of the concern relates to personal data, it must be treated accordingly.
The ICO has the power to fine organisations that have not complied with the requirement to put a formal data protection complaints process in place.
What should organisations do?
- Inform individuals of their right to complain about data protection issues, ideally at the point at which personal data is collected. Privacy notices or policies may require updates to reflect this.
- Have a process for receiving complaints – this could be a standalone data protection complaints procedure or an integrated process within existing frameworks. Organisations should provide accessible means for an individual to submit complaints including an electronic complaint form and alternative routes such as email and post.
- Investigate and respond without undue delay – complaints should be acknowledged within 30 days and organisations must complete their enquiries and respond “without delay”. Organisations should keep records of any investigations and responses provided so that evidence can be produced to the ICO should the matter be escalated. Any response should remind the complainant that they can take the matter to the ICO if they are unhappy with the outcome.
- Review arrangements with third-party processors – ensure that there are obligations on the processor to assist with investigations, forward complaints to the data controller and provide all information required to be able to respond.
Please contact the legal team for further advice on this topic by email at: legal@rya.org.uk