UK data privacy complaints keep climbing in finance and health

Data privacy complaints are rising across major UK sectors, predominantly in finance and health

Across the UK, data privacy complaints are growing, especially in finance and healthcare. These industries deal with highly sensitive personal information and operate under tight regulation. According to Bridewell, the number of complaints made to the Information Commissioner’s Office (ICO) increased in both sectors between October 2023 and September 2025. Finance stayed on top, with complaints rising from 4,422 to 4,630, an increase of 5%. Health followed, moving from 3,903 to 4,082 cases.

This growth points to a broader shift in public expectations. People want transparency and accountability in how their information is handled. The message for executives is direct: strong data management isn’t optional, it’s part of building trust. The risk is no longer just about fines or compliance failures but about losing customer confidence in an increasingly digital world.

Leaders should also see this as an opportunity. When privacy is treated as a strategic asset, not a regulatory burden, it strengthens brand reputation and operational resilience. Consumers favor companies that show real commitment to protecting their data. In sectors already familiar with oversight, improving internal privacy culture can significantly reduce risks and improve customer loyalty.

Retail and manufacturing sectors experienced the fastest rate of growth in privacy complaints despite lower overall volumes

Retail and manufacturing don’t usually top the list for privacy risks, but that’s changing fast. Bridewell’s analysis showed a 12% increase in data privacy complaints in these sectors, from 2,421 to 2,714 cases. It’s not about total numbers; it’s about momentum. As these industries digitize supply chains, customer interactions, and logistics systems, their exposure to data handling errors and potential breaches expands.

The sharp rise signals growing consumer awareness. People now notice how brands collect and use their data, even in areas like retail and manufacturing where privacy wasn’t historically top of mind. Executives should recognize that digital transformation comes with parallel accountability. Every new connected process, customer data platform, eCommerce feature, or automated logistics tool, creates potential risk points.

For business leaders, the takeaway is clear: privacy readiness must grow in parallel with digital adoption. Investing in privacy controls now guards against future disruption. Those that act early can turn stronger governance into strategic advantage, using sustained trust as a driver for long-term efficiency and brand credibility.

There is a notable shift in how data privacy complaints are being resolved by the ICO

The way privacy complaints are being managed by the Information Commissioner’s Office is changing. Bridewell’s findings show that informal action responses dropped by 22%, while cases closed with no further action rose by 14%. The regulators are receiving more complaints, but a larger share of them lack the necessary information for formal review. This shows a growing public concern about data handling but also exposes weakness in how complaints are documented.

For executives, this trend highlights the importance of precision in record-keeping and data evidence. A complaint that doesn’t meet regulatory action doesn’t mean it goes unnoticed, it still carries reputational weight. The pattern suggests that many organizations are still reactive in managing data privacy issues, rather than building systematic documentation that can stand up to public and regulatory scrutiny.

Leaders should ensure teams are trained not just to comply with data protection rules, but to maintain consistent logs of decisions, data requests, and processing activities. Good record-keeping demonstrates transparency and readiness when regulators or customers raise questions. It’s a low-cost, high-impact way to strengthen internal control and reduce the risk of operational disruption from data-related complaints.

Regulatory scrutiny of data protection is intensifying, especially for high-risk sectors

Regulatory pressure in the UK is growing, especially around sectors that manage sensitive and high-risk data. Bridewell’s analysis points to tougher enforcement in finance and healthcare, where failures in risk assessments and age-verification processes have already drawn official action. Regulators are signaling that weak privacy oversight is no longer acceptable, especially when vulnerable users are involved.

Executives need to treat this surge in scrutiny as more than a compliance challenge. It reflects an evolution in the regulatory mindset: data protection is being positioned as a key component of consumer safety. Regulators are focusing not just on breaches, but on prevention, evaluating how well organizations predict and mitigate privacy risks before incidents occur.

Businesses that operate in these sectors should adopt a forward approach, aligning governance frameworks with the latest regulatory expectations. Strengthening internal review cycles, running gap analyses, and embedding compliance into risk management processes can save time and reputation later. For leaders, the path is straightforward: anticipate where scrutiny will focus next, build maturity now, and show regulators that data protection is part of broader corporate responsibility, not just a legal requirement.

Data governance challenges are increasingly intersecting with broader cybersecurity concerns in financial services

Financial organizations now face a tighter connection between data privacy and cybersecurity. These areas can no longer be managed in isolation. Bridewell’s Cyber Security in Financial Services report found that 39% of organizations identify data privacy and protection as one of their main cybersecurity challenges. This reflects a clear shift: data privacy is now seen as part of enterprise risk and governance, not just compliance.

The financial sector stores vast quantities of confidential information, transaction data, identity records, and behavioral analytics. The complexity of these datasets makes them prime targets for cyber incidents. Executives should view privacy as an integral part of cybersecurity strategy, ensuring that controls designed for technical defense also support strict privacy protection standards.

Decision-makers must also address leadership accountability. Oversight of data protection should sit at the board level alongside other strategic priorities. Integrating privacy into cybersecurity planning allows companies to manage risk holistically, reduce duplication of effort, and strengthen resilience under tightening regulatory demand. This alignment sends a consistent message to customers, investors, and regulators: the organization takes data integrity seriously.

Rising public expectations necessitate a proactive approach to data privacy, making it a central business function

Public expectations around data protection are increasing across all industries. Chris Linnell, Associate Director of Data Privacy at Bridewell, emphasized that organizations can no longer treat privacy as a compliance box to tick. Instead, it must become central to operations. His message is direct: weak controls now carry real financial, reputational, and operational consequences.

For leaders, this rising pressure signals a shift in how privacy influences competitive positioning. Organizations that invest early in privacy-by-design gain agility and credibility as regulations evolve. The cost of falling behind isn’t only potential fines but also the erosion of brand trust that takes years to rebuild.

A proactive stance means building privacy into every stage of data use, collection, storage, and processing. Continuous staff training, transparent policies, and timely reporting build trust with both customers and regulators. Executives who lead with clear governance and visible accountability position their companies to sustain growth even in a highly scrutinized data environment.

Main highlights

• Privacy complaints continue to rise in finance and health: Complaints to the ICO increased across all major sectors, with finance and health leading. Leaders in these industries should prioritize stronger data protection frameworks to maintain trust and meet regulatory expectations.
• Retail and manufacturing face sharp complaint growth: Though starting from lower levels, complaints in these sectors jumped 12%, signaling growing consumer awareness. Executives should align digital transformation with improved data governance to avoid future risks.
• ICO complaint resolution patterns are shifting: Informal resolutions have dropped while cases closed with no action have risen, often due to poor documentation. Organizations should strengthen record-keeping and internal reporting to better handle and resolve privacy cases.
• Regulatory scrutiny is tightening across high-risk sectors: Regulators are taking more decisive action on privacy failures, especially around risk assessments and age-verification. Business leaders must stay ahead of evolving compliance demands through continuous review and proactive governance.
• Data privacy and cybersecurity are converging in financial services: With 39% of financial firms citing privacy as a top security challenge, leaders must integrate privacy into their cybersecurity strategy. This unified approach improves resilience and reduces exposure to reputation and compliance risks.
• Public trust makes proactive privacy a business necessity: Rising complaint volumes show that customers now expect privacy excellence. Executives should embed privacy into company culture, ensuring leadership accountability and transparency to protect long-term brand credibility.