You asked a company to delete your data. A month went by. The marketing emails kept coming, or worse, you found out later they'd quietly shared your details with a third party anyway. UK data protection law gives you a real regulator to escalate to — but there's a step most people skip that you shouldn't, and a common misunderstanding about how absolute the "right to be forgotten" actually is.
The right to erasure, and its actual limits
Under UK GDPR, you can ask an organisation to delete personal data it holds about you, and in several circumstances it must comply — typically when the data is no longer needed for its original purpose, when you've withdrawn consent, or when you've objected to it being used for direct marketing. Organisations have one calendar month to respond, extendable by up to two further months for genuinely complex requests.
It's worth knowing this right isn't unconditional, though. An organisation can lawfully refuse an erasure request if it has a legal obligation to keep the data (tax records, for example), if the data is needed to establish or defend a legal claim, or for reasons like public-interest archiving or freedom of expression. If they refuse, they're required to tell you why in writing and inform you of your right to complain to the ICO or take the matter to court.
Don't skip this step: complain to the organisation first
Before going to the ICO, the ICO's own guidance recommends giving the organisation a genuine chance to resolve things directly through its complaints process first. This isn't just politeness — a documented complaint to the company, and their response (or lack of one), is exactly the evidence trail that makes your case to the ICO stronger and often faster to process, since the ICO will want to see that you gave the organisation a fair opportunity to put things right.
What the ICO actually is
The Information Commissioner's Office (ICO) is the UK's independent regulator for data protection and information rights. It can investigate organisations, order corrective action, and issue significant fines for serious or repeated violations.
Building a complaint the ICO can actually act on
- Your original request in writing — the email or letter where you explicitly asked for erasure (or raised whatever GDPR right applies), with the date clearly visible
- The organisation's response, or proof they didn't respond within the one-month window
- Your complaint to the organisation itself and their reply, showing you gave them a genuine chance to fix it first
- A clear, specific summary of what went wrong, in plain language — the ICO's own guidance says you don't need legal terminology or to quote the exact article of GDPR, just a clear explanation of what happened and what you think should have happened instead
How to file with the ICO
- Go to ico.org.uk/make-a-complaint.
- Confirm you've already tried to resolve it directly with the organisation first.
- Describe the issue clearly, in your own words, with the dates and evidence gathered above.
- Submit — the ICO will assess whether your case falls within its remit and follow up with you on next steps.
A realistic expectation of what happens next
Filing with the ICO doesn't guarantee an instant deletion or an apology from the company — the ICO investigates patterns and serious non-compliance, and its response timeline varies with the complexity and volume of complaints it's handling. What your complaint reliably does is create an official record that contributes to the ICO's picture of that organisation's practices, and in genuinely clear-cut cases (a straightforward erasure request ignored past the one-month deadline with no valid exemption), it gives you documented grounds to escalate further, including through the courts if it comes to that.