Mark Farrell
Data Protection Consultant
Mark is a Data Protection Consultant at Data Protection People. He brings significant regulatory experience to the role having previously worked for the Information Commissioner’s Office (ICO).
This background, combined with a deep understanding of data protection law and awareness of emerging technologies, allows Mark to ensure optimal compliance solutions for DPP’s clients.
His focus is not only on helping clients build robust data protection frameworks that stand up to scrutiny, but on striking the right balance between protecting individuals’ data and allowing operations to flow smoothly.
Get to Know Mark
Mark primarily serves as an outsourced Data Protection Officer (DPO) for organisations across various sectors including financial services, healthcare and sport. He also features on the Data Protection Made Easy podcast.
He joined Data Protection People
in January 2026 from the ICO, where he gained invaluable experience in handling impactful information rights complaints, leading investigations into high-profile data breach incidents and reviewing international transfer arrangements.
As his work in international transfers focused heavily on binding corporate rules (BCRs), Mark has unrivalled insight into this transfer mechanism and is well versed in dealing with the large, multi-national corporations that use them. He is equally adept at supporting SMEs and organisations across both the public and private sector.
Alongside his professional endeavours, Mark has studied data protection and privacy law including in the context of emerging technologies such as AI, blockchain and FinTech. His commercial and technological awareness allows him to give specialist support to organisations in adopting new technologies in a compliant, ethical and responsible way.
Outside of work, Mark is a big football fan and follows his local team, Stockport County FC. He also enjoys training Brazilian jiu jitsu, keeping fit in the gym, travelling to new places and spending time with friends and family.
Experience
In addition to his professional experience in data protection, Mark has a strong academic background in Law, holding a first-class Bachelor of Laws (LLB) degree from the University of Sheffield which included a year spent studying European and International Law at the University of Ljubljana, Slovenia.
In 2025 he obtained an LLM (Master of Laws) with distinction from the University of Manchester, specialising in International Commercial and Technology Law and writing his dissertation thesis on optimising digital ID for market integrity and data protection in UK financial services. He received the Faculty of Humanities PGT Dean’s Award for Achievement as well as an Outstanding Achievement Award for Best Overall Performance across all LLM Programmes.
Mark is involved in the Digital Tech, Crime and the Law Forum jointly organised by the University of Manchester’s Digital Futures initiative and Indiana University Bloomington. He speaks at events on issues relating to data protection and emerging technology.
He is also a part-time Research Intern for the Cambridge Centre for Alternative Finance (CCAF), a research and education institution forming part of Cambridge Judge Business School, University of Cambridge. His contribution mostly centres on regulating data protection and digital ID in developing nations.
"The advantages of a strong data protection framework do not stop at avoiding regulatory sanctions, but in setting an organisation apart from its competitors as an ethical, responsible and trustworthy choice."
Mark Farrell
Data Protection Consultant
Mark's Posts
From the ICO to the Information Commission
From the ICO to the Information Commission: What the Change Really Means
By Mark Farrell, Data Protection Consultant at Data Protection People
In this article: Mark Farrell explores how the Data (Use and Access) Act (DUAA) 2025 will transform the ICO into the Information Commission, examining changes to governance, enforcement powers, accountability, complaints handling and what organisations should expect from the UK’s evolving data protection regulator.
With the Information Commissioner’s Office (ICO) announcing temporary governance changes in response to the ongoing workplace investigation into current Commissioner John Edwards, it seems an appropriate moment to delve into the permanent governance changes that are set to take effect under the Data (Use and Access) Act (DUAA) 2025 later this year (date yet to be confirmed).
The UK data protection regulator’s formal transition from the ICO to the Information Commission is a structural evolution that will not change the fundamental role and responsibilities of the regulator. The DUAA amends references to ‘Information Commissioner’ to the ‘Information Commission’ so all existing functions transfer over.
However, the change represents more than mere rebranding. The way the regulator is constituted, governed and held to account is changing in a significant way. The narrative around DUAA often focuses on the organisational perspective, reduction in regulatory burden, simplification of certain requirements and greater flexibility to process personal data, but what is the view for the regulator?
Towards Board Governance
Moving from a governance structure built around a corporation sole (the Information Commissioner) to a body corporate (the Information Commission) modernises the UK’s data protection regulator, bringing it into alignment with other domestic regulators such as Ofcom and the Competition and Markets Authority (CMA).
Whilst the Information Commissioner had the final say in decision making, once in place the Information Commission will operate with a board comprising the Chair of the Information Commission, a chief executive officer, and other non-executive and executive members who will share decision-making responsibilities.
The impact of this structural change will be to make the regulator less personality-led and more framework-led. A corporation sole should (in theory at least) offer decisiveness, but as we have seen, is also liable to make regulatory tone and emphasis dependent on one individual’s instincts, leading to data protection laws “varying with the length of the Commissioner’s foot.”
Data protection regulation in the current age requires not just authority, but governance, oversight and expertise. A board structure brings all three, as well as greater resilience, continuity in strategy and a broader range of perspectives. Having a wider range of views factored into the regulator’s approach aligns with the formal expansion of the ICO’s regulatory priorities under the DUAA.
Beyond Protecting Personal Data
The DUAA introduces a fresh strategic framework for the regulator when carrying out its functions, entailing a principal objective supported by several other key areas. The primary duty remains to secure an appropriate level of protection for personal data, alongside a new additional requirement to promote public trust and confidence in the processing of personal data.
The other factors outlined in the DUAA updates which the Commission must have regard for when undertaking its tasks and responsibilities are not new priorities per se but rather existing areas of focus for the ICO which now gain formal recognition and reinforcement as key areas that should be considered within the Commission’s overall remit including:
- the desirability of promoting innovation;
- the desirability of promoting competition;
- the importance of the prevention, investigation, detection and prosecution of criminal offences;
- the need to safeguard public and national security;
- the fact that children merit specific protection with regard to their personal data.
This broadening of official regulatory remit is in recognition of the data protection regulator’s role no longer being confined to data breaches and individual rights but increasingly entailing supervision across emerging areas of public concern such as artificial intelligence, children’s data, biometrics, online tracking, cross-regulatory coordination and the relationship between data protection, competition and innovation.
In addition to these expanded areas of focus is also the duty for the Commission to consult other regulators regarding economic growth, innovation and competition, which will presumably take place through the existing DRCF (Digital Regulation Cooperation Forum) which brings together the ICO, Financial Conduct Authority (FCA), Ofcom and the CMA (Competition and Markets Authority).
This signals a move away from data protection being treated as a standalone compliance issue and toward a more joined-up regulatory model in which privacy, competition, innovation and online safety are assessed alongside one another. In practice, this increases the likelihood of coordinated regulatory expectations, shared intelligence and scrutiny across regulators, meaning organisations may face a more consistent but also more demanding regulatory environment.
The Commission will be held accountable on this new remit by greater transparency requirements introduced by the DUAA, requiring the Commission to publish an annual analysis of its performance and report on regulatory action including the nature of investigations, time taken and powers used. Requiring the regulator to explain not only what it prioritises but how efficiently it uses its powers and resources is intended to create a more publicly accountable institution.
As well as factoring these considerations into its decision making, the Information Commission will also have a range of DUAA changes to oversee which are motivated by these considerations.
The Enforcement Forecast
The ICO’s recent enforcement track record has remained broadly aligned to the primary objective of protecting personal data, data rights and upholding public trust, with many headline sanctions pertaining to data security breaches, including the Capita, Advanced Computer Software, 23andMe and LastPass fines.
However, recent action taken against TikTok and Reddit centred on proactively protecting children’s data points to the ICO broadening its focus beyond data security breaches, reflecting the wider regulatory priorities formalised by the DUAA. Indeed, children’s data is best viewed not as one priority among many but as an increasingly cross-cutting theme across all the newly formalised regulatory priorities.
The extent to which the enforcement picture will change following the increased monetary penalties for PECR breaches, which brings this regime in line with the UK GDPR, is debatable.
It is likely that the threshold increase is focused on the deterrent effect, with the original threshold seemingly not providing enough in this regard.
The overall trend of enforcement action in recent years, despite the ICO’s public sector approach, has been upward and it is likely to continue on this trajectory, especially in view of the new enforcement procedural guidance which is set to replace the 2018 Regulatory Action Policy and will determine how the ICO operates in view of the expanded powers conferred by the DUAA.
Enhanced Evidence Gathering
The headline changes in terms of new ICO (and soon to be Information Commission) evidence gathering capabilities conferred under the DUAA are powers to:
- Compel production of specific documents
- Compel a witness to attend an interview
- Request technical reports
These powers strengthen the regulator’s evidence gathering tools in response to investigative challenges.
For the regulator, the power to mandate production of a report by an approved person at the cost of the organisation and with specific subject matter, form, manner and date of preparation, should free up capacity to investigate and sanction more organisations.
There is the potential for these reports to become more easily available to claimants than other internally produced equivalents, and one would suspect they could be highly advantageous for advancing legal claims.
Complaints: Lightening the Regulator’s Burden
The overall intention of the DUAA complaints changes is not only to increase the obligation and responsibility on organisations for resolving data protection complaints raised by individuals but to in turn reduce the burden placed on the ICO by the large volume of complaints made to it.
In tandem with the DUAA complaints changes, the ICO has published a new framework on how it handles complaints, targeted at more effectively managing the large and increasing volumes of complaints received.
The overall aim of the framework is to focus resources on cases where the ICO can have the biggest impact and where issues align with strategic priorities.
Conclusion
The government and the ICO have presented the DUAA as a reform package focused on promoting innovation, supporting growth and making compliance easier for organisations.
There is truth in that, the Act relaxes and clarifies certain requirements, for example around scientific research, recognised legitimate interests, cookies and automated decision-making, but the transition to the Information Commission shows that simplification is only half the story.
The other half is a regulator designed to be more strategically oriented, better equipped and more assertive in regulatory action.
Organisations, when taking advantage of the greater flexibility permitted by the DUAA, should be mindful that this freedom comes with a string attached, the regulator is better equipped to investigate and penalise should things go wrong.
Ultimately, this is not a shift from more regulation to less but from an older model of data protection oversight to a newer version that is board-governed, strategically accountable and more appropriately calibrated for the emerging pressures of AI, digital markets, children’s privacy and the increasingly sophisticated enforcement picture that follows.
Need Help Preparing for the DUAA?
The Data (Use and Access) Act introduces significant changes for organisations, regulators and data protection professionals. If you need support understanding your obligations, reviewing your compliance programme or preparing for the evolving regulatory landscape, our team can help.
Outsourced DPO Services | Data Protection Support Service | GDPR Audits | Contact Us
Mark Farrell is a Data Protection Consultant at Data Protection People. Mark specialises in UK GDPR compliance, information governance, regulatory developments and the practical application of data protection law. He regularly advises organisations on emerging legislative changes, enforcement trends and regulatory risk management.
For more discussions on UK GDPR, data protection and regulatory developments, explore the Data Protection Made Easy Podcast.
ICO Guidance on the DUA
ICO Guidance on the Data (Use and Access) Act (DUA): What You Need to Know
The Information Commissioner’s Office (ICO) has released guidance on handling data protection complaints in line with the requirements from the Data (Use and Access) Act (DUAA) which are set to come into force on 19 June 2026.
Whilst most of the reforms brought about by Part 5 of the DUAA took effect on February 5, organisations have longer to prepare for the complaint requirements and the ICO’s guidance supports organisations on achieving best practice ahead of time.
What does the DUAA change regarding data protection complaints?
Whilst the ICO has previously expected organisations to address data protection complaints received from individuals, this has not been backed up by any legal obligation.
Following the changes under the DUAA, individuals now have the legal right to submit a complaint to an organisation about the handling of their personal data and organisations must implement processes and procedures to facilitate this.
What are the key requirements for handling data protection complaints in line with the DUAA and ICO guidance?
The ICO’s latest guidance outlines the following key steps organisations must take to meet the complaint requirements under the DUAA:
- Provide individuals with a way of making data protection complaints;
- Acknowledge data protection complaints within 30 days of receipt;
- Take appropriate steps to respond to complaints without undue delay, including making appropriate enquiries and keeping complainants informed; and
- Provide people with complaint outcomes without undue delay.
For organisations with existing complaints procedures, only minor changes are likely needed to reflect the DUAA requirements, but organisations lacking an established complaints process will now be expected to implement a substantive procedure.
This article highlights the key areas of focus for organisations in preparation for the DUAA complaints provisions coming into force and summarises recommendations for best practice based on the ICO’s guidance.
What constitutes a data protection complaint?
Not every complaint that is linked to data protection matters constitutes a data protection complaint. Where an individual complains about an organisation’s services or other matters whilst also exercising data protection rights this does not count, e.g. an employee raises a grievance and at the same time makes a subject access request.
The ICO’s guidance clarifies that data protection complaints arise where an individual complains specifically about an organisation’s handling of their personal data, whether this be about the handling of a subject access request (SAR) or quality of data security.
As with other personal data rights requests, individuals do not have to use legal terms of quote the legislation to make a data protection complaint. Where unsure if an individual is making a data protection complaint, organisations should seek clarification.
What must we do to prepare for handling data protection complaints?
Give people a way to make complaints
The starting point is to ensure that your organisation gives people a way to raise a data protection complaint. The ICO’s guidance allows organisations flexibility to choose which channels are most approach, whether through a complaint form, email address, telephone number, online portal, live chat facility or in person (if operating offline).
There is no requirement to set up a separate tool for receiving data protection complaints and organisations can rely on existing complaints channels and adapt these to include data protection complaints. As per the ICO’s SAR guidance, individuals are not obliged to follow the set process and can complain using any method of their choice. Nonetheless having a set complaints process is important for accountability.
Organisations with online presence should also consider how to handle complaints received through social media and bear in mind that liaising with complainants through social media is not secure and an alternative contact method should be sought.
Those within the scope of the ICO’s Age Appropriate Design Code should satisfy the requirements for handling complaints from children outlined at standard 15 of the Code, ensuring children can easily make and escalate complaints.
Inform people of their right to complain
Organisations are already required to inform individuals of their right to submit a complaint to the Information Commissioner at the point of collection of their personal data through a privacy notice and also when responding to SARs.
Following the DUAA, organisations must now also inform individuals of their right to make a data protection complaint to the organisation itself. Organisations should update privacy notices accordingly to inform data subjects of their right to complain and the organisation’s complaints process including a contact point.
Those processing personal data for law enforcement purposes must also inform individuals of their right to complain at other junctures, including when refusing other rights requests.
Implement a complaints procedure
The ICO’s guidance makes clear that for best practice, organisations should implement a complaints procedure if they do not already have one. It should use plain language (avoid legal jargon), be published online and be made available to individuals at the earliest opportunity to ensure they are aware of how to raise complaints.
It is recommended that a written process includes the set method for receiving complaints; the supporting evidence needed to investigate; the proof of ID and third-party authority accepted as well as information on communicating timescales (acknowledgement within 30 days), updates and outcomes.
Whilst it is acceptable to integrate data protection complaints into overarching complaints procedures and a standalone process is not required, organisations must ensure outcomes are issued on data protection complaints without undue delay. So, when responding as part of a wider complaint connected to other issues, if able to provide an outcome on the data protection aspect sooner, you must do so.
Review record keeping and training
Guidance on record keeping reiterates not only the importance of having up to date, clearly organised and labelled systems so information can be found quickly and effectively, but also to provide evidence of the following:
- Date complaints were received
- Acknowledgements sent
- Relevant conversations and documents
- Complaint outcomes
- Actions taken as a result
Not only does strong record keeping support compliance with the Art.5(2) UK GDPR Accountability principle by demonstrating compliance should the ICO or other industry bodies investigate, it is also beneficial for identifying recurring trends and underlying compliance issues.
In terms of training, all staff should as part of their overall data protection training be brought up to speed on recognising data protection complaints and knowing where to direct complaints internally when received.
Review Joint Controller and Processor arrangements
For Joint Controllers, emphasis is on having transparent arrangements in place given the timescale starts as soon as the complaint is received by a Controller so all parties must be clear on what to do, including in terms of:
- whether to have a central point of contact for complaints,
- how to inform people of where to complain and
- responsibilities for investigating complaints and liaising with complaints.
Controller-Processor data processing agreements should cover arrangements for handling data protection complaints. The typical role of Processors remains to provide assistance, including on complaint investigations and by supplying relevant information, with Controllers retaining the obligation for complaint handling.
How do we ensure best practice in the end-to-end process?
Acknowledging the complaint
You must acknowledge receipt of a data protection complaint within 30 days and the ICO’s guidance clarifies that an auto-acknowledgement will suffice.
This timeframe begins the day after the complaint is received, even if this falls on a weekend or public holiday. However, if the last day to acknowledge falls on a weekend or public holiday, you have until the next working day.
A practical approach is emphasised, for instance there is no need to provide an acknowledgement and outcome separately if you are able to provide a complaint outcome within 30 days, or if contacting the complainant to ask for proof of ID an additional acknowledgement is not needed.
The same complainant ID and third-party authority verification protocols apply as for other personal data rights requests, meaning you should:
- seek proof of ID at the earliest opportunity if in doubt
- not request further evidence if already in possession of sufficient information
- verify third party authority by requesting power of attorney or a signed letter of authority from the complainant they are acting on behalf of; and
- abstain from investigating the complaint until valid authority is received.
Conducting the investigation
Organisations must make enquiries into data protection complaints without undue delay, starting from when the complaint is received and not after the 30 day acknowledgement period ends.
This process generally involves fact finding, speaking to relevant staff, comparing the complaint information with that held and checking if organisational standards were upheld, and the ICO’s guidance recommends asking the complainant for more information if necessary as well as managing their expectations.
The ICO’s guidance recognises that complaints will vary in complexity, scale and harm, meaning a blanket timeframe for resolving complaints is not expected. Instead, focus should be on the specific circumstances of the complaint (and your organisation) and making reasonable and proportionate enquiries based on this.
Providing updates and outcomes
Giving timely progress updates to complainants is emphasised in the ICO’s guidance, with the priority on explaining timeframes for resolution and any expected delays.
As with investigating complaints, outcomes must also be issued without undue delay, which according to the guidance means ‘without an unjustifiable or excessive delay.’ Outcomes should include explanation of steps taken to resolve the complaint and actions taken as a result, and where you think you have complied with data protection law this should be explained in detail.
An internal review process for complainants unhappy with the outcome is recommended. It is also best practice to inform individuals of their right to complain to the ICO, which individuals have the right to do so at any point notwithstanding any internal review process.
Conclusion
The complaints requirements introduced by the DUAA can be viewed as formalising what the ICO has long expected from organisations in terms of addressing data protection complaints. The standards emphasised in the ICO’s latest guidance on complaints largely mirrors those expected when handling other personal data rights requests.
Indeed, the ICO will be aiming for a reduction in the number of complaints brought to it following the DUAA changes. The regulator has an established policy of diverting complaints to organisations in the first instance where the issue has not previously been raised with the organisation directly, and it now has a legal basis for doing so.
This latest guidance also coincides with the ICO’s publication of its complaint handling framework which is centred on prioritising high-value cases where the ICO can have the most significant impact, an objective more realisable if less time can be spent on lower impact matters and those where internal complaints procedures have not been utilised.
Moving forward, organisations can expect to be held to a higher standard in terms of complaint handling. Not having formal procedures in place will amount to a breach of the DPA, may trigger complaints from data subjects and will be looked on with greater scrutiny by the ICO.
Implementing a formalised end-to-end data protection complaints procedure ensures best practice and will be looked on far more favourably by the ICO should any concerns be raised or investigations initiated. Data Protection People has already supported many organisations in this regard. If your organisation requires assistance in this area, please reach out to us.