How UK Businesses Can Respond To Bad Reviews: Defamation & GDPR Risks

Getting bad reviews can feel personal - especially when you’ve poured time, money and energy into your business and you’re trying to do right by customers.

But from a legal perspective, what matters is how you respond. A rushed reply can create bigger problems than the review itself, including defamation disputes, UK GDPR complaints, or accidentally breaching confidentiality.

This guide breaks down how UK businesses can handle bad reviews calmly and commercially, while keeping an eye on the key legal risks (and knowing when it’s time to escalate).

Important: This article is general information, not legal advice. The right approach depends on your facts, the platform involved and the wording of the review.

Why Bad Reviews Matter (And When They Become A Legal Issue)

Most of the time, bad reviews are just that: negative feedback you can learn from, respond to, and move on.

Where things get tricky is when a review:

• includes serious allegations (e.g. fraud, theft, discrimination, unsafe practices);
• identifies staff members by name or shares private details;
• is posted by someone who was never a genuine customer (fake review);
• contains threats or harassment; or
• prompts you to “set the record straight” by disclosing personal data.

At that point, you’re no longer dealing with customer service alone - you’re dealing with reputational risk plus potential legal exposure.

Common Legal Areas Triggered By Negative Reviews

In the UK, disputes around reviews usually touch one or more of the following:

• Defamation (libel): where a written statement harms reputation and is not defensible.
• Data protection (UK GDPR and the Data Protection Act 2018): where personal data is disclosed or mishandled.
• Confidentiality: where you share private communications (emails, messages, call recordings) without a lawful basis.
• Consumer protection: if your response (or wider review practices) could be misleading, unfair, or put pressure on customers in a way that undermines trust.

If you want a broader, practical view of how to handle reputational issues without inflaming the situation, bad online reviews are worth treating as a process problem (not just a one-off annoyance).

First Steps: A Safe, Practical Response Plan For Bad Reviews

When you spot a negative review, your first job is to slow things down. The most expensive mistakes happen when a business responds emotionally, publicly, and with too much detail.

Step 1: Preserve The Evidence

Before anything else:

• take screenshots (including the reviewer name, date/time, star rating and full text);
• save any related emails, invoices, booking confirmations, and internal notes; and
• record the URL and platform details.

This helps if the review is later edited, deleted, or escalates to a formal complaint.

Step 2: Work Out What Kind Of Review This Is

Not all bad reviews should be treated the same. Ask:

• Is it genuine? Do your records show this person was a customer, client or attendee?
• Is it opinion or alleged fact? “I didn’t like it” is different from “They scammed me”.
• Does it mention personal data? Names, phone numbers, order numbers, medical information, images, CCTV stills, etc.
• Is it abusive or threatening? Some platforms will remove content that breaches their policies regardless of legal tests.

Step 3: Decide Your Goal Before You Reply

There are usually only a few sensible goals:

• reduce reputational harm (future customers are your real audience);
• move the conversation offline and resolve it;
• correct misinformation without escalating;
• request removal via the platform where appropriate; or
• escalate to a formal legal step in serious cases.

If your main goal is “winning the argument”, it’s a sign you should pause and re-draft.

Step 4: Use A “Low Detail, High Professionalism” Response

A safe public reply is usually:

• brief;
• polite;
• non-accusatory;
• non-specific about the customer’s circumstances; and
• invites contact via an official channel.

Example response (adapt to your business):

“We’re sorry to hear you felt disappointed. We’d like to look into this properly - please contact our team at with the details of your booking/order so we can review what happened and see if we can resolve it.”

This approach reduces the risk of disclosing personal data and avoids making statements that could escalate into a defamation dispute.

Defamation And Bad Reviews: What You Can Say (And What You Should Avoid)

Defamation is one of the most talked-about legal risks with bad reviews, but it’s also one of the most misunderstood.

In simple terms, a defamatory statement is a false statement published to a third party that causes (or is likely to cause) serious harm to reputation. Online reviews can qualify as “publication”.

Opinions Are Often Lawful - But Allegations Of Fact Can Be Risky

Reviews commonly mix opinion and alleged fact. Examples:

• Low risk (usually opinion): “Rude service. I won’t be back.”
• Higher risk (alleged fact): “They lied about the price and overcharged me on purpose.”
• High risk (serious allegation): “This business is committing fraud” or “They are unsafe and should be shut down.”

Even if you believe the reviewer is wrong, responding publicly with your own accusations can create a messy dispute where everyone loses time and control of the narrative.

What Businesses Should Avoid Saying In Public Replies

When you respond to a review, avoid:

• Calling the reviewer a liar (even if you think it’s true).
• Threatening legal action immediately (it often inflames, and can look heavy-handed if the review is just negative opinion).
• Making new allegations (e.g. “You were drunk”, “You tried to scam us”, “You’re a competitor”).
• Posting “proof” that includes private info (emails, booking details, phone numbers, addresses, CCTV images).

If you want to understand how a business can respond when they believe a statement is genuinely damaging and untrue, a solicitor’s letter style approach (measured, evidence-led) is often more effective than a public back-and-forth.

When Can You Ask For Removal?

Removal depends on the platform’s policies and the legal context, but it’s more realistic when the review is:

• clearly fake (no record of the customer);
• abusive, threatening, discriminatory or harassing;
• includes personal data (the reviewer’s or your staff’s);
• contains serious allegations stated as fact with no basis; or
• part of a pattern (e.g. multiple reviews from the same source).

Practically, your best chance of removal is often to frame your request in the platform’s terms (policy breaches), while keeping legal points ready if needed.

GDPR And Privacy: Don’t “Defend Yourself” By Sharing Personal Data

One of the biggest traps with bad reviews is the urge to defend your business by sharing “receipts”.

In the UK, UK GDPR and the Data Protection Act 2018 apply when you process personal data (including disclosing it publicly in a review response).

What Counts As Personal Data In A Review Dispute?

Personal data is broadly any information that identifies a person (directly or indirectly). In a review context, this can include:

• names (including staff names, depending on the context and whether the person can be identified);
• email addresses or phone numbers;
• order numbers, booking references, invoices;
• images or CCTV stills;
• medical or accessibility information; and
• details that “piece together” identity (e.g. “the person who came in at 3pm with X issue”).

Even something as basic as whether a person is a customer can be personal data depending on the circumstances.

If you’re unsure what counts, it’s worth treating work contact details and customer identifiers cautiously - work email addresses can still be personal data under GDPR in many scenarios.

A Safer Rule: Keep Public Replies “Data-Light”

In most cases, your public response should not confirm:

• that the person is (or isn’t) your customer;
• what they bought;
• what happened in detail; or
• anything about their behaviour, health, finances or complaint history.

Instead, invite them to contact you through an official channel so you can investigate privately.

Be Careful Sharing Screenshots, DMs, Or Private Messages

Businesses often feel tempted to post screenshots of messages to “prove” they’re right. That can backfire quickly.

If those messages include personal data (almost always) or were shared in confidence, you could expose your business to complaints and reputational damage - and in some cases, legal consequences.

This is especially important if you’re considering reposting private conversations publicly; private messages are rarely safe to publish as a form of “public defence”.

Data Retention: Don’t Keep Review “Dossiers” Forever

If you start collecting evidence about reviewers (screenshots, internal notes, correspondence), remember that GDPR requires you to keep personal data only as long as necessary for the purpose you collected it.

That doesn’t mean you can’t keep records - it just means you should have a sensible retention approach, particularly if your staff are saving content across devices and inboxes. As a general reference point, data retention should be documented and consistent, not ad hoc.

Do You Need A Privacy Policy For Review Handling?

If you’re collecting customer data (even just via contact forms) and you’re using it to manage complaints and reputation issues, you should make sure your privacy information is accurate and up to date.

That usually means having a clear Privacy Policy that explains what you collect, why you collect it, who you share it with, and how long you keep it.

Recording Calls, CCTV And “Proof”: What You Need To Think About Before You Use It

Sometimes a review dispute isn’t just about words - it’s about evidence. Maybe you have CCTV, a phone call recording, or an email chain that shows what really happened.

Even if you’re confident the evidence supports your business, you still need to use it carefully - especially because recording and using this material will usually involve privacy, data protection and (sometimes) confidentiality considerations.

Call Recordings

Many businesses record calls for training and quality purposes. Using recordings to respond to bad reviews raises two issues:

• Privacy and data protection: call recordings are personal data and you’ll generally need a lawful basis to collect and use them, plus appropriate transparency (for example, telling callers).
• Disclosure risk: sharing the content publicly is rarely appropriate, even if it “proves” your point.

If you’re considering recording calls (or already do), make sure you understand the rules around recording conversations - particularly notification, purpose limitation, and how recordings are stored and accessed.

CCTV Footage

CCTV can be helpful for investigating what happened on-site. But publishing stills or footage to “name and shame” a reviewer is a high-risk move.

As a starting point, if you operate CCTV, ensure you’re thinking about signage, lawful basis, retention, access control and how to handle requests. For many businesses, it’s also worth checking whether your setup falls into higher-risk territory (for example, audio recording or areas where people expect more privacy). The legal compliance around workplace cameras is often relevant even for customer-facing premises.

A Simple Guiding Principle

If you’re thinking of publishing evidence, ask:

• Would a reasonable customer see this as professional - or as retaliation?
• Does it reveal personal data?
• Could it identify staff members or customers?
• Could it breach confidentiality or platform policies?

In most cases, evidence should be used privately: for internal investigation, platform takedown requests, insurers, or your solicitor - not as content for a public reply.

When (And How) To Escalate Bad Reviews Without Making Things Worse

Not every negative review deserves escalation. But some situations do need a stronger response - especially where there’s a genuine threat to your business.

Option 1: Take It Offline And Resolve It

Commercially, this is often the best outcome. If you can solve the underlying issue, you may get an updated review or at least reduce ongoing friction.

Keep the tone calm and structured:

• acknowledge the concern (without admitting liability too early);
• ask for key details;
• offer a reasonable pathway to resolution; and
• document the outcome internally.

Option 2: Make A Platform Report Or Removal Request

Where the review breaches platform rules (abuse, hate speech, fake review patterns, personal data), reporting can be effective.

Keep your request factual and evidence-based. Avoid lengthy emotional explanations - and don’t include more personal data than you need to.

Option 3: Send A Formal Letter

Where a review contains serious, damaging allegations presented as fact (and you have evidence it’s false), a carefully drafted letter can be appropriate.

This might request that the reviewer:

• removes or amends the review;
• stops publishing the allegations;
• confirms they won’t repeat the statement; and/or
• provides an undertaking (in serious matters).

The key is getting the tone and content right. An aggressive message can create more reputational damage, and a poorly drafted threat can undermine your position.

Option 4: Consider Your Wider Risk Controls

Sometimes the best response to bad reviews isn’t legal escalation - it’s tightening systems so the same complaint doesn’t keep appearing.

Depending on your business, that might mean:

• clearer refund/returns wording and complaint handling processes;
• stronger staff training and escalation pathways;
• better recordkeeping; and
• updating customer-facing terms, policies and privacy information.

If you’re growing and getting more public feedback, it’s also a good time to check that your internal policies match what you do day-to-day - especially around privacy and communications.

Key Takeaways

• Bad reviews aren’t just a reputational issue - they can create legal risk if you respond with accusations, threats or personal data.
• Preserve evidence first (screenshots, order records, internal notes) so you’re not scrambling later if the review changes or escalates.
• Keep public responses brief and professional, and move the discussion offline wherever possible.
• Avoid defamation traps by not making counter-allegations in public and not calling a reviewer a liar - even if the review is unfair.
• GDPR is a major issue in review disputes - don’t share emails, booking details, CCTV stills, or private message screenshots to “prove” your side.
• Escalate strategically: platform reports for policy breaches, and formal legal steps only where there’s serious, provably false and damaging content.

If you’d like help responding to bad reviews in a way that protects your business (and keeps you on the right side of defamation and GDPR), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.