Legal update – What the New Data Protection Complaints Regime Means for Employers

 

From ICO to In-House: What the New Data Protection Complaints Regime Means for Employers

On 19 June 2026, a significant development in UK data protection law came into force under the Data (Use and Access) Act 2025 (DUAA), introducing a new statutory right for individuals, including employees, to raise data protection complaints directly with organisations. This marks an important shift in responsibility, as employers are now required not only to handle data appropriately but also to actively facilitate, manage and respond to concerns when they arise. Previously, many complaints were directed straight to the Information Commissioner’s Office (ICO), but the new framework places clear emphasis on resolving issues internally in the first instance.

One of the most notable aspects of the new regime is how broadly a data protection complaint may be interpreted. Employees do not need to use legal terminology or formally state that they are making a complaint. A simple comment such as “I’m not sure I’m comfortable with how my data is being used” or “I don’t think this is an appropriate use of my personal data” may be enough to trigger an employer’s legal obligations. Importantly, complaints can arise through any communication channel, including informal conversations, emails, HR discussions or even comments made to line managers. This means organisations must be particularly alert to recognising complaints in practice, rather than relying on formal processes or labels.

Under the DUAA, employers are now subject to a clear set of statutory duties in relation to complaints handling. Organisations must provide individuals with a way of making data protection complaints and ensure that this process is accessible and easy to use. Once a complaint is received, it must be acknowledged within 30 days. Employers are then required to take appropriate steps to investigate and respond without undue delay, which includes making reasonable enquiries and keeping the individual informed of progress. Finally, the organisation must communicate the outcome of the complaint without undue delay. While the legislation does not impose a strict deadline for completing an investigation, the expectation is that employers act promptly and proportionately, taking into account the complexity of the issue.

In practical terms, however, employers do not necessarily need to introduce an entirely separate or complex process in order to comply with these requirements. In many cases, a clearly drafted paragraph within an existing grievance procedure may be sufficient, provided it explicitly allows individuals to raise concerns about the use of their personal data and ensures those concerns are handled in line with the statutory requirements. The key consideration is not the format of the process, but whether it is accessible, clearly communicated, and capable of meeting the obligations to acknowledge, investigate and respond to complaints without undue delay.

This framework represents a clear shift away from the ICO being the starting point for complaints. Instead, employers must now demonstrate that they have effective internal systems in place to receive, manage and resolve concerns. In practical terms, this means having a clearly defined process, ensuring that it is communicated to staff and other individuals, and being able to evidence how complaints are handled in practice. The ICO has emphasised that organisations should make their complaints procedures easy to locate and understand, for example by including them within privacy notices or internal policies.

For employers, the implications are both operational and cultural. There is likely to be an increase in the number of concerns raised internally, particularly as employees become more aware of their rights. This places greater responsibility on HR teams, managers and anyone handling personal data to recognise potential complaints and respond appropriately. Training will be essential to ensure that staff understand what a data protection complaint looks like and how to escalate it. In addition, organisations should review their existing processes to confirm that they allow for complaints to be raised through different channels and that they provide a clear route for investigation and response.

Another key consideration is record-keeping and accountability. Employers should ensure they maintain clear records of when complaints are received, how they are assessed, what steps are taken during the investigation, and how and when outcomes are communicated. This is particularly important because failure to comply with the complaints-handling requirements may itself constitute a breach of data protection law. In other words, even if the original concern is unfounded, an organisation could still face regulatory scrutiny if it does not handle the complaint properly.

The ICO has published detailed guidance to support organisations in meeting these new obligations, offering practical advice on designing and operating a compliant complaints handling process. The guidance makes clear that organisations must have a process in place and that there are no exemptions from this requirement. It also provides flexibility in how this is achieved, recognising that businesses may adapt existing complaint systems rather than introducing entirely new frameworks.

How to deal with data protection complaints | ICO

In conclusion, the introduction of a statutory right to raise data protection complaints directly with employers represents a meaningful change in the UK’s regulatory landscape. It reflects a broader expectation that organisations take ownership of data protection issues at an early stage and deal with them effectively. For employers, this is not simply a matter of legal compliance but also an opportunity to build trust and transparency with employees by demonstrating that concerns are taken seriously and handled fairly.

More Posts

2026 Annual Awards Photos

Scottish Engineering Annual Awards 2026 Please contact us on 0141 221 3181 or email Aine MacKellar for high-resolution versions of these photos. Photo credit: Guy