The Data (Use and Access) Act 2025 introduces a new requirement for organisations that process personal data to implement formal procedures enabling individuals to raise data protection complaints directly with the organisation before the matter is escalated to the ICO. For employers, this means that employees should have a clear and accessible way to raise concerns about how their personal data has been collected, used, stored or shared. The requirements came into force on 19 June 2026.
The new regime
Under the new regime, employers are expected to implement procedures enabling individuals to make a "data protection complaint". This is a broad concept, including infringements relating to subject access requests, security measures used to store information, the use of monitoring technologies and how personal information is collected or used, to name a few.
If an organisation is unsure whether someone is making a data protection complaint, it should ask them to clarify.
The new requirements include obligations to:
- Facilitate the making of data protection complaints, including providing an accessible means of submitting them.
- Acknowledge complaints within 30 days of receipt.
- Take appropriate steps to investigate and respond to complaints without undue delay.
- Inform complainants of the outcome of the complaint without undue delay.
- Maintain adequate records.
It is not necessary to set up a new procedure if there is an existing one that may be adapted. However, a complaint can be raised in any form and there is no obligation to follow the formal procedure. When a complaint is made, it must be accepted.
Guidance
The Information Commissioner's Office has published guidance, How to Deal with Data Protection Complaints, that sets out what needs to be done to meet the new requirements. This guidance confirms that employers must tell people of their right to complain at the point personal information is collected and when responding to a subject access request.
What should employers be doing?
If they have not already done so, employers should begin by reviewing existing data protection and employee relations procedures. In particular, employers should consider whether their current policies and employee privacy notices clearly explain how data protection complaints can be raised and how they will be handled, and whether appropriate systems are in place to record and monitor complaints.
Employers will need to ensure relevant staff can recognise a data protection complaint and know how to respond if they receive one. Given the breadth of possible complaints and the numerous different ways in which complaints can be made, employers should consider whether HR and management teams require training on the new requirements and the procedure that has been put in place.
A clear, documented process, whether new or adapted, will not only assist with compliance but may also help resolve issues quickly before they develop into formal regulatory complaints.
Our data protection team can assist employers with training, updating privacy notices and policies and preparing complaints procedures.