Tue 30 Jun 2026

New Data Protection Complaints Requirements for Employers

The new requirements are intended to both reduce the regulatory burden on the Information Commissioner's Office ("ICO") and make the process of raising complaints faster for complainants.

The Data (Use and Access) Act 2025 introduces a new requirement for organisations that process personal data to implement formal procedures enabling individuals to raise data protection complaints directly with the organisation before the matter is escalated to the ICO. For employers, this means that employees should have a clear and accessible way to raise concerns about how their personal data has been collected, used, stored or shared. The requirements came into force on 19 June 2026.

The new regime

Under the new regime, employers are expected to implement procedures enabling individuals to make a "data protection complaint". This is a broad concept, including infringements relating to subject access requests, security measures used to store information, the use of monitoring technologies and how personal information is collected or used, to name a few.

If an organisation is unsure whether someone is making a data protection complaint, it should ask them to clarify.

The new requirements include obligations to:

  • Facilitate the making of data protection complaints, including providing an accessible means of submitting them.
  • Acknowledge complaints within 30 days of receipt.
  • Take appropriate steps to investigate and respond to complaints without undue delay.
  • Inform complainants of the outcome of the complaint without undue delay.
  • Maintain adequate records.

It is not necessary to set up a new procedure if there is an existing one that may be adapted. However, a complaint can be raised in any form and there is no obligation to follow the formal procedure. When a complaint is made, it must be accepted.

Guidance

The Information Commissioner's Office has published guidance, How to Deal with Data Protection Complaints, that sets out what needs to be done to meet the new requirements. This guidance confirms that employers must tell people of their right to complain at the point personal information is collected and when responding to a subject access request.

What should employers be doing?

If they have not already done so, employers should begin by reviewing existing data protection and employee relations procedures. In particular, employers should consider whether their current policies and employee privacy notices clearly explain how data protection complaints can be raised and how they will be handled, and whether appropriate systems are in place to record and monitor complaints.

Employers will need to ensure relevant staff can recognise a data protection complaint and know how to respond if they receive one. Given the breadth of possible complaints and the numerous different ways in which complaints can be made, employers should consider whether HR and management teams require training on the new requirements and the procedure that has been put in place.

A clear, documented process, whether new or adapted, will not only assist with compliance but may also help resolve issues quickly before they develop into formal regulatory complaints.

Our data protection team can assist employers with training, updating privacy notices and policies and preparing complaints procedures.
