Data Protection Complaints: What Employers Must Do

Data Protection Complaints What Employers Must Do

Introduction

From 19 June 2026, every UK employer has a new legal duty to handle data protection complaints. Individuals can now complain directly to your business about how you handle their personal information, and you must have a process to receive, investigate and respond to them. The duty comes from the Data (Use and Access) Act 2025.

Many businesses already know GDPR and subject access requests (DSARs). This is not more of the same. It is a new duty, separate from those rules, and it needs to be taken just as seriously.

This applies to businesses of every size. Many smaller employers assume data protection duties only apply once they reach a certain size. They do not. The Information Commissioner's Office (ICO) is clear there are no exemptions: if you process personal data, you need a complaints process. If you employ even one person, this applies to you.

Who can complain, and who hears it first

The right is not limited to your staff. Any individual whose personal data you hold can complain, which includes customers, clients, suppliers and job applicants as well as employees. That said, for most employers the workforce is where a complaint is most likely to surface first.

That puts HR and managers on the front line. If you employ people, you probably already deal with employees asking for the data held on them, often when a dispute is brewing. A data protection complaint is a step beyond that: instead of "show me what you hold", it says "you have not handled my information properly". Your managers are likely to be the first to hear it, which makes it a people and management issue as much as a technical one.

What has changed?

Before 19 June 2026, an individual who believed their data had been mishandled could complain to the ICO. Many organisations also dealt with concerns informally when employees or customers raised them. There was, however, no specific legal requirement to run a formal data protection complaints process.

That position has now changed. Individuals have a statutory right to complain directly to the data controller, which includes their employer, about how their personal data is processed. Alongside that right, your business must have appropriate procedures to handle those complaints. The existing route of complaining to the ICO still stands, but the aim is to encourage people to raise concerns with you first.

What employers can expect

The change reflects a wider goal: to have organisations resolve concerns directly, before they reach the regulator. For employers, the practical effect is straightforward. As awareness of the new right grows, you can expect more employees to question how their personal data is collected, shared, monitored and kept.

In the past, concerns like these mostly surfaced during a dispute. The new right may change that. You could hear from employees who are not in any dispute at all, but who simply want to know what you are doing with their data, and some of those questions will become complaints. A clear process helps you deal with them well, and reduces the chance of a concern escalating to the ICO.

What counts as a data protection complaint?

A complaint does not need to be formal. According to ICO guidance, a person does not have to mention UK GDPR, quote the legislation, or even use the word "complaint" for your duties to apply. They simply need to suggest that you have handled their personal information improperly.

In practice, that means everyday comments may count. For example:

  • "I don't think you should be using my information like that."
  • "Why has that been shared with other people?"
  • "I don't think you've handled my data properly."

Each of these could trigger your obligations. As a result, managers and HR teams need to stay alert during routine conversations, investigations, exit interviews and performance discussions. In an employment setting, the concerns raised often touch monitoring, references, how long records are kept, or who has had sight of someone's file.

When a concern is not a complaint

There is an important distinction to keep in mind. A concern only counts as a data protection complaint when it is about how personal data has been handled. If an employee raises a grievance about a workplace issue and, separately, asks for copies of their data, the grievance itself is not a data protection complaint. Where you are unsure, the ICO advises you to ask the person to clarify what they mean.

What employers must now do

The ICO lists four core duties. You must:

  • give people a clear way to make a data protection complaint;
  • acknowledge a complaint within 30 days of receiving it;
  • take appropriate steps to investigate and respond without undue delay, keeping the person informed; and
  • tell the person the outcome once you have finished.

You also need to explain the right to complain in your privacy notices, and keep records of the complaints you receive and how you dealt with them. None of this necessarily requires a brand new system. In many cases you can build it into your existing complaints, HR or privacy procedures, provided those clearly explain how someone can raise a concern.

One point deserves particular attention. A failure to follow these procedural steps can itself be a breach of data protection law, regardless of whether the original complaint turns out to be justified. Put simply, mishandling the process is a problem in its own right.

How is this different from a subject access request?

Many employers already handle Data Subject Access Requests (DSARs), but a complaint is a different thing. A DSAR is a request for access to personal data. The person is asking, in effect: "What information do you hold about me?"

A data protection complaint, by contrast, is about how that information is being used, shared, retained or otherwise processed. Here the person is saying: "I don't think you're handling my information properly." The two can overlap, but they are separate rights with separate obligations. For more on the access side, our guide to DSARs and employee data requests explains how to respond to those.

What employers should do now

The new regime is a good prompt to review your data protection arrangements before a complaint arrives. Practical steps include:

  1. Review your privacy notices and data protection policies, and add the right to complain.
  2. Update your complaints and grievance procedures so they cover data protection concerns.
  3. Set up a clear internal escalation route, so staff know who to pass a concern to.
  4. Train managers and HR to recognise a data protection complaint when they hear one.
  5. Keep records of complaints received and how you handled them.
  6. Decide who is responsible for investigating, so nothing slips through.

It is also worth checking whether your current complaint-handling process can actually meet the 30-day acknowledgement and the duty to respond without undue delay. If it cannot, now is the time to put that right.

How we can help

Getting this right is mostly about good process and well-briefed managers, and that is where outside HR support earns its place. Bespoke HR can review and update your HR policies and procedures and privacy notices so they reflect the new duty, and bring your grievance procedure into line with the complaints process. We can also train your managers to spot a data protection complaint early and handle it calmly, which is often where these situations go wrong.

If you would rather have experienced people on hand when a difficult complaint comes in, our ongoing HR support for SMEs gives you that backing without the cost of an in-house team. Whatever the size of your business, we can help you put a proportionate process in place and keep it working.

Final thoughts

The new complaints duty looks modest on paper, but it shifts where data protection sits day to day. From now on, an offhand remark about personal information can carry legal weight, and the response needs to be documented. Treat these complaints much as you would a grievance: take them seriously, follow a clear process, and keep a record. Put that in place now, and you will handle these concerns with confidence rather than scrambling when the first one arrives.

Frequently asked questions

When did the new data protection complaints rules come into force?

The rules apply from 19 June 2026, under the Data (Use and Access) Act 2025. They cover complaints your business receives on or after that date.

Does this apply to small businesses?

Yes. The ICO has confirmed there are no exemptions. Any organisation that processes personal data must have a data protection complaints process, whatever its size.

Who can make a data protection complaint?

Anyone whose personal data you process. That includes your employees, but also customers, clients, suppliers and job applicants. The right is not limited to your staff.

How quickly must we respond to a data protection complaint?

You must acknowledge a complaint within 30 days of receiving it. You must then investigate, respond and tell the person the outcome, all without undue delay.

What counts as a data protection complaint?

It is any time someone suggests you have mishandled their personal information. They do not need to mention the law, quote UK GDPR or call it a complaint. If you are unsure, ask them to clarify.

Is a grievance the same as a data protection complaint?

Not automatically. A grievance only becomes a data protection matter when it concerns how personal data has been handled. A workplace grievance raised alongside a data request is not, by itself, a data protection complaint.

How is a complaint different from a subject access request?

A subject access request asks what data you hold about a person. A complaint challenges how you have used, shared or stored it. They are separate rights with separate duties.

What happens if we get the process wrong?

Failing to follow the required steps can itself breach data protection law, even where the original complaint was not justified. That is why a clear, documented process matters.

Can individuals still complain to the ICO?

Yes. The right to complain to the ICO remains. The new rules are designed to encourage people to raise concerns with your business first.

Written by:

Ian King
Company Director - Since 2005, Ian has co-owned Bespoke HR with Alison, the company’s founder. In 2012, he became Company Director and gradually focused more of his time on the business, and has now transitioned fully to Bespoke HR. He applies his technical and business experience to help manage and grow the company, focusing on finance, marketing, commercial strategy, IT, and process improvement and automation.