New mandatory rules for businesses to deal with a data complaint
1 July 2026 · By Oliver Tasker

The Data (Use and Access) Act 2025 introduces new data protection complaint handling obligations for UK employers. Here's what you need to know and what steps to take now.
From 19 June 2026, employers across the UK face a significant new legal obligation under the Data (Use and Access) Act 2025 (DUAA): a statutory right for employees and other individuals to raise data protection complaints directly with their employer. If your business processes personal data (virtually every employer does) then this applies to you.
What has changed?
The new right means individuals can now make a complaint if they believe the controller has infringed the UK GDPR when processing their personal data. This applies to every UK employer, regardless of size meaning that if you process personal data, you need a complaints process.
Most importantly, individuals do not need to use legal terminology or even use the word "complaint." A straightforward comment such as "don’t use my data that way" is enough to activate your obligations. This is similar to an employee not having to use the word “grievance” when raising issues at work.
What are employers required to do?
Organisations must provide at least one accessible way for individuals to submit data protection complaints, take appropriate steps to investigate without undue delay, keep complainants informed, and inform individuals of their right to complain in their privacy notices. Complaints must be acknowledged within 30 days of receipt.
Complaints must be accepted regardless of how they are submitted, including via social media. The right isn't limited to staff either, it covers customers, clients, suppliers and job applicants too.
Practical steps for employers to take now
To comply with the Data (Use and Access) Act 2025, employers should:
Update employee privacy notices to confirm the right to raise data protection complaints directly with the organisation – when did you last read your privacy notice?
Introduce a formal, documented complaints handling process. You may be able to tweak your current policies. Given all the changes this year through the Employment Rights Act 2025, now is the time to review all your policies.
Set up a clear internal escalation route so staff know who to pass a concern to. Who is responsible in your organisation?
Train managers and HR to recognise a data protection complaint when they hear one. You can incorporate this into wider line manager training and the good news is we can help with this.
Coordinate with the Data Protection Officer to ensure complaints are logged, tracked and resolved. Always have a paper trail.
What happens if you don’t comply?
Simply put, this could amount to a breach of data protection law. Beyond regulatory risk, complaints that escalate to the ICO can be time consuming and carry significant reputational damage, particularly for smaller businesses where trust is everything.
Get Expert Employment Law Advice
Navigating data protection compliance alongside your day-to-day employment law obligations isn't straightforward. At Impact Employment Law, we help businesses put the right policies, procedures and training in place, so you're protected before a complaint ever arises.
Whether you need help reviewing your privacy notices, updating your grievance procedures, or training your managers to handle data protection concerns correctly, we're here to help.
Get in touch with Oliver Tasker today:
📞 Call: 01522 776270
✉️ Email: oliver@impactemploymentlaw.co.uk
Impact Employment Law Limited — Advice. Protection. Impact.
