On 19 June 2026, under the Data (Use and Access) Act 2025, a new statutory right for employees and other individuals to raise data protection complaints directly with their employer, came into force.
Employees do not need to use legal terminology or even describe their concern as a ‘complaint’. A simple statement such as, ‘I don’t think you should be using my information in that way’, may trigger an employer’s obligations.
Organisations will be under a positive obligation to facilitate and manage data protection complaints. They must:
a. Give individuals a way of making data protection complaints to them;
b. Acknowledge complaints within 30 days of receipt;
c. Take appropriate steps to respond without undue delay; and
d. Inform the complainant of the outcome without undue delay.
Failure to comply could itself amount to a breach of data protection law. This new obligation represents a notable shift in responsibility. Previously, many data protection disputes went straight to the Information Commissioner’s Office (ICO).
Now, employers must demonstrate that they have effective systems for receiving, investigating and resolving concerns internally.