The Data (Use and Access) Act 2025: A new complaints regime employers cannot afford to ignore

Unless you frequent data protection or privacy circles, you may have no idea what The Data (Use and Access) Act 2025 (“DUAA”) is. To catch you up quickly, it’s UK legislation that received royal assent last year and is aimed at updating digital information and data protection regulations to promote innovation and economic growth.

The DUAA does a variety of things but a potentially significant change for employers came into effect on 19 June 2026. In short, all data controllers (which means all employers) are now subject to a new and potentially important procedural obligation: the requirement to have a formal process for handling data protection complaints.

At first glance, the change may appear relatively modest. In practice, however, it introduces a new statutory right for employees, workers and former employees to raise data protection complaints directly with their employer, together with corresponding obligations on organisations to investigate and respond appropriately.

For employers already grappling with increasing numbers of data subject access requests (“DSARs”), grievances, whistleblowing and data breach concerns (invariably generated on the fly by the AI platform of choice), this is another compliance process that needs to be built into existing HR and data protection frameworks.

The new regime is intended to encourage individuals to raise concerns with the relevant data controller before escalating matters to the Information Commissioner’s Office (“ICO”). Presumably this is to reduce the burden on the regulator, although the capacity of employers to cope with a further complaints process is highly questionable.

The rules require data controllers to introduce a clear mechanism through which individuals can make data protection complaints directly to the organisation. For employers, this means reviewing employee privacy notices and ensuring they expressly explain:

  • that employees and former employees have the right to make a data protection complaint directly to the organisation; and
  • how they can do so, including providing a clear point of contact such as a dedicated email address.

Many employee privacy notices already explain how individuals can contact the organisation regarding their personal data. However, the new requirements go further. Employers should ensure that privacy notices expressly refer to the right to complain and make the relevant process easy to find and use.

One of the most prescriptive aspects of the new regime is the requirement to acknowledge receipt of a complaint within 30 days.

This may sound straightforward, but organisations will need to ensure complaints are properly identified when they arrive. Employees will not necessarily label correspondence as a “data protection complaint”. A complaint about monitoring, retention of HR records, disclosure of personal information or handling of a DSAR could all potentially fall within scope.

As with DSARs, employers should ensure that HR teams, line managers and anyone likely to receive employee correspondence understand when an issue needs to be escalated to the organisation’s data protection lead or legal/compliance function.

Acknowledging the complaint is only the beginning. The legislation requires organisations to take appropriate steps to investigate complaints, make reasonable enquiries and keep complainants informed of progress, before ultimately communicating the outcome without undue delay.

The extent of any investigation will depend on the nature of the complaint. Some matters may be capable of swift resolution. Others may require a more detailed review of internal systems, historic decision-making, data retention practices or third-party disclosures.

This is where employers should be cautious about treating complaints as a mere administrative exercise. Just as with a regular employment grievance (such as a complaint of discrimination or harassment), a poorly handled investigation may create additional risk, particularly where the complaint touches on wider employment issues such as less favourable treatment, whistleblowing concerns, or internal processes such as flexible working requests or disciplinaries.

Obtaining legal advice at an early stage can help employers assess the underlying complaint, preserve privilege where appropriate and ensure that any response is both legally compliant and strategically sound.

The ICO’s guidance confirms that organisations should take steps to verify the identity of complainants before disclosing information or discussing matters that involve personal data.

Employment-related complaints will often be easier to manage than customer-facing complaints in this regard. Current employees can usually be verified through existing employment records, while former employees can often be verified using personal contact details already held on file.

That said, employers should still apply a degree of caution. As with DSARs, organisations should be satisfied that they are corresponding with the correct individual before discussing personal data or providing detailed responses.

Perhaps the most important point for employers is understanding the policy objective behind the new regime.

The Government and the ICO are seeking to encourage organisations to resolve data protection concerns themselves, rather than forcing individuals to go straight to the regulator. The obvious consequence is that employers who fail to engage properly with complaints may find themselves facing not one issue but two.

An employee may complain to the ICO about the underlying data protection concern. They may then separately complain that the employer failed to comply with its statutory obligations to acknowledge, investigate and respond to the complaint appropriately. In other words, a poor complaints process can become a regulatory issue in its own right.

While it remains to be seen how robustly the ICO will enforce these new provisions in practice, it is difficult to imagine the regulator taking a favourable view of organisations that fail to implement even the most basic complaint-handling procedures, particularly given that the new framework has been introduced specifically to reduce unnecessary regulatory escalation.

With the new requirements now in force, employers should consider taking the following steps:

  • review and update employee privacy notices;
  • establish a dedicated route for data protection complaints to be submitted;
  • ensure HR and management teams understand how to identify and escalate complaints;
  • create a documented process for acknowledgement, investigation and response;
  • align complaint handling procedures with existing grievance, whistleblowing, DSAR and data breach processes; and
  • ensure appropriate legal support is available for more complex or high-risk complaints.

As with many data protection developments, organisations that prepare early are likely to find compliance relatively straightforward. Those that do not may discover that what starts as a simple employee concern quickly develops into a more complicated engagement with the ICO.

If you would like advice on updating your employee privacy notices, designing a complaints-handling process or responding to a data protection complaint, Wiggin’s Employment and Data teams would be happy to help.