
Not every data protection concern arrives on your desk labelled as one.

From 19 June 2026, new rules under the Data (Use and Access) Act 2025 mean organisations must make it easier for individuals to complain directly about how their personal data is being handled.

This legislation may be new, but the trend isn’t. Employees are already using data protection rights more frequently in workplace disputes, and AI is making it easier than ever to produce sophisticated complaints in seconds.

That means employers are likely to see more complaints, and more sophisticated ones, along with greater scrutiny of how they’re handled. The good news? For most organisations, this doesn’t require an overly complicated process.

Denise Almeida, Legal Adviser and data protection expert, shares her thoughts on how a few sensible updates to your policies, procedures and training will usually be enough.

What’s changed for data protection complaints?

Organisations now have a positive obligation to manage data protection complaints internally. In practice, employers must:

  • provide a way for individuals to raise data protection complaints;
  • acknowledge complaints within 30 days;
  • investigate and respond without undue delay; and
  • tell the individual the outcome without undue delay.

Importantly, employees don’t have to use legal terminology or even call something a “data protection complaint”. A simple, real-world comment like “I don’t think you should be using my data in that way” could be enough to trigger your obligations.

That’s why it’s important that managers and people teams know how to recognise these concerns before they’re inadvertently treated as something else.

What could amount to a data protection complaint?

A complaint could relate to almost any aspect of how personal information is handled, including:

  • how a subject access request (SAR) has been dealt with;
  • delays or refusals to comply with an erasure request;
  • the use of employee, worker or applicant data;
  • workplace monitoring or CCTV;
  • AI or automated decision-making;
  • inaccurate personal data;
  • data breaches; or
  • personal information being shared with the wrong person.

Many of these issues won’t arrive with a neat ‘data protection complaint’ label attached. They’ll often land with your people team, payroll, managers or IT as what appears to be a general complaint or workplace concern. If those teams don’t recognise what’s really being raised, there’s a risk the organisation misses its legal obligations before the clock has even started.

Why does this matter for employers?

In our experience, data protection complaints rarely exist in isolation. They often overlap with wider workplace issues, including:

  • grievances;
  • disciplinary processes;
  • whistleblowing concerns;
  • discrimination complaints;
  • subject access requests; and
  • Employment Tribunal claims.

At the same time, AI is changing how employees approach workplace disputes. Rather than sending a short email raising a concern or having a conversation, individuals are increasingly using AI tools to generate detailed complaints that reference legislation and ICO guidance and raise multiple issues at once.

That doesn’t necessarily mean the complaints have more legal merit, but they can take significantly more time to assess and respond to. Having a clear internal process will help employers deal with concerns consistently before they escalate to the ICO or become part of wider litigation.

Top tip – don’t overcomplicate it!

The legislation refers to an electronic complaints form as one example of how organisations might receive complaints, but it doesn’t require employers to build an elaborate new system. For most organisations, a more proportionate approach will be enough. We’d recommend including a dedicated section within your data protection policy explaining:

  • how individuals can raise a data protection complaint;
  • who complaints should be sent to;
  • how they’ll be acknowledged;
  • how they’ll be investigated; and
  • how the outcome will be communicated.

Keeping this separate from your grievance procedure will also help staff understand the difference between:

  • a workplace grievance;
  • a subject access request;
  • a data protection complaint; and
  • a report of a personal data breach.

Simple, clear processes are far more likely to be followed consistently than lengthy procedures that nobody remembers.

Practical steps for employers to take now

Update your data protection policy – Include a dedicated section explaining how individuals can raise concerns and how they’ll be handled.

Review your privacy notices – Privacy notices should explain that individuals can complain directly to your organisation before escalating concerns to the Information Commissioner’s Office.

Train people teams, managers and frontline staff – The biggest risk isn’t failing to investigate a complaint, it’s failing to recognise one in the first place. Staff should understand what a data protection complaint looks like, even where the individual doesn’t describe it as such, and know where to escalate it.

Review your template correspondence – Update template responses for subject access requests, erasure requests, rectification requests and data breach correspondence so they signpost the internal complaints process where appropriate.

Keep a complaints record – Maintain a record of complaints received, what was investigated, the outcome and any action taken. This will help demonstrate compliance if your processes are ever scrutinised.

How can we help?

Our Data Protection Toolkit includes practical guidance on identifying and managing data protection complaints, together with template policies, wording and response documents to help employers deal with issues consistently and efficiently.

We also provide practical training for HR teams, managers and staff so they can recognise data protection complaints early and respond appropriately before issues escalate.

If you’d like support reviewing your data protection documentation, updating your processes or training your teams, get in touch.

This update is accurate on the date it was published but may be subject to change which may or may not be notified to you. This update is not to be taken as advice and you should seek advice if anything contained within affects you or your business.