In data-driven workplace environments, employees are keen to understand how employers use their personal data. The Data (Use and Access) Act 2025 (DUAA) has introduced a statutory requirement for data controllers, including employers, to operate a data protection complaints process. Individuals now have a corresponding new right to complain directly to a controller when they believe the controller has infringed its obligations under the UK GDPR in respect of their personal data. This new “right to complain” is additional to existing individual rights such as the right to access personal data, and this change comes at a time when data protection issues are becoming increasingly intertwined with grievances, whistleblowing complaints, and employment tribunal claims.
The deadline for implementing a complaints process was 19 June 2026, but the good news for any organisation not across this deadline is that they may be able to use many of their existing complaints-handling tools for this purpose.
The DUAA requires organisations to:
As employees make greater use of data subject access requests (DSARs) in the context of grievances and tribunal litigation, data protection rights are playing a more prominent role in workplace disputes.
While the practical impact of this new requirement remains to be seen, establishing a robust internal complaints process could give employers an opportunity to identify and resolve data protection concerns quickly before positions become entrenched. This may reduce the likelihood of complaints being escalated to the Information Commissioner’s Office (ICO) or raised in the context of tribunal proceedings.
The ICO has made clear that it will generally expect individuals to use an organisation’s complaints process before seeking regulatory intervention, giving employers a genuine chance to remedy any issues at an early stage.
Employers should take immediate steps to do the following:
Although the new complaints process is procedural, employers should not underestimate its significance. Organisations that can identify and resolve concerns quickly are likely to reduce regulatory risk, improve employee trust, and be better placed to manage workplace disputes involving data protection complaints. For a detailed analysis of the new statutory requirements and practical compliance steps, please refer to our article.