From 19 June 2026, a new statutory right for data subjects to complain directly to data controllers applies under the Data (Use and Access) Act 2025 (DUAA).

Data subjects can already do this, but this places it on a legal footing for the first time, and complainants must raise any issues with the controller in the first instance, before escalating it to the ICO, if necessary. This right applies to all data subjects and all data controllers – so there are implications for many organisations.

In this article we focus on the effect on employers, exploring how the new right to complain will affect a typical employment dispute, adding our observations, recommendations and insights as to how you can be more resilient and prepared for this new challenge.

The employment issue crystallises through a grievance

DSARs and grievances are distinct legal mechanisms serving different purposes, but they frequently interact in the employment context. Understanding that intersection is critical to managing risk effectively.

Over time, there has been a significant rise in the volume and complexity of grievances. A key recent factor is employee use of generative AI models, making grievances more frequent, more complex and usually much lengthier.

Employers should therefore approach these with much more caution and cut through the length to get to the real facts and the issues. With the rise in grievances, we expect more DSARs and complaints flowing from them to follow.

The impact of the Employment Rights Act 2025

Three key reforms under the Employment Rights Act 2025 (ERA 2025) will significantly affect the grievance, DSAR and claims landscape.

Firstly, the extension of the Employment Tribunal claim filing time limit from three months to six months gives employees a longer window in which to submit DSARs during early conciliation and before filing a claim. This increases the likelihood that DSARs and ACAS processes will run concurrently.

Secondly, the reduction in the qualifying period for unfair dismissal claims means more employees will have statutory protection from an earlier stage of employment, expanding the pool of employees with standing to bring claims and, consequently, with incentives to deploy DSARs tactically for their advantage.

Thirdly, the removal of the statutory cap on unfair dismissal compensation creates higher financial exposure for employers if disputes are not resolved, giving employees greater leverage and making DSARs a more attractive tool in their dispute strategy toolkit.

We expect to see a significant increase in the volume and frequency of DSARs in the employment context due to the cumulative effect of these reforms.

Protecting your position in DSARs: Privilege and Third-Party privacy

Given that a grievance is highly likely to accompany a DSAR and, in future, a complaint under the new statutory right to complain, employers need to consider how to address this. Two key areas demand particular attention.

Legal Professional Privilege

Employers should apply legal professional privilege properly in the grievance context and utilise this valid exemption only where the test for privilege is met.

For example, investigations by external third parties (including lawyers acting in an open investigatory manner) are sometimes conducted on an open basis, and the resulting reports are not always protected by legal privilege. It is therefore important to be clear at the outset of an investigation about whether privilege will apply, so as to understand whether the report might need to be disclosed to the employee further down the line.

Third Party Personal Data

Employers also need to consider whether information about third parties might later become disclosable under a DSAR or in tribunal proceedings. This often arises when taking witness statements from colleagues during a grievance investigation. An employer might choose not to disclose those statements because they have been obtained confidentially or because the witness has asked to remain anonymous. Before a DSAR and a complaint are made, an employer needs to consider whether the privacy of those third parties genuinely outweighs the employee's right to see information which is about them.

An employer does not have to disclose personal data in response to a DSAR to the extent that doing so would involve disclosing information relating to another individual, unless that individual has consented or it is reasonable to disclose without consent. How these rules apply depends heavily on context. Redacting the name of the third-party witness and other identifying information may enable the employer to provide at least some of the information sought without needing consent. However, it is important to remember that a third party may remain identifiable even after redaction by what they said or the way that they said it.

It is important to get this right, as an employee will likely complain about redactions or perceived failures to disclose and employers will need to feel confident in their position. We recommend that all redactions are accompanied in your internal records by relevant and specific reasoning, with reference to applicable exemptions. 

The DSAR Lands: Top handling tips

When a DSAR is received, employers need to manage it carefully with an eye to later scrutiny and challenge. For more information see our top tips for handling employment dispute DSARs and the differences between personal data released through a DSAR and Employment Tribunal disclosure requirements.

The new right to complain

At this point in the dispute, we expect complaints to be made, not least because the ICO guidance expects organisations to reference the right to complain back to the organisation in the DSAR response letter.

What has changed

Section 103 of the Data (Use and Access) Act 2025 inserts a new Section 164A into the Data Protection Act 2018, creating an express statutory right for data subjects to complain directly to the data controller if they consider that, in connection with personal data relating to them, there is an infringement of the UK GDPR or Part 3 of the DPA 2018. This provision comes into force on 19 June 2026 and there are no exemptions - all data controllers are required to assess and respond to the complaint. 

Under this new regime, data subjects will be expected to raise their complaint with the controller first, before escalating it to the ICO. This represents a fundamental change to the UK's complaint-handling landscape, creating an intermediate step between data subjects and potential regulatory intervention.

Statutory obligations on controllers

So what are a controller’s statutory obligations?

  • Facilitating complaints. Controllers must facilitate the making of complaints by providing an electronic complaint form and at least one alternative route (such as email, post, telephone, online portal, live chat or in person). Controllers must accept data protection complaints however they are received, including via social media or to any member of staff, even if the individual does not use the designated complaints channel.
  • Acknowledgement within 30 days. Controllers must acknowledge receipt of a data protection complaint within 30 days of receiving it. The 30-day period begins the day after receipt, regardless of whether that day falls on a weekend or bank holiday, and where the 30th day falls on a non-business day, the controller has until the next working day to issue the acknowledgement.
  • Investigation without undue delay. Controllers must, without undue delay, take appropriate steps to respond to the complaint, including making enquiries into the subject matter and keeping the complainant informed of progress. The ICO guidance clarifies that "without undue delay" means without unjustifiable or excessive delay, assessed by reference to the circumstances and the controller in question.
  • Communicating the outcome. Controllers must inform the complainant of the outcome without undue delay. Decisions must be communicated in plain, accessible language and the individual must be told of their right to escalate the matter to the ICO if dissatisfied.

ICO guidance

On 12 February 2026, the ICO published its How to deal with data protection complaints guidance, setting out what controllers must, should and could do to comply.

Lessons from the employment context

In practice, many data protection issues arise in everyday interactions such as HR queries, grievance processes, subject access requests or informal correspondence from employees. Under the new regime, organisations will need to be alert as to whether a particular communication amounts to a data protection complaint, a subject access request, or potentially both. If the employer is not sure whether someone is making a data protection complaint, the ICO guidance states that the employer should ask them to clarify. Where common issues emerge, employers should deploy lessons learned into their playbook or process.

Handling complaints: practical steps

Here are our practical steps to help ensure compliance:

  • Update privacy notices and DSAR response templates. These should now reference both the right to complain directly to the controller and the right to escalate to the ICO. The ICO expects this information to appear in privacy notices, in responses to DSARs and at the point of data collection.
  • Establish a formal written complaints process. This should cover receiving, acknowledging, investigating and communicating the outcome of data protection complaints, with clear internal ownership and escalation routes. Although the law does not expressly require a complaints handling policy, the ICO’s guidance places it as a “must do” obligation. It can be part of another complaints management process.
  • Train staff. Front-line, HR and operations teams should be trained to recognise data protection complaints - including those arising from DSAR responses - even when they are not labelled as such. Complaints can arrive through any channel, including social media, and to any member of staff.
  • Locate your previously created records. We referred above to record-keeping in relation to DSARs. These will be critical to review data protection complaints, so ensure that they are easily located and retrievable. 
  • Address each point of the complaint systematically. Cross-reference the original issue. Multiple rounds of complaints can be caused by not addressing all the points in one go. Consider using unique reference numbers on documents provided in the original DSAR response so there is a common reference system that both parties can use.
  • Be alert to AI-generated complaints. Verify every fact and authority cited. Take the complaint back to first principles - what does the UK GDPR actually require, not just what the data subject wants. Check that any facts or law cited in the complaint are correct and not an AI hallucination.
  • Know the ICO's enforcement posture. The ICO generally does not use its enforcement powers in relation to individual DSARs but prefers to provide guidance; it tends to leave the legal enforcement of individual rights to the courts. However, it does exercise its enforcement powers when there are systematic failings, such as absent policies and procedures, repeated complaints or large backlogs. The Court of Appeal in Delo v The Information Commissioner [2023] EWCA Civ 1141 confirmed that the ICO has broad supervisory discretion and is not obliged to reach a definitive decision on the merits of each DSAR complaint.
  • Anticipate escalation. The new right to complain to the data controller does not prevent the data subject from complaining to the ICO, and it can be expected that some data subjects will escalate to the ICO not only their substantive DSAR complaint but also any dissatisfaction with how the complaints process has been handled by the data controller. Data subjects may also enforce their right of access through the courts by applying for a court order requiring compliance or seeking compensation. We predict an uptick in more serious DSARs being taken to court, given that data subjects will likely be unsatisfied by the complaint process and/or ICO involvement.
  • DUAA introduces a new court review mechanism. Section 104 of DUAA (inserting Section 180A DPA 2018) provides a mechanism allowing material which is in the scope of a DSAR to be disclosed to the court (not all parties) for it to review the merits of whether it should be disclosed, redacted or withheld by the controller when responding to the DSAR. The court could therefore order specific disclosure having seen the actual materials.

Looking ahead

The introduction of the statutory right to complain, combined with the reforms under ERA 2025 and the proliferation of AI-assisted grievances and complaints, means that employers face a significantly more complex landscape. The number of issues raised is likely to increase, with multiple overlapping processes running concurrently - creating what might be described as a "boomerang effect" for employers.

The key to managing this effectively lies in preparation: establishing robust complaints processes, training staff, maintaining meticulous records and co-ordinating across employment and data protection teams. Employers who invest in these foundations now will be far better placed to withstand scrutiny from employees, the ICO and the courts alike. Our Data, Privacy & Cyber and Employment teams are ready to help with any employment issue, DSAR, complaint or any other rights request which may arise during employment proceedings.