As of 19 June 2026, data controllers – including employers – must have a data protection complaints process that meets the requirements set out in the Data (Use and Access) Act 2025 (DUAA 2025). In connection with this, the Information Commissioner’s Office (the ICO) has published guidance on dealing with data protection complaints. In this briefing, we summarise the key points from the guidance from the perspective of employers handling staff data protection complaints.
What are “data protection complaints”?
Where an employee considers that you have breached data protection law because of the way you have handled their personal data, they may raise a data protection complaint. This could cover things like:
- the way you have responded to a data subject access request (a DSAR);
- the security measures used to store their personal data; or
- how their personal data has been used.
However, where an employee is complaining about other matters, alongside exercising their data protection rights, this will not count as a “data protection complaint”. For example, an employee may raise a grievance about discriminatory treatment and submit a DSAR alongside it – the grievance is not a data protection complaint and nor is the DSAR (although if the DSAR is mishandled this could lead to a data protection complaint later on).
Employers also need to be mindful that grievances may contain a mix of complaints about both employment and data protection matters. Where this is the case, you will need to take care to deal with the data protection element in line with the DUAA 2025 and the ICO’s guidance. In particular, data protection complaints must be concluded without undue delay. For example, where the data protection complaint is bound up in a lengthy grievance about multiple employment matters, you may prefer to respond to everything in one go. However, if the data protection complaint could be resolved sooner, then you must do this.
The guidance also provides that where you are uncertain about whether an individual is raising a data protection complaint, you should ask them to clarify. Although this is not a strict legal requirement, the ICO says it expects data controllers to do this where needed, unless they have a good reason not to.
How should you prepare to handle data protection complaints?
In terms of preparation, there are several key parts of the guidance for employers to consider.
- Give staff a way to complain to you: the first step is to make sure there is a channel available for receiving data protection complaints. The guidance says that, for example, a form (electronic or paper), email address, phone line, online portal, live chat, or even an in-person option would all satisfy this obligation.
- Tell staff they can complain: you must inform staff that they can complain to you about data protection matters (and to the ICO). At the very least, this should be done at the point of collecting personal data (e.g. via a privacy notice using clear and plain language) and when responding to a DSAR.
- Consider a written complaints procedure: this is not a requirement, but the guidance says employers could adopt a written complaints procedure which makes it clear how to complain and what to expect. However, the guidance also underlines that employers do not need to reinvent the wheel: existing written procedures (e.g. a privacy notice or grievance procedure) may be adapted to address data protection complaints. Some employers may decide to keep things simple and deal with data protection complaints through existing grievance procedures; however, there are some potential downsides to doing this. For example, employee grievances tend to be dealt with by line managers, HR and, sometimes, in-house employment lawyers. Yet a data protection complaint may require specialist data protection input, for example, from a Data Protection Officer, information governance specialists and/or IT teams. The danger is that the complaint is treated purely as an employee relations issue and important data protection compliance considerations are missed. Therefore, you should consider the best approach and, where a single channel is chosen, take steps to ensure that data protection complaints are dealt with carefully and with input from appropriate stakeholders.
- Consider if there are other legal frameworks and obligations to comply with: as discussed above, data protection complaints will often overlap with other issues, such as employment or whistleblowing complaints. If you are handling the data protection element alongside other issues, you should not hold back resolution of the complaint so as to deal with everything in one go. If you are able to resolve the data protection complaint more quickly, then you must do so.
- Train relevant staff about data protection complaints: you will need to decide who handles these complaints. Crucially, staff who receive complaints should know how to spot a data protection complaint and where to escalate it. A data protection complaint could arise in a grievance, disciplinary concern, a flexible working request, or even in an ordinary email or message. Therefore, line managers and HR are likely to need data protection training.
What should you do when you receive a complaint?
Once a data protection complaint has been received, an employer should consider the following points.
- Acknowledge the complaint: you must acknowledge receipt of a data protection complaint within 30 days. The purpose of the acknowledgement is simply to confirm that the complaint has been received and will be investigated. The way the acknowledgement is given can reflect how the complaint was made, such as by email, letter, phone, or another method, provided it is appropriate in the circumstances. A record of the acknowledgement should also be kept to demonstrate compliance with the timeframe. The 30-day period begins the day after the complaint is received, and if the final day falls on a weekend or public holiday, the deadline moves to the next working day.
- Gather the information: the next step is to begin gathering all relevant information needed to assess the complaint properly. This involves reviewing the facts carefully, speaking to relevant members of staff, and comparing what has been said in the complaint with your own records. You should also check whether you have complied with your own policies and procedures. If the complaint is unclear (which is a possibility where complaints have been generated using AI tools), you should seek clarification as soon as possible so that you can identify what needs to be investigated. It may also be helpful to ask the employee what outcome they are seeking, as this may allow the matter to be resolved more quickly.
- Investigate the complaint without undue delay: you must begin your investigation as soon as you receive the complaint. You should not wait for the 30-day acknowledgement window to lapse. The investigation must be carried out without “undue delay”, meaning there must be no unjustifiable or excessive postponement. However, there is no fixed timeframe for completing an investigation since what is reasonable will depend on the complexity of the issues raised, the scale of the complaint, and whether the complainant is experiencing harm that may be ongoing while the matter is unresolved. You must ensure that the level of investigation carried out is appropriate and proportionate to the circumstances and be prepared to justify the approach taken.
- Keep people informed: throughout the investigation, you must keep the employee informed of progress without undue delay. This may mean providing updates on the status of the investigation, expected timeframes, and any delays that arise, rather than detailing every investigative step taken. If the investigation is likely to take some time, you should ensure that the employee knows it is being dealt with, and it may be helpful to provide a point of contact for queries.
- Record your actions: you should keep a clear record of the entire process, including when the complaint was received, how and when it was acknowledged, any relevant discussions and documents, the outcome of the complaint, and any actions taken as a result. These records act as evidence that you have complied with your obligations and may be requested by the ICO. However, personal data related to complaints must not be retained for longer than is necessary.
What should you do when you have finished your investigation?
- Provide an outcome: once the investigation is complete, you must provide the employee with an outcome without unjustifiable or excessive delay. You should explain what you have done to resolve the complaint and any actions taken as a result. Importantly, you should provide enough information to allow the employee to understand how you have reached your conclusion. If the employee is unhappy with the outcome, the guidance suggests providing more details or offering a review process. The guidance also provides that it is good practice to tell the employee again at this stage that they have the right to complain to the ICO and provide their contact details.
- Review the lessons learned: once you have provided an outcome, you should review what happened and consider if there is anything you can learn or improve on to prevent future complaints.
What are the consequences of failing to respond to a complaint?
The potential consequences of failing to comply with the new data protection complaint requirements include:
- Monetary penalties: the ICO may impose a monetary penalty on controllers who fail to comply with the new complaint-handling obligations. The maximum penalty is £17.5 million or 4% of total annual worldwide turnover, whichever is higher.
- Complainant escalation to the ICO: the complainant can escalate their complaint directly to the ICO, which must then investigate.
- ICO enforcement action: the ICO can issue information notices, assessment notices, enforcement notices, and conduct investigations into complaint-handling practices.
- Legal claims: individuals who suffer material or non-material damage (including distress) as a result of data protection breaches have the right to claim compensation from the data controller.
ICO Guidance: How to deal with data protection complaints
BDBF is a leading employment law firm based at Bank in the City of London. If you would like to discuss any issues relating to the content of this article, please contact Amanda Steadman (AmandaSteadman@bdbf.co.uk), Rose Lim (RoseLim@bdbf.co.uk) or your usual BDBF contact.