
New employee data protection right introduced into law

Written by Thrings | Jun 30, 2026 11:21:33 AM

 

If an employee questions or complains about how their personal data is being used, businesses are now under a statutory requirement to act on it under new data protection laws.

Coming into force as part of the Data (Use and Access) Act 2025, the obligations set out what businesses must do when responding to concerns and claims raised by employees and other individuals whose data they hold.

Megan Jefferies, Partner in our Intellectual Property team, and Natalie Ward, Partner in our Employment team, discuss what businesses and their HR teams need to know.

What’s changed?

While an employee can still take a concern about how their personal data is being handled straight to the Information Commissioner’s Office (ICO), organisations must now also be equipped to handle these concerns themselves, which requires a formal framework to be in place.

The new right applies broadly: it is not limited to employees, but also covers job applicants, contractors and others whose data you hold. Crucially, a person does not need to use legal language or formally describe their concern as a complaint. An employee simply saying "I'm not sure you should be using my information in that way" is potentially enough to trigger your obligations.

It is worth noting that this is a distinct right to raise complaints, not to be confused with the right of access, under which employees (or any other individuals whose personal data you process) can still make a Data Subject Access Request as before.

What are you required to do?

Once a data protection concern is raised – however informally – you must:

  • Provide a clear way for individuals to raise concerns with you – If you do not already have a process for this, you need one now.
  • Acknowledge the complaint – This must be done within 30 days of receiving it.
  • Take appropriate steps to investigate and respond – This has to happen without undue delay.
  • Tell the individual the outcome – Make sure they know the result of your investigation, again without undue delay.

Failure to do any of this could itself amount to a breach of data protection law – not just a process failure, but a regulatory risk in its own right.

Why does this matter?

The change marks a genuine shift in responsibility: businesses can no longer rely on the ICO as a default first port of call for data disputes. They are now expected to have effective systems in place to receive, investigate and resolve concerns internally.

This means the process needs to be documented, managed and followed through – and those handling it need to understand what they are dealing with.

The ICO has published guidance setting out what it expects from organisations in meeting these requirements, which is worth reviewing alongside any internal review you carry out.

What should you do now?

For businesses that don’t already have a data protection complaint process, this is the moment to put one in place. Those that do should ensure it is fit for purpose.

  • Appoint a named point of contact – Individuals need somewhere to direct concerns. Make sure there is a clear, accessible way to do this – whether through HR, a data protection officer, or another internal route.
  • Document your process – You should be able to demonstrate how complaints are received, logged, investigated and resolved. This matters both for regulatory compliance and for defending your position if a concern escalates.
  • Train your people – Anyone who might receive a concern – whether in HR, management or on the front line – should know what to do with it. An informal comment from an employee needs to be recognised and handled correctly, not ignored or dismissed.
  • Update your privacy documentation – Your privacy notice and internal policies should reflect the existence of this new process and how individuals can use it.
  • Act quickly – The 30-day acknowledgment window is firm. Late or absent acknowledgment could itself constitute a breach, so make sure complaints do not get lost in inboxes or fall between teams.

Handling data protection concerns promptly, efficiently and in accordance with legal obligations is not only a necessity, but also conducive to good employee relations. Employees who feel their concerns are taken seriously are less likely to escalate matters to regulators or the courts, or raise a grievance.

Getting your internal process right early on can make things more straightforward and cost effective, as well as reducing the risk of more serious disputes further down the line.

Whether you are creating a new process or updating an existing one, seeking legal advice at an early stage means you can act with confidence and avoid the regulatory and reputational risks that come with getting it wrong.

To find out more about how we can help, please contact our Intellectual Property and Employment teams.