Data (Use and Access) Act 2025: What the New Rules Mean for Employers

Data (Use and Access) Act 2025: What the New Rules Mean for Employers

Employees today expect transparency about what their employer is doing with their personal information.  

On the 19th of June this year, s103 of the Data (Use and Access) Act 2025 (Act) came into effect requiring employers to have a compliant data protection complaints process in place by this date. This follows the implementation of other aspects of the act intended to build on the foundations of UK GDPR and the Data Protection Act 2018, with targeted changes designed to strengthen employee rights and tighten how organisations handle data complaints. 

A more structured complaints process

section 103 of the Act introduces clearer requirements around how organisations handle data protection complaints specifically, before an employee escalates things to the Information Commissioner’s Office (ICO).

Under the new framework, if an employee raises a concern about how their personal data has been handled, employers are expected to: 

  • Acknowledge and investigate the complaint promptly
  • Respond within one month
  • Explain clearly what happened, what action was taken, and, if none, why
  • Communicate proactively if more time is needed 

A well-handled complaint can stop a relatively minor concern from becoming an ICO referral, a tribunal claim, or a reputational risk.

Why this matters for employers

A business can process a vast amount of data on any given day; recruitment information, payroll records, sick/absence notes, performance reviews, disciplinary files – it adds up quickly, and employees expect it to be handled with care.

Most employers already have data protection policies in place relating to the handling of employee data, but with the ICO increasingly active in enforcing compliance, and employee awareness of data rights continuing to grow, it’s worth reviewing in light of the recent changes under the Act. 

Practical steps to take now

For many employers, reviewing what’s already in place and filling the gaps could be all the action needed.

  • Review your data protection and employee privacy policies to ensure they reflect current legislative requirements 
  • Introduce or update a formal, well-documented complaints process that’s consistently followed, and easy to access
  • Retrain your managers and HR teams so they know how to identify and handle a data complaint from the moment it’s raised
  • Keep clear records of every complaint received, investigated and responded to
  • Audit your data retention practices – are you holding onto personal information for longer than you need to?
  • Make sure employees know how to raise concerns, if they can’t navigate the process easily, it might as well not exist. 
Make data protection part of your culture

As HR systems, cloud platforms and AI-assisted tools become standard across most workplaces, employees are increasingly, and quite rightly, conscious of how their personal information is being used.

The organisations that handle this transparently (with clear policies, prompt responses and genuine accountability) are more likely to attract and retain the right people and avoid complaints to the ICO.

If you’d like support reviewing your data protection procedures, updating your policies, or simply making sure your processes are fit for purpose in relation to employee data our team is here to help.

Get in touch with Glaisyers ETL’s employment team today for clear, practical advice on staying compliant.