DATA PROTECTION: THE NEW RIGHT TO COMPLAIN
It seems the ICO has had enough. The Data (Use and Access) Act 2025 not only abolishes the ICO in favour of the new Information Commission, but has also brought in a new right for data subjects to complain directly to a data controller – rather than to the regulator itself. Although this right is not yet live, under the Act controllers must acknowledge a complaint within 30 days and respond “without undue delay”, setting out the action that they have taken. This shifts responsibility for managing initial complaints, moving the complainers off the IC’s desk and back onto controllers.
HR professionals everywhere know the feeling of managing a tricky subject access request, and so this new right will be fairly disheartening. We had also hoped the Act would bring in a lower bar for “vexatious” and “excessive” requests so that employers could refuse to respond, but this did not make it into the final Act. What has been helpful, however, is that the Act has confirmed that employers only need to carry out “reasonable and proportionate” searches when someone asks for access to personal data – something that will be welcome news to anyone who has managed an unwieldy, contentious employee request lately.
So what should employers be thinking about following the Act? Before this goes live (which can be anytime in the next 2–12 months, according to the ICO), consider where this right to complain will sit internally, and who will be responsible for complying. Once it comes in, Privacy Notices will need to be updated to reflect the new right. Otherwise, for now, sit tight and keep an eye out – there will be plenty of new guidance to follow.