The Data (Use and Access) Act 2025 (DUAA) received Royal Assent over the summer and marks a significant step in the evolution of the UK’s data protection framework. The DUAA introduces a range of important updates that data controllers will need to take note of when complying with their data protection obligations. These changes will be implemented gradually, with several key provisions coming into force in December 2025 that are particularly relevant to employers and HR professionals.
New Complaints Procedure
Arguably the most significant change from the DUAA is a statutory requirement for employers to implement a formal complaint-handling process that individuals can use if they consider their data protection rights have been breached in any way. Employers will be required to:
- Have a clear and accessible complaints procedure in place, with a complaint form that can be accessed and completed electronically (as well as by other means).
- Acknowledge receipt of the complaint within 30 calendar days.
- Take appropriate steps to investigate the complaint and respond to it “without undue delay”.
- Update their data protection policies and privacy notices to explain the complaints procedure and provide clear instructions on how employees can exercise that right and what they can expect during the complaints process.
Through the grievance procedure, employees have always had a mechanism to complain to their employer if they felt their data protection rights had been breached. However, this new complaint procedure extends beyond just employees and gives workers, contractors, agency workers, and customers the power to make complaints regarding their data protection rights.
On the one hand, the requirement to respond to the complaint “without undue delay” is positive because it gives employers flexibility, rather than having a rigid deadline of having to respond within X months (as is the case with data subject access requests). On the other hand, employers and individuals will inevitably have different perspectives on what ‘undue delay’ means in practice, increasing the risk of future disagreements on the issue.
To avoid disagreements, some employers might opt to manage expectations by setting out an anticipated response time in their policy/privacy notice. For those that do, to avoid the pitfalls that come with a rigid deadline, employers will want to allow themselves a generous (but reasonable) amount of time to respond.
Whilst this would require further legislation and is therefore not due to come into force yet, the DUAA also allows the Government to legislate further to require businesses to notify the Information Commissioner’s Office of how many complaints they have received in a given time period and their outcomes.
Data Subject Access Requests
Employers and HR professionals are accustomed to receiving data subject access requests (DSARs), which are formal requests from individuals for copies of their personal data. These are often made by employees as part of a formal management process where someone is fishing for evidence, or to see what their colleagues are saying about them.
One of the difficulties businesses struggled with was how far they had to go in searching for an individual’s personal data. Were they required to check every physical and electronic file, every email inbox, etc.? This was finally clarified by the courts, who confirmed that data controllers were required to carry out a ‘reasonable and proportionate’ search for the data; this was later added to the Information Commissioner’s guidance. The DUAA codifies this ‘reasonable and proportionate’ search principle into law, leaving no doubt that businesses are not required to carry out exhaustive and disproportionate searches.
Likewise, the DUAA codifies the ‘stop the clock’ principle into law, allowing employers to pause the DSAR response time if they need the individual to clarify or refine their request (or to provide more information). For HR teams, this creates an opportunity to better manage complex or ambiguous DSARs – for example, where an employee asks for “all emails about me.”
Comment
A mandatory complaints procedure, and an obligation to investigate those complaints, will create an administrative burden for employers. Fairly obviously, the larger the workforce (and the more customers they have), the bigger the burden will be.
With only a few short weeks to go before this obligation is due to come into force in December 2025, businesses should start by amending their data protection policies and privacy notices to formally set out the complaints procedure. Managers and key personnel may also need more specialised data protection training so they can understand the issues and investigate any complaints received.
Separately, the DUAA doesn’t revolutionise DSARs. It codifies existing best practices, and it therefore provides employers with a clearer legal footing when handling and responding to complex requests.
If employers or individuals require assistance with any data protection issues in the workplace, including on responding to DSARs, please contact a member of our Employment Team.
