Home / DSARs and the new statutory right to complain – what does this mean for employers?

DSARs and the new statutory right to complain – what does this mean for employers?

24th June 2026

Over recent years there has been a rapidly rising trend in employees submitting data subject access requests (DSARs) to access their personal data held by their employer. This is a common tactic for employees engaged in litigation (or considering litigation) or in settlement discussions to try to improve their negotiating position, either by causing a nuisance or in an attempt to get their hands on the perceived “smoking gun” to support their claims.

From 19 June 2026, individuals gained a new statutory right to complain directly to a data controller, for example their employer, about their data protection rights.

What is a data protection complaint?

A data protection complaint arises when an individual believes an organisation has mishandled their personal data request. The most common type of complaints we see relate to an employer’s handling of a DSAR, for example the time it took for an employer to respond to the request or an employer’s approach to redacting information.

Employees can now raise a complaint via any channel, and they do not need to use legal terminology or even call it a ‘complaint’. If an employer is unsure whether an employee is making a data protection complaint, then they should ask them for clarification.

What do employers need to do?

These reforms require employers to now:

Provide an accessible way for employees to submit a data protection complaint;
Acknowledge complaints within 30 days of receipt;
Take “appropriate steps” to investigate complaints without undue delay;
Keep those who have made a complaint informed about the progress and outcome of complaints without undue delay; and
Maintain appropriate records relating to complaints and their resolution.

Employers are also required to inform employees about their right to complain:

At the time their data is collected, such as in its privacy notice; and
When responding to a DSAR, or other data protection request.

What are the consequences for employers for getting it wrong?

Employees can still complain directly to the Information Commissioner’s Office (ICO). However, the new right has been introduced to ease the ICO’s workload and to encourage individuals to complain directly to a data controller itself.

Currently, the ICO is advising that it can take up to 40 weeks following a complaint to them for the case to be assigned to a case officer. Some complaints are then taking more than 6 months on assignment to be resolved. The new right to complain directly to a controller almost inevitably means that employers will see an increase in the number of data protection complaints they receive.

If an employer does not handle a complaint correctly, they risk breaching UK data protection law and being subject to a range of penalties. This can include fines from the ICO of up to £8.7 million or 2% of total global turnover (whichever is higher) and compensation being awarded to an employee by a civil court.

If you require assistance with updating your privacy notice or other data protection policies, implementing a complaints procedure or require advice upon receipt of a data protection complaint from an employee, please contact the Kuits employment team on 0161 832 3434 or [email protected].

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	This cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-analytics	1 year	This cookie is used to record your preferences for cookies in the "Analytics" category .
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-functional	1 year	The cookie records your preferences for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-necessary	1 year	This records your cookie preferences.
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
cookielawinfo-checkbox-performance	1 year	This cookie is used to store your consent for cookies in the category "Functional".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
viewed_cookie_policy	1 year	This cookie stores whether or not you have consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
MoneyPennyAgentAvatar	session	This cookie stores the agent image URL in order to show the agent avatar on the minimize state of our live chat function. If you disable this cookie, our live chat functionality may not be available to you
MoneypennyHistory	1 year	This cookie is used to keep track of the your visits to our website and last live chats. It displays the previous five live chat transcripts to the agent in the live chat to allow faster understanding of your conversation context, and faster resolutions.
MoneypennyHistory	1 year	This cookie is used to keep track of the your previous visits to our website and last live chats on our website. The cookie allows the chat transcripts from your five previous live chats to be displayed to your live chat agent in the chat to allow faster understanding of your needs and faster resolutions.
MoneypennyRef	2 hours	This cookie records origin and site entry to display the referring URL to the live chat agent so they can gain insight into your journey to our website. It helps our live chat agents deliver a better experience by giving them context. If you choose to disable this cookie, live chat will still be available.
MoneypennyUserAlias	1 year	This cookie stores the visitor alias (name) on use of the setUserName() Javascript API. This cookie is used to support subsequent live chats so that, once it is known, the live chat agent doesn’t need to collect the information again. This alias also will get displayed on the chat-box (as the visitor’s name), prechat form (as the value of the ‘name’ field, if it exists), and offline form (as the value of the ‘name’ field, if it exists).
MoneypennyVisit	session	This cookie is used to keep track of the your visits to our website and tells your live chat agent how many times you have visited our website. It is also used for the ‘returning visitor’ proactive chat rule, enabling returning visitors to be greeted differently. Failure to accept this cookie may impact performance of our live chat function.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether you use the new or old player interface.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-37750570-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow us to track your behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, this cookie stores information on how you use our website and also creates an analytics report of the website's performance. Some of the data that is collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	16 years 3 months 1 day 13 hours 11 minutes	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
yt.innertube::nextId	Persistent	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	Persistent	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements to you when either on Facebook or on a digital platform powered by Facebook advertising, after visiting our website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to you by tracking your behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how you use our website to present you with relevant ads according to your user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if your browser supports cookies.
YSC	session	YSC cookie is set by Youtube and is used to track your views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

DSARs and the new statutory right to complain – what does this mean for employers?

What is a data protection complaint?

What do employers need to do?

What are the consequences for employers for getting it wrong?

Sign up to our Newsletter