How the Data (Use and Access) Act 2024 changes data protection complaints for UK employers, and what office managers must do to map systems, triage concerns and work with vendors.
The 30-day complaint clock that started on 19 June: what the DUAA data protection changes ask of every UK employer

The new right to complain and why office managers are suddenly in scope

Since 19 June a new statutory right allows any data subject to raise a data protection complaint directly with a data controller, and that includes every UK employer. Under the Data (Use and Access) Act 2024 (DUAA), which received Royal Assent on 20 May 2024 and began to take effect from June 2024, organisations must operate a transparent complaints route for data protection issues and respond to each complaint “without undue delay”. The DUAA framework sits alongside the existing right under UK GDPR Article 77 to complain to the ICO, but it adds a domestic mechanism for individuals to complain first to the controller. For office and workplace teams this is not abstract law, because your building systems hold personal data about employees, visitors and contractors that can trigger privacy complaints long before HR or Legal notice anything.

The Information Commissioner’s Office, usually referred to as the ICO, has warned in its UK data protection guidance for organisations (updated 2024) that smaller employers are least likely to have structured complaints handling in place, even though these businesses often run complex data access tools such as visitor kiosks, badge systems and desk booking platforms. The ICO’s “Handling data protection complaints” guidance explains that organisations should “acknowledge receipt of the complaint promptly” and “aim to respond within one calendar month”, mirroring the UK GDPR time limit for data subject rights. A casual phrase from individuals such as “I do not think you should use my information that way” can therefore amount to a formal data protection complaint under the DUAA complaints route, which means you must treat it as a regulated privacy concern and follow a defined internal procedure. That shift matters for office managers because people usually raise data worries first about CCTV, visitor logs or subject access to building entry records, not about payroll or core employment systems.

Every office manager in a UK company now sits on the front line of data protection, even if your job title still says facilities or workplace. You already coordinate privacy notices for visitors, manage subject access to sign-in books and oversee the handling of CCTV footage, so you are effectively a data protection complaints triage point for multiple data subjects. Instead of thinking about “data protection complaint employer UK 2026” as a distant compliance slogan, treat your office operations as part of the employer’s formal DUAA complaints framework, where day-to-day workplace systems can generate both individual complaint risks and systemic compliance gaps. In practice this means aligning your reception and access processes with the DUAA text on complaints and the ICO’s complaints-handling guidance, so that anyone who questions how you use their information is routed into a documented, time-bound process rather than dealt with informally and forgotten.

What the 30-day clock really requires from your office operations

The DUAA data protection changes sit alongside existing UK GDPR and employment law, but they add a very specific operational duty for employers to handle complaints in a timely, accountable way. The Act’s commencement provisions bring into force a right for individuals to complain to the controller and require the controller to consider and respond, while UK GDPR Article 12(3) continues to require that controllers respond to data subject requests “without undue delay and in any event within one month”. Many organisations therefore adopt a 30-day internal target for both acknowledging and providing a substantive response to complaints, to keep DUAA complaints handling aligned with UK GDPR time limits. That one-month complaints-handling window applies whether individuals raise concerns about visitor data, access badge logs, desk booking records or other personal data that your office function controls, and it applies to both single complaint cases and multiple complaints from different data subjects.

ICO guidance on handling data protection complaints, read together with its UK GDPR accountability resources, stresses that organisations should not only acknowledge complaints promptly but also investigate without undue delay, document the complaints-handling steps and keep the complainant informed about the process and outcome. For office managers this means you need a mapped complaints procedure that covers every data access touchpoint in the building, from CCTV and visitor management to lockers and meeting room sensors. You should be able to show how you will route a privacy complaint about subject rights to HR or Legal, how you will log the subject access request, and how you will ensure that no personal data is deleted or altered while the protection complaint is open. This is where employment law and protection law intersect, because a data protection complaint about desk booking data or swipe card logs can quickly escalate into an employment dispute if the complaints-handling record is incomplete, late or inconsistent with your disciplinary processes.

Procurement choices now matter as much as policies, because your visitor and access vendors must support compliant complaints handling and data subject workflows. When you review supplier contracts under the new Procurement Act, use guidance on office supplier panels to ensure SLAs cover privacy notices, subject access exports and the ability to pause automated deletion during a complaint. As you negotiate, build a short SLA checklist for visitor and access vendors that covers: named contacts for DUAA complaints, maximum response times for data exports, confirmation that audit logs can be preserved for at least 30 days, support for subject access requests, clear retention settings, and a process to suspend routine deletion when a complaint is open. A sample SLA clause might read: “The Supplier shall, upon written notice of a data protection complaint or subject access request, provide the Customer with all relevant personal data and audit logs within ten working days and suspend any routine deletion of that data for the duration of the complaint, up to a maximum of 90 days, unless otherwise required by law.” This emerging landscape of data protection complaints for UK employers rewards organisations that treat office systems as regulated data infrastructure, not just convenience tools, and that means you personally own part of the protection complaints risk register.

A practical playbook for office managers: mapping, triage and documentation

The first practical step is to map every place where your office collects or uses personal data, because you cannot manage data protection complaints if you do not know where the data sits. List visitor management systems, access control, desk booking, room booking, CCTV, parcel tracking and any workplace apps, then record what personal data each system holds, how long you retain it and which team owns the complaints-handling process. That map will let you respond when individuals raise a privacy complaint about a specific subject, such as visitor logs or CCTV images, and it will help you avoid undue delay when a data subject asks for subject access to those records. Turn this into a one-page checklist headed “Office data protection complaints map” so that anyone covering reception or facilities can see at a glance which system to check and who to notify.

Next, design a simple triage script so reception, security and your own team know when a casual comment about data becomes a formal protection complaint that triggers the one-month clock. A basic triage script might say: “Thank you for telling me about your concern. To make sure we handle this properly under our data protection complaints procedure, I will record what you have said and pass it to our data protection contact today. They may contact you for more information and will aim to respond within one month.” Train staff that any statement about how employers are handling information, or any request to raise data concerns about privacy notices or subject rights, must be logged as a complaint and passed to the named owner of the complaints process. Make sure your complaints acknowledgement template explains what will happen next, references relevant ICO guidance in plain language and sets expectations about investigation timelines and possible outcomes for both single complaints and repeated complaints. A basic one-month acknowledgement template might read: “Thank you for raising your data protection concern on [date]. We have logged your complaint under our DUAA and UK GDPR complaints procedure and will investigate without undue delay. We will not delete or alter any relevant personal data while your complaint is open, and we aim to provide you with a substantive response within one month. If you remain dissatisfied after our response, you may have the right to raise your concern with the Information Commissioner’s Office.”

Finally, treat documentation as your shield, not as bureaucracy, because a clear record of each data protection complaint will protect you if the ICO later reviews your organisation. Keep a simple register that records the date individuals raise concerns, the systems involved, the steps taken, the data access provided, and whether the data subject accepted the outcome or escalated to the ICO, and keep that register aligned with your privacy notices and employment policies. As you refine your approach, use specialist workplace resources on knowledge base software news to embed this playbook into your internal guidance, and offer the complaints map, triage script and acknowledgement wording as a downloadable template on your intranet. That way, modern data protection complaints for UK employers describe a mature, well-governed process rather than a scramble every time someone questions how you use their data.

Sources

Fladgate – AI round up, July (Data (Use and Access) Act 2024 analysis and commencement dates)

Foot Anstey – Key employment law updates, June (DUAA and complaints handling duties for employers)

Information Commissioner’s Office – UK data protection guidance for organisations and complaints handling (ICO guidance pages, accessed 2024, including “Handling data protection complaints” and “Individual rights requests”)

Published on