On 23 June 2026, a new legal duty landed on every organisation in the UK that handles personal data. If you employ people, that means you.
The rule itself is short.
You have to give people a clear way to raise a data protection complaint, acknowledge it within 30 days, investigate it properly, and then tell them what you found.
The hard part isn’t understanding the rule; it’s having a process that actually delivers on it every time.
Most businesses don’t think it applies to them
If you are reading this thinking it doesn’t apply to you, you are not alone. In fact, ICO research found that of the businesses that had even heard of the Data (Use and Access) Act, more than 2 in 3 either didn’t know the change affected them or assumed it didn’t. The law now in force is part of that Act, and the full set of provisions reached their 12-month commencement on 19 June.
So a lot of employers are now carrying a legal obligation they don’t know they have. The ICO has been clear that the focus is on helping organisations build good practice rather than catching anyone out, but the duty applies whether you’ve prepared for it or not.
Emily Keaney, Deputy Commissioner for Regulatory Policy at the ICO, framed it well. She described it as good data protection becoming “business as usual”, and tied a clear complaints process directly to trust and good customer relationships rather than box-ticking.
Payroll sits right in the middle of this
Think about the personal data involved in running a payroll – salaries, bank details, National Insurance numbers, tax codes, pension contributions, addresses, sometimes health and absence information. It’s some of the most sensitive data an employer holds, and your people care deeply about it being right.
That’s also where complaints come from. An employee querying a deduction. A leaver asking for a copy of their pay records. Someone who spots an error in how their details are recorded. Under the new duty, every one of those needs a defined route in, a response within 30 days, a proper look, and a clear answer.
If you run payroll in-house, that process now has to exist and work. If Ascend runs it for you, it already does.
This is exactly what our Quality Framework was built for
We didn’t bolt on a complaints process this month because the law changed. Handling data subject requests, errors, and concerns to a fixed standard has been part of how we operate from day one. That’s the whole point of our Quality Framework.
It’s also why that Framework has been shortlisted for Project of the Year, Service Providers, at the 2026 CIPP Annual Excellence Awards, the longest-running independent awards in the industry. We’re named alongside firms like PwC and Zellis, judged by an independent panel on the strength of how we actually run the service rather than how we describe it. That Framework pulls together four independent standards: ISO 9001 for quality management, ISO 27001 for information security, ISO 27701 for privacy, and CIPP PAS, the payroll industry’s own assurance scheme. All four shape how we work. Two of them do the heavy lifting on this particular change.
ISO 27001 is the international standard for information security management. It governs how we protect the data we hold, who can access it, how we spot and contain problems, and how we keep that discipline consistent rather than relying on individuals remembering to do the right thing. The security half of data protection lives here.
ISO 27701 is the privacy extension that sits on top of it. It covers how we handle personal data as a privacy management system, including data subject rights and the way requests and complaints are logged, owned, and resolved. The process the new law now requires of every organisation is, in plain terms, a process we’re independently audited against.
So when a complaint or a request reaches us, it doesn’t depend on someone having a good day. It follows a route that’s documented, timed, and reviewed. It is acknowledged quickly, investigated by the right person, answered clearly, and recorded so we can see patterns and fix the root cause.
What you should do next
If you handle any part of your data protection in-house, take the ICO at its word and review your complaints process now while the regulator is in support mode. The guidance gives practical examples built on the kinds of issues businesses see most often, including subject access requests and inaccuracies in personal data, so it’s a sensible place to start.
If Ascend handles your payroll, there’s nothing for you to build. The complaints handling the law now demands is already running inside the service you’re paying for, backed by ISO 27001 and ISO 27701 and the Quality Framework that ties them together. If you’d like a short summary of how we manage data subject requests on your behalf, we’re happy to walk you through it.
Good data protection that makes people trust you more, not less, has always been the goal. The law just caught up with how we already work.
Thinking about moving your payroll to a partner that treats data protection as a feature rather than an afterthought? Get in touch, and we’ll show you what our Quality Framework means in practice.