When another legal update lands, it’s easy to assume it means pages of new policies, expensive compliance projects and hours of training.
Thankfully, that’s not the case here.
The changes coming into force on 19 June are relatively straightforward. But they do highlight a gap we see in many organisations, particularly growing businesses.
The employers most exposed by these changes aren’t necessarily those doing anything wrong.
They’re the organisations where managers deal with issues differently, concerns are handled informally and nobody is quite sure who owns the process.
From 19 June 2026, individuals will have a formal right to complain directly to organisations about the way their personal data has been handled before taking their concerns to the Information Commissioner’s Office (ICO).
For many employers, the challenge won’t be understanding the law. It’ll be recognising when an everyday HR query has become a formal data protection complaint.
“We’re probably dealing with these already”
In our experience, most employers already receive these complaints. They just don’t describe them that way.
They sound more like this:
“Why has my manager been given information about my sickness absence?”
“I don’t understand why you’re still keeping notes from my interview.”
“I’ve asked for copies of my records and haven’t had a response.”
“Who has access to information about my disciplinary matter?”
“Why are those notes still being kept?”
From 19 June, employers need to be able to recognise these concerns and show they’ve been dealt with appropriately.
Isn’t GDPR something IT deals with?
Not usually.
Whilst cyber security and data breaches often sit with IT teams, employee data is handled every day by HR professionals and line managers.
Recruitment records, personnel files, absence information, occupational health reports, disciplinary documentation, references and payroll details all contain personal data.
It’s these day-to-day people management activities that are most likely to generate complaints.
Three questions every employer should be asking before 19 June
You don’t need to overhaul your entire GDPR framework.
You do need to know the answers to these questions:
1. Would we recognise a complaint if we received one?
Employees are unlikely to say:
“I wish to raise a formal data protection complaint.”
More often, they’ll simply question how information has been used or shared.
In a growing or mid-sized business, these complaints could go to supervisors, line managers or middle managers. These managers need to be able to spot concerns and know when to escalate them.
2. Do we know who owns the process?
If a complaint is raised:
- Who receives it?
- Who investigates it?
- Who responds?
- Who keeps a record of the outcome?
In smaller businesses, this may sit with the business owner, Office Manager or HR lead.
In larger organisations, responsibility may sit with HR, a Data Protection Officer or another nominated individual.
The important thing is that everyone knows who that person is.
3. Could we evidence what we’ve done?
If the ICO ever asked questions, could you demonstrate:
- When the complaint was received;
- What steps were taken to investigate;
- Who was involved;
- What conclusions were reached; and
- Whether any action was taken?
If the answer is yes, you’re already in a strong position.
A good opportunity for a quick health check
This change provides a useful excuse to review some of the areas that most often create difficulties.
Recruitment
- How long are unsuccessful candidate records retained?
- Are interview notes objective and still needed?
Absence management
- Who can access medical information?
- Are occupational health reports stored securely?
Employee relations
- Are disciplinary records retained in line with policy?
- Are managers keeping unofficial files or informal notes?
Monitoring
- Have employees been informed about monitoring arrangements?
- Is any monitoring proportionate and transparent?
Small improvements in these areas can prevent much bigger headaches later on.
What about employment references?
One question we’ve already been asked is whether these changes affect the way employers give references.
The answer is no, not directly.
The legal position remains the same. Employers are generally not required to provide a reference unless there’s a contractual or regulatory obligation to do so. Where a reference is provided, it must be truthful, accurate, fair and not misleading. References tend to be confidential between those giving them and those receiving them, but there is always a chance that a reference might be shared with the employee.
However, references may come under greater scrutiny.
Former employees may question:
- Why certain information was included
- Whether details of a disciplinary matter should have been disclosed
- Who authorised the reference
- Whether sickness absence information was relevant, or
- Whether the records relied upon were accurate and should still have been retained.
These aren’t new risks.
What may change is the route people take to challenge them.
A concern that may previously have surfaced through a grievance, Subject Access Request or solicitor correspondence could now also become a formal data protection complaint.
A timely reminder to review your approach
If your organisation provides factual references only, confirming dates of employment and job title, make sure this is applied consistently.
If you provide more detailed references, consider:
- Who is authorised to provide them?
- What information can and cannot be included?
- Is the information supported by accurate records?
- Could you justify including it if challenged?
One of the biggest risks is often the informal reference, the well-meaning manager responding to an email with an off-the-cuff comment.
For that reason, many employers choose to route all references through HR or a nominated individual.
Don’t overcomplicate it
It is tempting to assume these changes mean lengthy new procedures and extensive training programmes. For most organisations, they don’t.
You don’t need a 20-page policy.
You don’t need expensive software.
You do need:
- A clear process for raising concerns;
- Someone responsible for dealing with them;
- Managers who know when to escalate issues; and
- A record of the action you’ve taken.
The bottom line
Employees haven’t suddenly been given a whole new set of rights. Those rights already existed.
What’s changing is the expectation that employers can demonstrate they’ve listened to concerns, investigated them properly and responded appropriately before matters escalate to the ICO.
For smaller employers, this is about putting some simple processes in place.
For larger and growing organisations, it’s an opportunity to sense-check whether managers are handling concerns consistently and whether there is clear ownership when issues arise.
Either way, this isn’t about creating unnecessary bureaucracy.
It’s about good people management, sensible processes and being able to show you’ve done the right thing.
If you’re not sure whether your current approach is fit for purpose, or you’d like some practical support reviewing your procedures ahead of 19 June, we’d be happy to help.
At Orchard Employment Law, we provide straightforward, pragmatic advice that helps employers navigate change with confidence.