What it is?
From 19 June 2026, organisations will need to implement or update their data protection complaints procedure to align with the new Data (Use and Access) Act 2025 (DUAA) requirements. This marks a shift towards a more formalised, controller-led complaints-handling framework.
Who it applies to
The requirement applies to all UK organisations that act as data controllers, regardless of size or sector. There are no exemptions for SMEs, charities, or organisations that already have general complaints procedures in place. So yes — this hits virtually every small business.
What they actually have to do
Organisations are legally required to give people a way of raising data protection complaints, acknowledge each complaint within 30 days of receipt, take appropriate steps to respond without undue delay, and provide an outcome to complainants without undue delay.
Your 30-day acknowledgement point is correct, but worth noting that there is no deadline in the legislation for providing a full response — provided you are reasonable in terms of timescales and keep individuals up to date.
What counts as a complaint?
Examples of complaints that may fall within scope include: how an organisation has responded to a data subject rights request; the security measures an organisation has used to store personal data; and how an organisation is processing personal data.
Key practical points
The controller can decide on the primary complaint mechanism — it could be a complaint form, email address, phone number, online portal, or live chat. Organisations don’t need a new or separate tool; existing complaint tools can be adapted. Complaints must be accepted regardless of the channel through which they are received.
Importantly, people are not obliged to use a set process — they can complain however they want, including via social media or any employee. Staff need to be able to recognise a complaint and know what to do.
Privacy notices need updating too
At the point personal information is collected, people must be told they can raise a data protection complaint — meaning privacy notices will need to be updated.
There are no exemptions for small businesses, so this applies to you regardless of your size or sector.
If you’d like help reviewing your privacy notice or putting a simple process together, get in touch — it’s one of those things that’s much easier to sort now than to scramble for later. Contact [email protected]
