The Data (Use and Access) Act 2025 introduces a mandatory data protection complaints process that every UK organization must implement by June 19, 2026—regardless of size, sector, or resources. If you collect a customer email address, run a mailing list, or process any personal data, you're in scope. There are no exemptions.
The Information Commissioner's Office (ICO) announced May 19 that UK businesses have one month remaining to put statutory complaint-handling processes in place. For Britain's 5.7 million SMEs, this isn't a soft launch—it's a legal requirement backed by the ICO's enforcement powers, including fines up to £17.5 million or 4% of global annual turnover.
What Does the New Data Complaint Law Require?
[Figure: Data protection complaint handling process flowchart]
Starting June 19, 2026, controllers must:
- Provide a clear route for individuals to raise data protection complaints (email, form, phone, or post)
- Acknowledge complaints within 30 days of receipt
- Investigate without undue delay, keeping complainants informed of progress
- Communicate the outcome and inform individuals of their right to escalate to the ICO
Crucially, complaints can arrive through any channel—social media DMs, a reply to a marketing email, or a conversation with a customer service agent. You must accept complaints however they're submitted, even if you've published a formal process. This isn't like a subject access request you can route to a dedicated inbox and forget. Every employee who touches customer communication needs to recognize a complaint when they see one.
Why Is the ICO Doing This Now?
The regulator is drowning. The ICO received 42,315 complaints in 2024/25, up from 33,753 in 2022/23—a 25% increase in two years. Many involve issues that could have been resolved directly with the business. The new law shifts first-line resolution back to controllers, a "controller-first" approach similar to the UK Online Safety Act's complaint handling model.
ICO Deputy Commissioner Emily Keaney's tone is measured but firm: "We are not here to catch businesses out, we are here to help you get ready. With 19 June fast approaching, now is the time." Once the deadline passes, "the ICO will have the power to take enforcement action against organisations that fail to operate a compliant process"—and the line between supportive regulator and active enforcer moves quickly.
How Do I Get Compliant Before June 19?
You don't need enterprise software. You need a documented process and trained staff. Here's the minimum:
Designate an owner. Pick someone with authority to investigate and respond—often your data protection officer or a senior operations lead.
Create a visible intake route. Add a dedicated email (e.g., privacy@yourcompany.com) or a form to your website. Link it prominently in your privacy notice.
Set up 30-day acknowledgment tracking. The clock starts the day after you receive a complaint, including weekends. If day 30 falls on a holiday, you get until the next working day. Use calendar reminders or a simple spreadsheet.
Train your team. Customer-facing staff must recognize complaints. Example phrases: "You didn't handle my data properly," "I'm worried about how you're using my information," or "You ignored my deletion request." These all trigger the process.
Update your privacy notice. Add language like: "If you believe we've mishandled your data, you can complain to us at [contact details]. We'll acknowledge your complaint within 30 days and keep you informed. You also have the right to complain to the ICO."
Log everything. The ICO may request complaint records, and high complaint volumes may trigger regulatory scrutiny. Track dates received, acknowledgment sent, investigation steps, and outcome.
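The acknowledgment-deadline rule from the steps above, worked through as a small tracker. This is an added example, not code from the article or the ICO guidance; the bank-holiday set and the sample complaint log are constructed, and weekends are assumed to count as non-working days for the roll-forward.

```python
"""Acknowledgment-deadline tracker for data protection complaints."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed non-working days: weekends plus this constructed bank-holiday set
# (a real deployment would load the official UK bank-holiday calendar).
BANK_HOLIDAYS = {date(2026, 8, 31), date(2026, 12, 25), date(2026, 12, 28)}


def is_working_day(d: date) -> bool:
    return d.weekday() < 5 and d not in BANK_HOLIDAYS


def acknowledgment_deadline(received_iso: str) -> str:
    """Day 1 is the day after receipt and weekends count, so day 30 is
    receipt + 30 calendar days. If day 30 is not a working day, the
    deadline rolls forward to the next working day."""
    deadline = date.fromisoformat(received_iso) + timedelta(days=30)
    while not is_working_day(deadline):
        deadline += timedelta(days=1)
    return deadline.isoformat()


@dataclass
class Complaint:
    ref: str
    channel: str                      # any channel counts: email, DM, phone, post
    received: str                     # ISO date the complaint arrived
    acknowledged: Optional[str] = None  # ISO date the acknowledgment went out


def status_report(complaints, today_iso: str) -> dict:
    """Classify each complaint as acknowledged (on time/late), overdue, or open."""
    today = date.fromisoformat(today_iso)
    report = {}
    for c in complaints:
        deadline = date.fromisoformat(acknowledgment_deadline(c.received))
        if c.acknowledged is not None:
            late = date.fromisoformat(c.acknowledged) > deadline
            report[c.ref] = "acknowledged late" if late else "acknowledged on time"
        elif today > deadline:
            report[c.ref] = f"OVERDUE by {(today - deadline).days} day(s)"
        else:
            report[c.ref] = f"due {deadline.isoformat()} ({(deadline - today).days} day(s) left)"
    return report


# Constructed sample log (not real complaints).
SAMPLE_LOG = [
    Complaint("C-001", "email", "2026-06-19", acknowledged="2026-07-20"),
    Complaint("C-002", "social DM", "2026-06-22"),
    Complaint("C-003", "phone", "2026-07-31"),
]

if __name__ == "__main__":
    for ref, status in status_report(SAMPLE_LOG, "2026-07-25").items():
        print(ref, status)
```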
If you already have a general complaints process, you can adapt it—just ensure it covers data protection issues and meets the statutory timelines.
What Happens If I Miss the Deadline?
Enforcement risk is real but proportionate. The ICO won't issue a £17 million fine because you forgot to update your privacy notice. But if a customer complains on June 20, can't figure out how to reach you, and escalates to the ICO—and you have no process—you're in breach of a statutory obligation from day one. That creates "prima facie" evidence for a disgruntled individual negotiating a settlement.
The ICO uses a risk-based approach: it considers the nature of the breach, harm to individuals, your response, and whether you cooperated. A missing process combined with a slow, dismissive response to a legitimate complaint is exactly the pattern that attracts attention. Even a smaller fine or enforcement notice can be disruptive for SMEs, and reputational damage from ICO action often costs more than the penalty itself.
Does This Apply to SaaS Products and Developer Tools?
Yes. If your app, API, or platform processes user data—authentication logs, usage telemetry, email addresses—you're a data controller. Complaints might involve how you responded to a deletion request, what data you shared with a third-party analytics tool, or security measures after a breach. Developers using AI code generators or auto-installed SDKs may be collecting data they didn't explicitly code for—those users can complain, too.
The good news: you can integrate data protection complaints into your existing support ticket system. Tag complaints as "GDPR," route them to the right reviewer, and ensure acknowledgment goes out within 30 days. Many SMEs will find this easier than building a separate channel.
The Real Risk Isn't the Fine—It's the Pattern
The ICO is tracking complaint volumes per organization. If you repeatedly fail to handle complaints properly, or if complaints spike around a specific issue (e.g., dark patterns in consent banners, ignored deletion requests), the regulator may escalate from individual case handling to a broader investigation. "Complaint trends can indicate cultural or operational weaknesses," notes compliance consultancy VinciWorks.
This is the same dynamic driving enforcement trends across Europe under the General Data Protection Regulation (GDPR) and penalties in California under the California Consumer Privacy Act (CCPA). Regulators now have the data infrastructure to spot repeat offenders. One missed complaint is an oversight. Ten complaints in three months because your unsubscribe link is broken? That's a compliance failure waiting to be formalized.
June 19 is not a suggestion. It's a hard cutover to a complaints regime that every business in the UK must operate. The guidance is published, the clock is running, and the ICO has made it clear: this deadline is real.
Frequently Asked Questions
Do micro-businesses and sole traders need a complaint process?
Yes. The ICO guidance states there are no exemptions—if you process personal data as a controller, you need a process. Even a one-person consultancy with a mailing list is in scope.
What counts as a data protection complaint?
Any expression of dissatisfaction about how you've handled someone's personal data under UK GDPR or the Data Protection Act 2018. Examples: security concerns after a breach, refusal to delete data, ignoring a subject access request, or unclear consent practices.
Can I require people to use a specific complaints form?
No. You can provide a form as the easiest route, but individuals can complain via any method—email, phone, letter, social media, or in person. You must accept and process complaints however they arrive.
What happens if I acknowledge a complaint late?
Missing the 30-day acknowledgment deadline is a breach of the statutory requirement. If the individual escalates to the ICO, late acknowledgment weakens your position and may trigger enforcement action, especially if it's part of a pattern of poor handling.
Does the 30-day rule apply to resolving the complaint or just acknowledging it?
Acknowledgment only. You must acknowledge receipt within 30 days, but investigation and resolution must happen "without undue delay"—the ICO assesses this based on complexity, harm, and whether you kept the complainant informed.
Where can I find the official ICO guidance?
The final guidance is available at ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints. It includes worked examples, timelines, and practical steps tailored for smaller businesses.
