Back to Blog
Insights

Data (Use and Access) Act 2025: New Complaint Handling Rules UK SMEs Must Follow

From 19 June 2026 the Data (Use and Access) Act 2025 gives individuals the right to complain directly to your business. Here is what UK SMEs must do now.

James Paulinson3 min read
Share

From 19 June 2026, the Data (Use and Access) Act 2025 (DUAA) created a statutory right for individuals to lodge data protection complaints directly with the organisation that holds their data - not only with the ICO. If you process personal data about customers, employees, or prospects (and virtually every UK business does), you now need a documented complaints-handling process or you are already non-compliant.

What changed on 19 June 2026?

Section 164A of the Data Protection Act 2018, inserted by the DUAA, formally requires controllers to:

  1. Accept complaints regardless of channel - email, phone, letter, or social media all count
  2. Acknowledge each complaint within 30 days of receipt, per ICO guidance (CMS Law, June 2026)
  3. Investigate proportionately and communicate an outcome without undue delay
  4. Maintain records of every complaint, including receipt date, steps taken, and resolution

If you have a GDPR complaints email address but no written process behind it, that is not enough.

What fines are now at stake?

The DUAA also brought PECR enforcement to UK GDPR levels. Cookie and email-marketing violations can now carry fines of up to £17.5 million or 4% of global annual turnover - up from the previous £500,000 ceiling. This matters if you send marketing emails or use tracking cookies without a compliant consent mechanism.

What a compliant SME complaint process looks like

You do not need a legal team or a compliance department. You need three things:

Element What it means in practice
Written policy A short document naming who handles complaints, escalation routes, and timeframes - even a single page works
Acknowledgement template A standard response sent within 30 days of any data complaint arriving
Outcome record A simple log showing what happened, when, and how it was resolved

Most SMEs can produce this in half a day using a word processor and a shared spreadsheet or task tool.

Update your privacy notice too

The ICO expects your privacy notice to explain that individuals can complain to you directly - not only to the ICO. If your notice still says "you can complain to the ICO" and nothing else, update it to include your own complaints route and contact details.

Where an AI agent helps

Compliance becomes operational rather than theoretical when an agent handles the admin:

  • An email-triage agent spots incoming data complaints and logs them automatically
  • An acknowledgement email goes out within minutes - well inside the 30-day window
  • The case is routed to the right person with a deadline in their task list
  • Overdue responses are flagged before they become a regulatory issue

This is one of the lower-cost automation wins: a simple email-to-tracker workflow, configured once, that keeps you provably compliant without anyone having to remember the process.

Does this apply to sole traders?

Yes. The rules apply to any UK controller under UK GDPR. There is no employee count or turnover threshold. A sole trader who holds a client email list is a controller and must have a complaints process in place.

Frequently asked questions

What did the Data (Use and Access) Act 2025 change about complaints from 19 June 2026?

Section 164A of the Data Protection Act 2018 now gives individuals a statutory right to complain directly to any organisation that holds their data. Controllers must acknowledge complaints within 30 days, investigate proportionately, and record every step of the process.

Do small businesses with fewer than 50 employees need to comply with the new DUAA complaint rules?

Yes. There is no minimum employee count or revenue threshold. Any UK business that processes personal data about customers, employees, or prospects is a controller under UK GDPR and must have a compliant data complaints-handling process in place.

How much have PECR fines increased under the Data (Use and Access) Act 2025?

Maximum PECR fines rose from £500,000 to the greater of £17.5 million or 4% of global annual turnover - matching UK GDPR enforcement levels. This covers cookie consent failures and unlawful direct marketing, not just data breaches.

What should a UK SME's data complaint process include?

A written policy naming who handles complaints and in what timeframe, a standard acknowledgement sent within 30 days, an investigation route, and a record of each complaint's outcome. Your privacy notice should also be updated to explain that individuals can complain to you directly.

Found this useful?
Share
JP

James Paulinson LinkedIn

Co-Founder, SMEAutomate

James Paulinson is the co-founder of SMEAutomate. With two decades across advertising, technology, and consulting, he focuses on helping boutique businesses and founders scale with AI-powered workflow automation.

Get automation insights in your inbox

Practical tips for UK SMEs. 1–2 per month. No spam, unsubscribe any time.