From 19 June 2026, the Data (Use and Access) Act 2025 (DUAA) created a statutory right for individuals to lodge data protection complaints directly with the organisation that holds their data - not only with the ICO. If you process personal data about customers, employees, or prospects (and virtually every UK business does), you now need a documented complaints-handling process or you are already non-compliant.
What changed on 19 June 2026?
Section 164A of the Data Protection Act 2018, inserted by the DUAA, formally requires controllers to:
- Accept complaints regardless of channel - email, phone, letter, or social media all count
- Acknowledge each complaint within 30 days of receipt, per ICO guidance (CMS Law, June 2026)
- Investigate proportionately and communicate an outcome without undue delay
- Maintain records of every complaint, including receipt date, steps taken, and resolution
If you have a GDPR complaints email address but no written process behind it, that is not enough.
What fines are now at stake?
The DUAA also brought PECR enforcement to UK GDPR levels. Cookie and email-marketing violations can now carry fines of up to £17.5 million or 4% of global annual turnover - up from the previous £500,000 ceiling. This matters if you send marketing emails or use tracking cookies without a compliant consent mechanism.
What a compliant SME complaint process looks like
You do not need a legal team or a compliance department. You need three things:
| Element | What it means in practice |
|---|---|
| Written policy | A short document naming who handles complaints, escalation routes, and timeframes - even a single page works |
| Acknowledgement template | A standard response sent within 30 days of any data complaint arriving |
| Outcome record | A simple log showing what happened, when, and how it was resolved |
Most SMEs can produce this in half a day using a word processor and a shared spreadsheet or task tool.
Update your privacy notice too
The ICO expects your privacy notice to explain that individuals can complain to you directly - not only to the ICO. If your notice still says "you can complain to the ICO" and nothing else, update it to include your own complaints route and contact details.
Where an AI agent helps
Compliance becomes operational rather than theoretical when an agent handles the admin:
- An email-triage agent spots incoming data complaints and logs them automatically
- An acknowledgement email goes out within minutes - well inside the 30-day window
- The case is routed to the right person with a deadline in their task list
- Overdue responses are flagged before they become a regulatory issue
This is one of the lower-cost automation wins: a simple email-to-tracker workflow, configured once, that keeps you provably compliant without anyone having to remember the process.
Does this apply to sole traders?
Yes. The rules apply to any UK controller under UK GDPR. There is no employee count or turnover threshold. A sole trader who holds a client email list is a controller and must have a complaints process in place.
Frequently asked questions
What did the Data (Use and Access) Act 2025 change about complaints from 19 June 2026?
Section 164A of the Data Protection Act 2018 now gives individuals a statutory right to complain directly to any organisation that holds their data. Controllers must acknowledge complaints within 30 days, investigate proportionately, and record every step of the process.
Do small businesses with fewer than 50 employees need to comply with the new DUAA complaint rules?
Yes. There is no minimum employee count or revenue threshold. Any UK business that processes personal data about customers, employees, or prospects is a controller under UK GDPR and must have a compliant data complaints-handling process in place.
How much have PECR fines increased under the Data (Use and Access) Act 2025?
Maximum PECR fines rose from £500,000 to the greater of £17.5 million or 4% of global annual turnover - matching UK GDPR enforcement levels. This covers cookie consent failures and unlawful direct marketing, not just data breaches.
What should a UK SME's data complaint process include?
A written policy naming who handles complaints and in what timeframe, a standard acknowledgement sent within 30 days, an investigation route, and a record of each complaint's outcome. Your privacy notice should also be updated to explain that individuals can complain to you directly.
James Paulinson LinkedIn
Co-Founder, SMEAutomate
James Paulinson is the co-founder of SMEAutomate. With two decades across advertising, technology, and consulting, he focuses on helping boutique businesses and founders scale with AI-powered workflow automation.
Related articles
Get automation insights in your inbox
Practical tips for UK SMEs. 1–2 per month. No spam, unsubscribe any time.
