Most UK businesses have never heard of this deadline. If that includes yours, you are not alone — but you do need to act before Thursday.
On 19 June 2026, a requirement introduced by the Data (Use and Access) Act 2025 comes into force. It makes it a legal obligation for all UK businesses that process personal data to have a formal complaints-handling process in place for data protection matters. Not a vague intention. Not a mental note. A written, documented procedure that you can demonstrate to regulators if asked.
The vast majority of UK SMEs are not ready.
What “formal complaints process” actually means
You do not need a legal department or a 30-page policy document. But you do need three things in writing:
- A written procedure — a simple document that sets out how your business receives, logs, and responds to data protection complaints from customers, employees, or anyone else whose data you hold.
- A named responsible person — someone in your organisation who owns data protection complaints. In a small business, this is often the owner or a senior manager. The point is that there is a clear answer to “who deals with this?” — not a shrug.
- Response timescales — you must acknowledge complaints promptly and resolve them within a defined period. The ICO’s expectation is that complaints are acknowledged within a few days and substantively addressed within one month, in line with existing UK GDPR Article 12 timescales.
That is the minimum. A short internal document, a named person, a timescale. If you have those three things written down and accessible, you are in significantly better shape than most.
What happens if you don’t
The Information Commissioner’s Office (ICO) can investigate and issue enforcement notices. Fines under UK GDPR can reach up to 4% of global annual turnover or £17.5 million, whichever is higher. For a small business, even the lower end of that range — or the legal and reputational cost of an investigation — is genuinely damaging.
Beyond fines, customers are increasingly data-aware. A business that cannot demonstrate it takes data complaints seriously is a harder sell. The reputational exposure is real even if an ICO investigation never materialises.
A four-step checklist to get compliant fast
If you have not got a formal process in place, here is what to do this week:
Step 1 — Appoint a responsible person. Decide today who handles data complaints. Write it down.
Step 2 — Draft a brief complaints procedure. One to two pages is fine. Cover how complaints are received (email, phone, in writing), how they are logged, who reviews them, and when the complainant will hear back.
Step 3 — Set up a simple log. A spreadsheet is acceptable. You need to record complaints received, when, what they relate to, and how they were resolved.
Step 4 — Tell your team. If you have staff, make sure they know who to pass data complaints to and that there is a process for handling them.
Done properly, this is a half-day task for most small businesses. The barrier is knowing it exists — which is why most businesses are behind.
How this affects different types of businesses
Sole traders and freelancers — if you hold client data (which you almost certainly do), this applies to you. A simple one-page document and a named person (you) is enough to start.
Retail and e-commerce — customer purchase data, email lists, and loyalty programmes all bring this requirement into scope. Your complaints process needs to cover data requests and complaints separately from your product complaints process.
Service businesses — agencies, consultants, trades — you hold client data, often employee data, and sometimes supplier data. The scope is broader than most owners assume.
Businesses using third-party software or AI tools — if your tools process personal data on your behalf (CRMs, email platforms, AI assistants), you remain the data controller. The complaints process obligation sits with you, not your software provider.
Tools that can help
Getting compliant does not have to mean expensive solicitors or days of work. There are practical resources built for businesses like yours.
Smallprint.Legal provides plain-English legal document templates, including data protection policies and complaints procedures, designed for UK SMEs. If you need a starting document quickly, it is a sensible first stop.
KeepSafe.Report offers ongoing data protection compliance monitoring — useful if you want to move beyond a one-off fix and keep your compliance posture up to date as regulations evolve. Think of it as a quiet background check on whether your data practices remain sound.
ApplyAI.org.uk covers AI tools that can help automate compliance tracking, including flagging when deadlines or regulatory changes require action. If your business is already using AI tools, it is worth understanding how they interact with your data protection obligations — and how AI can help you stay on top of them.
Act before Thursday
The deadline is 19 June. That is this Thursday. If you do not have a written complaints procedure in place, the priority right now is to draft something basic and get it documented — even a rough first version is better than nothing.
Start with Smallprint.Legal for a template, consider KeepSafe.Report if you want ongoing support, and take a look at ApplyAI.org.uk if you want to understand how AI can take the admin weight off compliance going forward.
Data protection is not going to become less important. Getting the basics right this week is the fastest way to protect your business — and your customers.