Every UK business that processes personal data has until 19 June 2026 to set up a formal complaints procedure for data protection issues. That is less than three months away. If you do not have one in place by then, you are breaking the law.
This is not a recommendation. It is a statutory requirement introduced by Section 103 of the Data (Use and Access) Act 2025 (DUAA), which inserts a new Section 164A into the Data Protection Act 2018. The ICO published its guidance on this in February 2026, and the deadline is not going to move.
The new law says that every data controller must have a process for handling complaints about how they use personal data. This applies to every business, regardless of size. If you have customers, employees, or website visitors whose data you process, this applies to you.
The requirements are specific. Your complaints procedure must:
Before this law, there was no legal requirement to have a specific data protection complaints process. People could complain directly to the ICO without going through you first.
That changes on 19 June. Under the new regime, the ICO expects individuals to raise complaints with you before escalating to the regulator. This is significant for two reasons.
First, you are now the first line of response. If someone thinks you have mishandled their data, they come to you. If you do not have a process, you are already non-compliant before you even look at the substance of their complaint.
Second, the ICO will check whether you have a complaints procedure when assessing enforcement action. If someone escalates to the ICO and you did not have a process in place, that is an additional failure on top of whatever the original complaint was about. It makes a bad situation worse.
The business that gets caught out by this will not be the one that deliberately ignores GDPR. It will be the one that has a generic "complaints" page on its website that covers product quality and service issues but says nothing about data protection.
A customer emails asking what data the business holds on them. The email sits in a shared inbox for three weeks. No one is sure who should handle it. Eventually someone replies with a vague response. The customer, unsatisfied, complains to the ICO.
The ICO investigates and finds: no documented complaints procedure for data protection matters, no acknowledgement within 30 days, no clear process for investigating data-related complaints. The original issue might have been minor. The procedural failure is not.
You do not need to build anything complicated. The ICO has been clear that existing complaints processes can be adapted. Here is what a compliant setup looks like for a small business:
Step 1: Create a dedicated data protection complaints process. This can be a page on your website, a section in your privacy policy, or a standalone document. It needs to explain how someone can complain about data protection specifically (not just general service complaints), what information they should include, and what happens next.
Step 2: Set up the intake channels. At minimum, an email address (something like privacy@yourbusiness.com) and a postal address. An online form is better because it captures structured information. You do not need a phone line specifically for data complaints, but you do need a non-electronic option.
Step 3: Build the acknowledgement step. If complaints come in by email or form, set up an auto-reply that acknowledges receipt and sets expectations. Something like: "We have received your data protection complaint. We will investigate and respond within [timeframe]. If you are not satisfied with our response, you can escalate to the Information Commissioner's Office at ico.org.uk."
Step 4: Document your investigation process. Write down (even briefly) how you will handle a complaint when one arrives. Who reviews it? What do they check? How do they record the outcome? This does not need to be a 20-page policy. A one-page internal document is fine for a small business.
Step 5: Update your privacy notice. Add a section explaining how people can complain about data protection. Link to your complaints process. The ICO expects this to be clearly signposted.
Step 6: Train your team. Everyone who handles customer enquiries should know that data protection complaints exist, that there is a process, and where to route them. This can be a 10-minute briefing. It does not need to be a formal training programme.
The ICO has signalled a "measured approach" to enforcement during the transition period, particularly where its own guidance is still being finalised. This is not an invitation to ignore the deadline. It means the ICO is unlikely to fine a small business on day one for getting a minor detail wrong, provided you have made a genuine effort to comply.
What the ICO will not tolerate is having nothing at all. If 19 June passes and you have no complaints procedure, no acknowledgement process, and no way for people to raise data protection concerns, you have a problem.
The complaints procedure does not replace anything you are already required to do. You still need a Record of Processing Activities (ROPA), valid legal bases for processing, data processing agreements with your vendors, and a privacy policy. The complaints procedure sits alongside these as an additional requirement.
If you already have your GDPR fundamentals in order, adding a complaints procedure is straightforward. If you do not, this deadline is a good reason to sort everything out at once.
Not sure whether your business is covered?
Rowpa generates your full ROPA, privacy policy, and vendor compliance checks in 15 minutes.
This post is for information only and does not constitute legal advice.