Britain’s small and medium-sized businesses have been put on notice. From 19 June 2026, exactly one month from today, every organisation that handles personal data will, by law, be required to operate a formal complaints process. Those that fail to prepare risk regulatory action, reputational damage and the slow drip of customer trust eroding away.
The new obligations flow from section 103 of the Data (Use and Access) Act 2025, the most significant reshaping of the UK’s data protection landscape since the post-Brexit settlement. And in a clear signal that the Information Commissioner’s Office is anxious to avoid a repeat of the GDPR scramble of 2018, deputy commissioner Emily Keaney has used the four-week countdown to issue a direct appeal to the smaller end of the market.
“There is still plenty of time to act, and the ICO is here to support you,” Ms Keaney said. “We know that smaller organisations are less likely to have formal complaints processes in place, and that is exactly why we have designed this guidance with you in mind.”
What the new law actually requires
For SME owners and finance directors who have not yet digested the detail, the statutory obligations are mercifully short. Under the new regime, every organisation must give individuals a clear and accessible route to raise a data protection complaint, whether by email, online form, telephone or post. Receipt of a complaint must be acknowledged within 30 days. Businesses must then, “without undue delay”, take appropriate steps to investigate, keep the complainant informed of progress, and communicate the outcome.
Crucially, there are no carve-outs. The rules apply to the corner shop with a customer mailing list just as much as to the FTSE 250 financial services firm. Privacy notices will also need updating to make clear that customers have a right to complain directly to the organisation before escalating to the regulator.
Why this matters more than it might look
On paper, the changes appear modest, a tweak to administrative housekeeping rather than the seismic shock that GDPR delivered seven years ago. But seasoned compliance professionals warn that complacency would be a mistake.
For the first time, individuals will have a statutory right to complain directly to the organisation handling their data, and to expect a structured response within a defined timeframe. That changes the calculus on everything from subject access requests to the handling of data breaches. The ICO has indicated that sectors generating the highest volume of complaints, healthcare, financial services, technology and retail, should expect particular scrutiny.
There is also a commercial logic at work. Resolving a grievance quickly and fairly tends to prevent it from metastasising into something more serious, whether a formal regulatory referral or a customer departure. As any SME operator who has watched a one-star Trustpilot review go viral can attest, the cost of getting the response wrong can dwarf the cost of getting the process right. The wider context is one of rising data risk, with the ICO already pressing the technology sector to embed privacy by design into AI products, a sign of how high the regulatory bar is climbing.
The ICO’s olive branch
The regulator’s tone this time is markedly different from the rather schoolmasterly approach that characterised the early GDPR rollout. The guidance, published in February following a public consultation that drew more than 85 responses, is studded with practical examples and worked-through scenarios pitched squarely at smaller firms without dedicated compliance teams.
“A data protection complaint can come from any customer at any time,” Ms Keaney noted. “Having a clear process means you can respond quickly, resolve issues fairly and protect the trust your customers place in you. We are not here to catch businesses out, we are here to help you get ready.”
That conciliatory framing should not, however, be mistaken for indefinite patience. Once the 19 June commencement date passes, the ICO will have the power to take enforcement action against organisations that fail to operate a compliant process, and the line between supportive regulator and active enforcer can move quickly.
A four-week action list
For business owners still unsure where to begin, the practical steps are reasonably straightforward. Decide who inside the business will own the complaints process and ensure they have the authority to investigate and respond. Build a simple, visible route for customers to raise complaints — usually a dedicated email address or web form, signposted in the privacy notice. Document the workflow, including how the 30-day acknowledgement deadline will be met. Train any customer-facing staff on what to do if a complaint lands in their inbox.
Owners who already operate under data protection frameworks will recognise much of this from existing good practice. For a refresher on the broader compliance landscape, our complete guide to GDPR compliance in the UK sets out the foundations, while our explainer on the difference between data controllers and processors is worth bookmarking for any business that shares customer data with third parties.
The bottom line
For Britain’s 5.5 million SMEs, the message from regulators is clear: 19 June is not a target, it is a deadline. The four weeks ahead are not an invitation to delay, but a window to prepare. Done well, the new complaints process is a modest piece of administrative plumbing that can quietly strengthen customer relationships. Done badly, or not at all, it is a regulatory exposure that few small businesses can afford to carry.
The ICO has, unusually, all but rolled out a welcome mat. The smart move for SME owners is to walk through the door before someone else knocks.
Read more:
ICO Warns SMEs: one month to comply with new Data Complaints Law
