One month to comply with the new Data Complaints Act

British small and medium-sized businesses have been put on notice. From 19 June 2026, exactly one month from today, every organization that handles personal data will be required by law to have a formal complaints procedure. Those who fail to prepare risk enforcement action, reputational damage and a steady loss of customer trust.
The new obligations flow from section 103 of the Data (Use and Access) Act 2025, the most significant reshaping of the UK’s data protection landscape since the Brexit settlement. And in a clear sign that the Information Commissioner’s Office is keen to avoid a repeat of 2018’s GDPR scramble, deputy commissioner Emily Keaney has used the four-week countdown to issue a direct appeal to the small end of the market.
“There is still a lot of work to do, and the ICO is here to support you,” Ms Keaney said. “We know that smaller organizations are less likely to have formal complaints procedures, which is why we’ve designed this guide with you in mind.”
What the new law requires
For SME owners and finance directors who are not yet familiar with the details, the legal obligations are mercifully short. Under the new regime, every organization must provide people with a clear and accessible way to raise a data protection complaint, whether by email, online form, phone or post. The receipt of the complaint must be acknowledged within 30 days. Businesses must then, “without undue delay”, take appropriate investigative steps, inform the complainant of the progress, and communicate the outcome.
Importantly, there are no exemptions based on size. The rules apply to a corner shop with a customer mailing list as much as they do to an FTSE 250 financial services company. Privacy notices will also need to be revised to make it clear that customers have the right to complain directly to the organization before going to the regulator.
Why this is more important than it looks
On paper, the changes seem modest, a tweak to administrative housekeeping rather than the shock of GDPR seven years ago. But veteran compliance experts warn that complacency would be a mistake.
For the first time, individuals will have the legal right to complain directly to the organization that manages their data, and to expect a formal response within a set period of time. That changes the calculus for everything from subject access requests to handling data breaches. The ICO has indicated that sectors that generate a high volume of complaints (healthcare, financial services, technology and retail) should expect some scrutiny.
There is also a commercial logic at work. Resolving a complaint quickly and correctly often prevents it from turning into something more serious, be it a formal legal referral or a customer departure. As any SME operator who has watched a one-star Trustpilot review can attest, the cost of getting the answer wrong can outweigh the cost of getting the process right. The broader context is one of growing data risks: the ICO is already pushing the tech sector to embed privacy by design into AI products, a sign of how the regulatory bar is rising.
The ICO’s olive branch
The regulator’s tone this time is markedly different from the schoolmasterly approach that characterized the original GDPR rollout. The guidance, which was published in February after a public consultation that received more than 85 responses, is full of practical examples and use cases aimed specifically at small firms without dedicated compliance teams.
“A data protection complaint can come from any customer at any time,” Ms Keaney noted. “Having a clear process means you can respond quickly, resolve issues appropriately and protect the trust your customers place in you. We’re here to capture businesses, we’re here to help you prepare.”
However, that conciliatory stance should not be mistaken for endless patience. Once 19 June passes, the ICO will have the power to take enforcement action against organizations that fail to put the required process in place, and the line between a supportive regulator and an active watchdog can move quickly.
A four-week action list
For business owners who aren’t sure where to start, the practical steps are straightforward. Decide who within the business will own the complaints process and ensure they have the authority to investigate and respond. Create an easy, visible way for customers to raise complaints, usually a dedicated email address or web form, signposted in the privacy notice. Write down a workflow, including how the 30-day deadline will be met. Train any customer-facing staff on what to do when a complaint arrives in their inbox.
Owners who already operate under data protection frameworks will recognize many of these as best practices they already have in place. For a refresher on wider compliance, our comprehensive guide to GDPR compliance in the UK lays out the basics, while our explainer on the differences between data controllers and processors is worth bookmarking for any business that shares customer data with third parties.
An important point
For Britain’s 5.5 million SMEs, the message from regulators is clear: 19 June is not a target, it is a deadline. The next four weeks are not an invitation to procrastinate, but a window to prepare. Done right, the new complaints process is a neat piece of administrative plumbing that can quietly strengthen customer relationships. Done poorly, or not at all, it’s a manageable exposure that small businesses can’t afford.
The ICO has, unusually, rolled out the welcome mat. The smart move for SME owners is to get in the door before someone else knocks.



