Compliance

New ICO Requirement: Every UK Business Needs a Complaints Procedure by June 2026

·2 min read ·Updated April 11, 2026
NEW ICO RULE

From 19 June 2026, every UK organisation that processes personal data must have a formal data protection complaints procedure in place. This is a new requirement introduced by the Data Use and Access Act 2025.

This is not a suggestion or best practice recommendation. It is a legal requirement with a specific deadline. If your business collects any personal data — customer names, email addresses, payment details, even website analytics — this applies to you.

What the requirement actually means

You need a documented process for how your business receives, handles, and responds to data protection complaints from individuals. This means having a way for people to submit complaints about how you handle their data, a process for investigating those complaints, defined timeframes for responding, and a record of complaints received and how they were resolved.

This does not need to be complicated. For a small business, it could be as simple as a dedicated email address, a written procedure document, and a spreadsheet to log complaints.

What a basic procedure looks like

For most small businesses, this covers four things. First, a contact point — an email address where people can send data protection complaints. Second, an acknowledgement timeframe — confirm receipt within a set number of working days. Third, an investigation process — describe how you will look into the complaint. Fourth, a response timeframe — respond with your findings within one calendar month, which aligns with the existing UK GDPR timeframe for data subject requests.

Add this information to your privacy policy. Create an internal document that your team (even if that team is just you) can follow. Keep a log of any complaints received.

What happens if you do not comply

The Data Use and Access Act 2025 has aligned PECR fines with UK GDPR levels. The ICO can now fine up to 17.5 million pounds. While the ICO takes a proportionate approach and is unlikely to issue maximum fines to small businesses for procedural failures, not having a complaints procedure removes a basic safeguard that the ICO expects to see.

More practically, if someone complains about your business to the ICO and the ICO asks to see your complaints procedure and you do not have one, that is a separate compliance failure on top of whatever the original complaint was about.

The deadline is 19 June 2026

You have time to set this up, but not much. Draft the procedure, add it to your privacy policy, create the complaints log, and brief anyone in your business who might receive a complaint. This is a one-afternoon task that protects you from a much larger problem.

Want to check your website? LaunchKitty scans your site across 14 dimensions in 30 seconds. Free scan, no signup needed. Scan your website now.

Share this