A compliance deadline most small businesses have not heard of arrives on 19 June: under the Data (Use and Access) Act 2026, every organisation regardless of size must have a formal process for handling data protection complaints.
The Act (DUAA) received Royal Assent earlier this year and introduces the first formal complaint-handling obligations that apply uniformly to businesses of all sizes. From 19 June, organisations must provide accessible channels for individuals to raise concerns about data handling, acknowledge complaints within 30 days, and communicate outcomes without undue delay.
Unlike previous data protection frameworks that have allowed informal arrangements for smaller organisations, the DUAA offers no SME exemptions. Any business that collects, stores, or processes personal data falls within scope.
The deadline intersects with an increasingly hostile threat environment for smaller organisations. Several high-profile breaches affecting major UK brands in recent years have been traced back to third-party suppliers — often smaller firms with weaker controls — rather than to the primary organisation itself. For attackers, the supply chain offers a lower-resistance route in.
Northdoor, a managed services and IT consultancy based in London, is pointing customers toward the UK government-backed Cyber Essentials scheme as a baseline certification that addresses some of the same controls implicated in supply chain attacks: patch management, access control, secure configuration, and malware protection. The ICO has indicated that Cyber Essentials certification will be a relevant factor in assessing whether an organisation took reasonable steps when a breach occurs.
For SMEs that have not yet mapped their data complaint workflows, the three-week window is tight but workable. The core requirement is a documented process: who receives complaints, how they are tracked, when acknowledgements go out, and how outcomes are recorded and communicated. The challenge is less technical than procedural.