DUAA Complaints Process for Small Businesses: SME Guide
Under the **Data (Use and Access) Act 2025 (DUAA)**, which comes into force on **19 June 2026**, UK organisations acting as data controllers must operate a documented complaints procedure. Small businesses, startups, sole traders, and local clubs are all covered under these updated rules.
Does the DUAA Complaints Duty Apply to Small Businesses?
Yes. The duty to handle data protection complaints is determined by your role as a **data controller**, not by the size of your business or headcount. If you process customer names, billing information, contractor records, website IP addresses, or employee payroll, you are a data controller under UK law.
As a result, sole traders, micro-businesses, local clubs, and small charities must comply with the 19 June 2026 deadline.
Key DUAA Requirements for UK SMEs
Setting up a DUAA-compliant complaints procedure involves:
- Publicly visible policy: A simple document published on your website outlining the complaints process.
- Complaints Lead / Contact: A designated individual in your team assigned to handle data complaints (no formal DPO required).
- Written 30-Day SLA Receipts: Formal acknowledgement of all incoming data complaints within 30 calendar days.
- Internal Complaints Log (CSV): A record of all incoming complaints, acknowledgment dates, outcomes, and remedial actions.
Reducing Regulatory Scrutiny
Failing to have a complaints process may increase regulatory risk, ICO scrutiny, and the likelihood of escalation. If a customer is unhappy with how you handle their personal data, they can complain to the ICO. Under the DUAA, the ICO will expect you to have a documented policy and tracking log in place.
Bespoke legal drafting can be expensive, often costing upwards of £400 from commercial solicitors. The DUAA Shield pack gives small organisations a practical, ready-to-adapt starting point for a one-time £20 fee.
Frequently Asked Questions
Does the DUAA complaints duty apply to small businesses?
Yes. Any UK organisation processing personal data as a data controller falls under the scope of this legislation.
Do sole traders need a data protection complaints process?
Yes. If you operate as a sole trader and handle customer, client, or supplier personal details, you must establish an active complaints policy.