
DUAA Complaints Procedure Checklist for Small Businesses
From 19 June 2026 every UK controller must have a process for handling data protection complaints. There is no small business exemption, so a two-person firm has the same duty as a large employer.
The good news is that the duty is manageable. You do not need a large compliance team. You need a clear route to complain, a way to acknowledge within 30 days, and a record of what you did.
This checklist gets you to a compliant position quickly. For the full detail behind each point, see our data protection complaints procedure guide.
The Checklist
| Step | Action | Done when |
|---|---|---|
| 1 | Decide who owns data protection complaints in your business | A named person is responsible |
| 2 | Create a complaint form people can complete electronically, plus an alternative route such as email or post | Both routes are live and easy to find |
| 3 | Publish how to complain on your website and in your privacy notice | The route is visible to customers and staff |
| 4 | Set up a simple log to record the date each complaint is received | You can prove when the 30-day clock started |
| 5 | Draft a standard acknowledgement to send within 30 days | A template is ready to use |
| 6 | Agree how you will investigate and respond without undue delay | The steps are written down |
| 7 | Record the outcome of each complaint and tell the complainant | Every complaint has a logged result |
| 8 | Tell complainants they can escalate to the ICO if still dissatisfied | The escalation line is in your response template |
What You Do Not Need
You do not need expensive software or a dedicated complaints team. A shared inbox, a simple spreadsheet log and two short templates cover the duty for most small businesses.
What matters is that the route to complain is genuinely easy to use, the 30-day acknowledgement is reliable, and you keep a record. Those three things are what an investigator would look for.
Common Small Business Mistakes
- Treating a general contact form as a complaints route without ever labelling it as one.
- No log, so there is no way to show the complaint was acknowledged inside 30 days.
- The named owner leaves and nobody picks up the duty.
- Responding to the complaint but never recording the outcome.
- Assuming the business is too small to be in scope. It is not.
How Policy Pros Can Help
We give small businesses a ready-to-use complaints procedure, complaint form wording and acknowledgement template that meet the section 103 duties, sized for a small team rather than a corporate compliance function.
Pair it with our GDPR consultancy and privacy policy writing services so your privacy notice points people to the new complaints route. For small firms tackling the wider Act, see our DUAA 2025 employer guide.
Frequently Asked Questions
Are small businesses exempt from the DUAA complaints duty?
No. The data protection complaints duty under section 103 of the DUAA applies to every controller, with no exemption for small businesses or sole traders. If you handle personal data you need a complaints process in place by 19 June 2026.
What is the minimum a small business needs?
At a minimum you need a clear route to complain, including an electronic complaint form, a named owner, a log recording when each complaint arrives, an acknowledgement sent within 30 days, and a record of the outcome. A shared inbox, a spreadsheet and two templates are usually enough.
How long do we have to acknowledge a complaint?
You must acknowledge receipt within 30 days, then respond without undue delay and tell the complainant the outcome. Keeping a dated log is the simplest way to prove you met the 30-day deadline.