There's a date coming up that a lot of UK businesses don't know about yet: 19 June 2026.
That's when a new requirement under the Data (Use and Access) Act 2025 comes into force. From that date, every UK organisation must have a formal process for handling data protection complaints — and must acknowledge those complaints within 30 days.
No exemptions. No grace period for small businesses. Every organisation.
If you haven't started preparing, now is the time.
What the New Requirement Actually Says
The Data (Use and Access) Act 2025 introduces a statutory right for individuals to raise data protection concerns directly with the organisations that hold their data. This is sometimes called the 'right to complain', and it places a clear obligation on businesses to:
- Provide a straightforward way for individuals to raise concerns about how their personal data has been handled
- Acknowledge complaints formally within 30 days
- Be able to demonstrate how data has been processed, stored and protected
This isn't just a paperwork exercise. If someone complains that their data was handled incorrectly, shared without consent, or lost in a breach, you need to be able to investigate that claim properly and respond with substance.
Which means you need to be able to find the data in the first place.
Why Backup and Data Management Are Now Compliance Issues
Here's where a lot of SMBs will run into trouble.
Responding to a data complaint isn't just about writing a polite acknowledgement. It means being able to locate specific personal data across your systems, understand what happened to it, explain how it's been protected, and — if something went wrong — show what controls you had in place.
If your data is scattered across unmanaged systems, retained inconsistently, or backed up in ways you can't easily interrogate, that becomes a serious problem very quickly. A complaint lands, the 30-day clock starts, and you're scrambling through fragmented records trying to piece together an answer.
This is especially relevant for businesses relying on default Microsoft 365 settings. The built-in retention in Microsoft 365 is not a backup strategy. Emails get deleted. SharePoint data gets overwritten. If a complaint involves data from six months ago that's no longer in your live systems, can you actually retrieve it?
The ICO Is Not Being Lenient
It's worth being clear about the regulatory environment this is happening in. The ICO has significantly increased the scale of its enforcement activity in recent years.
Capita received a £14 million fine following a data breach that exposed personal data belonging to millions of people. LastPass received a £1.2 million fine for security failures. These aren't one-off examples — they reflect a clear shift towards treating data security failures as serious regulatory matters with serious financial consequences.
The June 2026 complaints regime gives the ICO a more direct route to identify organisations that aren't managing personal data properly. If complaints come in and businesses can't respond adequately, that's a visible compliance failure. It creates a paper trail that regulators can follow.
SMBs shouldn't assume that being small makes them less visible. The ICO has made clear that the size of an organisation is not a reason to treat data protection obligations as optional.
What You Should Be Doing Before June 2026
The practical steps here are not complicated, but they do require action now rather than in May next year.
Know what data you hold and where it lives. You can't respond to complaints about data you can't find. Audit your systems, understand your data flows, and know how personal data moves through your business.
Make sure your backup strategy actually works. This means tested, recoverable backups that cover your critical systems — including your email and collaboration tools, not just your servers. If you needed to retrieve a specific piece of personal data from three months ago, could you do it today?
Set up a formal complaints process. Designate who handles data complaints, document the process, and make sure there's a clear route for individuals to raise concerns. This doesn't need to be elaborate, but it does need to exist.
Review your data retention policies. Holding personal data longer than necessary creates risk; deleting it too early can leave you unable to respond to legitimate requests. Your retention policy should be deliberate, not accidental.
Test your ability to respond. Run a mock subject access request or complaint through your systems. If you can't complete it comfortably, that's the gap you need to fix.
This Is Manageable — If You Start Now
The June 2026 deadline is specific enough that you can plan for it. Businesses that get their data management and backup in order before then will be in a strong position. Those that don't will find themselves trying to meet a 30-day complaint response window with systems that weren't designed to support it.
The connection between backup and compliance isn't theoretical. It's practical. If you can't find your data, you can't protect it — and you can't prove you did.
Not sure whether your current backup setup would support a data complaint investigation? Talk to IronFell. We work with UK businesses to make sure their data is protected, recoverable, and manageable — so compliance doesn't become a crisis. Get in touch with IronFell today.