From 19 June 2026, every UK controller, including small companies, must operate a formal data protection complaints process and acknowledge complaints within a statutory 30-day window, under section 103 of the Data (Use and Access) Act 2025 and related amendments to the Data Protection Act 2018. ICO's own statement on the commencement of the Act makes clear that this new complaints duty sits alongside strengthened enforcement powers, including the ability to issue monetary penalties of up to £17.5 million or 4% of global annual turnover for serious breaches of the privacy and electronic communications rules.
What changes in June 2026
Section 103 of the Data (Use and Access) Act 2025 inserts a new section 164A into the Data Protection Act 2018, creating a statutory right for data subjects to complain directly to controllers where they believe UK GDPR or the Data Protection Act has been infringed. Commencement regulations confirm that the new duties on controllers to handle complaints apply only to complaints received on or after 19 June 2026.
ICO's guidance on "How to deal with data protection complaints" explains that, from that date, controllers must have a complaints process that lets people raise data protection complaints directly with them before going to the ICO. The guidance states that organisations must: give people a way to make data protection complaints; acknowledge complaints within 30 days of receiving them; take appropriate steps, without undue delay, to investigate and respond; keep people informed; and clearly explain the outcome. ICO's current draft guidance adds that organisations should normally provide the outcome within three months of receiving the complaint unless exceptional circumstances apply. That three-month expectation is draft guidance rather than a statutory deadline, but it is the yardstick the regulator will apply in practice.
These duties are framed in law as applying to "a controller", with no carve-out for small organisations, and ICO's small business advice confirms that the regulator expects individuals to complain to the organisation first and for even small businesses to be able to respond clearly. In practice, that means every limited company or SME that determines the purposes and means of processing personal data will need a documented complaints process and a way of evidencing how each complaint was handled.
What a compliant complaint log must contain
A written complaints log is not named explicitly in the Act, but ICO's complaint-handling guidance and its accountability tools assume that organisations can show how they received, assessed and resolved data protection complaints. ICO's records-management framework also warns that undocumented processes and poor records may breach the accountability principle in Article 5(2) UK GDPR, because you cannot demonstrate what you did.
For most SMEs, a central complaints log is the simplest way to evidence compliance with the new statutory duty and to feed into your wider records of processing under Article 30 UK GDPR. The log can sit in a spreadsheet, helpdesk system or case-management tool, provided it captures the necessary information and can be produced to the ICO on request.
Minimum fields
At a minimum, your GDPR complaint log for June 2026 onwards should capture the following fields, aligned with ICO's complaint-handling guidance and the legal requirement to acknowledge within 30 days:
- Date received – the calendar date the organisation actually receives the complaint, because the 30-day acknowledgement period runs from the day after receipt, with examples in ICO guidance clarifying how weekends and public holidays are counted. Record the channel as well (email, web form, phone, letter, social media) so that any later dispute about when the complaint arrived can be settled from the log.
- Complainant identity and contact details – enough information to identify the individual or their representative and to communicate updates and the outcome, reflecting ICO's expectation that you record preferred contact methods and keep people informed.
- Data subject on whose behalf the complaint is made – where a complaint is made by a representative, you should note whose data the complaint concerns and record the authority you have verified, as ICO stresses you must not investigate without appropriate authority.
- Nature of the complaint – a short description of the issue (for example, failure to respond to a subject access request, alleged unlawful marketing, insecure processing), which aligns with the categories of issues ICO sees in its caseload, such as failures to comply with subject access and erasure requests or inaccurate personal data.
- Relevant processing activity / system – which system, process or business area the complaint relates to (payroll, marketing list, HR records, accounting platform), so that it can be traced back to your records of processing activities under Article 30 UK GDPR.
- Lawful basis and rights engaged – a note of the lawful basis you relied on for the processing in question (for example, contract, legal obligation, legitimate interests) and any data subject rights engaged (access, rectification, erasure, objection), to demonstrate that you have considered the UK GDPR requirements that apply to the complaint.
- Key investigation steps – a brief record of what you did (documents reviewed, systems checked, staff consulted), consistent with ICO's expectation that organisations investigate thoroughly, fairly and accurately.
- Outcome – whether you upheld, partially upheld or rejected the complaint, and why, as ICO guidance emphasises clearly explaining your findings and how you reached them.
- Remedial actions taken – any corrective steps (for example, updating records, changing a process, providing a late subject access response, or tightening marketing preferences), which will be central if the ICO later asks how you addressed the issue.
- Date acknowledged – when you sent the acknowledgement, so that you can evidence it fell within the statutory 30-day period created by section 103 DUA Act (the new section 164A DPA 2018) and reflected in ICO guidance.
- Date closed – when you provided your outcome to the complainant, along with a note that you informed them of their right to escalate to the ICO, which ICO expects you to do at appropriate points.
Capturing these fields consistently will allow you to demonstrate that every complaint received after 19 June 2026 was acknowledged within 30 days and handled in line with ICO guidance, and will also make it easier to spot recurring issues and training needs.
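To make the fields above concrete, here is an added example, not from the article, the ICO or any template the page links to, that models a complaints log in Python. Each entry carries the minimum fields listed above, the acknowledgement deadline is computed as the date of receipt plus 30 calendar days on the assumption that day one is the day after receipt and that every calendar day counts (ICO's weekend and public-holiday examples are not modelled, so check the guidance before relying on the exact boundary day), and an audit pass flags the gaps a reviewer would look for: a late or missing acknowledgement, a representative whose authority was never verified, an entry closed without an outcome or without the complainant being told about escalation to the ICO. The reference format, the "ROPA-" identifiers, the retention period and the three sample complaints are all constructed for illustration.

```python
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from typing import Dict, List, Optional

# Statutory window the article describes: acknowledge within 30 days of receipt.
ACK_WINDOW_DAYS = 30
# Assumption (labelled): day 1 of the window is the day after receipt and every
# calendar day counts, so the last permissible day is receipt + 30. ICO's
# weekend and public-holiday examples are not modelled here.

VALID_OUTCOMES = {"upheld", "partially upheld", "rejected"}


@dataclass
class Complaint:
    """One row of the complaints log, mirroring the minimum fields above."""
    ref: str                                  # internal reference, illustrative format
    date_received: date
    complainant: str                          # identity/contact: restrict who can read this
    nature: str                               # short description of the issue
    processing_activity: str                  # link to the Article 30 record (illustrative IDs)
    lawful_basis: str                         # basis relied on for the processing in question
    on_behalf_of: Optional[str] = None        # data subject, when a representative complains
    authority_verified: bool = False          # representative's authority checked and recorded
    investigation_steps: List[str] = field(default_factory=list)
    outcome: Optional[str] = None             # upheld / partially upheld / rejected
    remedial_actions: List[str] = field(default_factory=list)
    date_acknowledged: Optional[date] = None
    date_closed: Optional[date] = None
    escalation_route_given: bool = False      # complainant told they can go to the ICO

    @property
    def ack_deadline(self) -> date:
        return self.date_received + timedelta(days=ACK_WINDOW_DAYS)


def ack_status(c: Complaint, today: date) -> str:
    """'on time' or 'late' once acknowledged; 'open' or 'overdue' while waiting."""
    if c.date_acknowledged is not None:
        return "on time" if c.date_acknowledged <= c.ack_deadline else "late"
    return "overdue" if today > c.ack_deadline else "open"


def validate(c: Complaint, today: date) -> List[str]:
    """Return the accountability gaps a reviewer would flag for one entry."""
    issues: List[str] = []
    if c.on_behalf_of and not c.authority_verified:
        issues.append("representative complaint: authority not verified")
    if not c.processing_activity:
        issues.append("no link to an Article 30 processing record")
    if c.date_acknowledged and c.date_acknowledged < c.date_received:
        issues.append("acknowledged before received: check dates")
    status = ack_status(c, today)
    if status in ("late", "overdue"):
        issues.append(f"acknowledgement {status} (deadline {c.ack_deadline.isoformat()})")
    if c.date_closed is not None:
        if c.outcome not in VALID_OUTCOMES:
            issues.append("closed without a recorded outcome")
        if not c.investigation_steps:
            issues.append("closed with no investigation steps recorded")
        if not c.escalation_route_given:
            issues.append("closed without telling complainant about escalation to the ICO")
    return issues


def audit_log(log: List[Complaint], today: date) -> Dict[str, List[str]]:
    """Map each complaint ref to its list of issues (an empty list means clean)."""
    return {c.ref: validate(c, today) for c in log}


def anonymise_expired(log: List[Complaint], today: date, retain_days: int) -> List[Complaint]:
    """Strip identity from entries closed longer ago than the retention period,
    keeping nature, outcome and actions so trend analysis still works.
    The retention length is the organisation's own decision (supplied as a parameter)."""
    out = []
    for c in log:
        if c.date_closed is not None and (today - c.date_closed).days > retain_days:
            c = replace(c, complainant="[anonymised]",
                        on_behalf_of=None if c.on_behalf_of is None else "[anonymised]")
        out.append(c)
    return out


# Constructed sample log: three complaints received after 19 June 2026.
SAMPLE_LOG = [
    Complaint("DPC-2026-001", date(2026, 6, 22), "A. Example <a@example.com>",
              "no response to subject access request", "ROPA-003 HR records",
              "legal obligation", investigation_steps=["checked SAR inbox", "spoke to HR lead"],
              outcome="upheld", remedial_actions=["late SAR response sent", "SAR inbox monitored daily"],
              date_acknowledged=date(2026, 7, 1), date_closed=date(2026, 8, 14),
              escalation_route_given=True),
    Complaint("DPC-2026-002", date(2026, 7, 3), "B. Example <b@example.com>",
              "marketing emails after opt-out", "ROPA-007 marketing list",
              "consent", date_acknowledged=date(2026, 8, 10)),        # acknowledged on day 38: late
    Complaint("DPC-2026-003", date(2026, 7, 10), "Representative for C. Example",
              "inaccurate address on invoice", "ROPA-001 billing",
              "contract", on_behalf_of="C. Example"),                 # unacknowledged, authority unchecked
]

if __name__ == "__main__":
    for ref, issues in audit_log(SAMPLE_LOG, date(2026, 8, 20)).items():
        print(ref, "OK" if not issues else "; ".join(issues))
```

Run it as a script to see the audit for the three sample entries as of 20 August 2026: the first is clean, the second was acknowledged late, and the third is overdue and was lodged by a representative whose authority was never verified. The same `audit_log` pass works as the weekly check in the rollout plan later in this article, and `anonymise_expired` is one way to apply a retention period without losing the trend data the log is meant to surface.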
Retention and access — tie to UK GDPR Article 30 records
The new complaints duty sits within the wider accountability framework of UK GDPR, including the obligation to maintain records of processing activities under Article 30. ICO's documentation guidance explains that organisations should record, among other things, the purposes of processing, categories of individuals and data, recipients, transfers and, where possible, envisaged time limits for erasure of different categories of data.
Although there is no specific statutory retention period for complaint logs, ICO's records-management framework emphasises that records management processes must be documented and reviewed, and that poor retention practices can breach the accountability principle in Article 5(2) UK GDPR. A practical approach for SMEs is to treat the complaints log as part of your records of processing: define a retention period in your retention schedule, ensure it is long enough to handle repeat issues and potential ICO enquiries, and then delete or anonymise entries when no longer needed, in line with your broader retention policy. If you anonymise rather than delete, strip the complainant's identity, contact details and any free-text fields that could identify them, but keep the category of complaint, outcome and remedial action so that trend analysis still works.
Access to the complaints log should be limited to staff who need it to investigate complaints (for example, your data protection lead, operations lead, or relevant managers), consistent with ICO's expectations on appropriate technical and organisational measures and good records management. The log itself holds personal data (complainant identity, contact details and the substance of each complaint), so it is a processing activity in its own right that belongs in your Article 30 records, and edits to entries should be traceable to a named person and date. You should also be able to export or otherwise provide the log to the ICO promptly if asked, as part of demonstrating compliance with the new complaints regime.
Free complaint-log template for SMEs
Try the MBridge MTD & Compliance Checker →
Our Making Tax Digital and compliance checker is designed to flag whether your business has the supporting documentation it needs – including a GDPR complaint log, retention schedule and records of processing – rather than just a policy on paper. When you run through the checker before June 2026, it will highlight gaps such as missing complaints records, unlinked processing activities, or undocumented lawful bases, so you can fix them before the new statutory complaints duty takes effect.
Three mistakes SMEs make
1. Treating complaints informally and not recording them
ICO's small business guidance notes that individuals have the right to complain to you first and that the ICO expects you to have given a clear, detailed response before it decides whether further work is needed. A common SME mistake is to treat complaints as informal customer-service issues, responding by email or phone but never logging them, which leaves no evidence if the ICO later reviews the case.
Under the new statutory regime, section 103 DUA Act gives data subjects a formal right to complain to controllers, and ICO's complaint-handling impact assessment shows that the regulator will triage complaints using its new framework, looking at trends and repeat concerns about organisations. If the only record of your handling is scattered emails, it becomes much harder to demonstrate that you acknowledged within 30 days, investigated properly and applied the law correctly.
2. Mixing up complaints with subject access and other rights
ICO's FOI responses and guidance highlight that failures to comply with subject access requests, erasure requests and inaccurate data are recurring themes in enforcement and complaints. SMEs often fail to distinguish between a complaint about how data was handled and a formal subject access request or other rights request, leading to confusion about which process and timescales apply.
ICO's complaint-handling guidance makes clear that data protection complaints are a distinct process, with a 30-day acknowledgement duty and an expectation that you respond without undue delay, while UK GDPR sets separate statutory time limits for subject access and other rights. A single message can contain both, for example a complaint about marketing that also asks for a copy of the data you hold. Log each element separately, cross-reference them, and run each clock on its own: the subject access response is due within one month under Article 12(3) UK GDPR (extendable by up to two further months where requests are complex or numerous), while the complaint acknowledgement is due within 30 days. That way you can show you met each set of obligations separately.
3. Underestimating enforcement risk in a "big tech" enforcement climate
Recent ICO enforcement has focused on high-profile online platforms, such as a £14.47 million fine issued to Reddit for children's privacy failures and a substantial monetary penalty against MediaLab, owner of Imgur, for unlawful use of children's data. ICO has also highlighted, in the context of the Data (Use and Access) Act, that it can impose monetary penalties up to £17.5 million or 4% of global annual turnover under privacy and electronic communications law.
It is easy for SMEs to assume that this level of enforcement is only relevant to large technology companies, but ICO's powers apply to organisations of all sizes that breach UK GDPR or related legislation. In practice, many investigations into smaller organisations start with a single complaint or a subject access dispute, so having a robust complaints process and log is an important part of protecting your business in a stricter enforcement environment.
30-day rollout checklist before June 2026
With the new statutory complaints duties commencing on 19 June 2026, SMEs should plan a focused 30-day rollout to be ready in time. ICO's preparation guidance sets out practical steps organisations can take now, even before the duties formally apply, and confirms that following the guidance early is considered good practice.
A pragmatic 30-day plan might look like this, aligned to ICO's guidance and UK GDPR Article 30 documentation expectations:
- Map where complaints can arrive — Identify all routes by which someone could complain about data protection: contact forms, generic email addresses, customer portals, social media inboxes, phone, and in-person channels, reflecting the flexible submission options described in ICO's guidance.
- Design a simple, standardised intake process — Create a short internal checklist or form to capture the minimum fields in this article whenever a complaint comes in, in line with ICO's advice to clarify what evidence and information you need to investigate.
- Configure a central log — Set up a spreadsheet or case register capturing dates, complainant details, nature of complaint, linked processing activity, lawful basis, investigation steps, outcomes, actions and closure dates, so that you can demonstrate compliance with the 30-day acknowledgement duty and "without undue delay" response expectation.
- Align with Article 30 records of processing — Cross-reference each complaint entry to the relevant record of processing activity (for example, "Customer billing system – marketing emails" or "Payroll platform – employee records"), using ICO's templates and guidance on what must be documented.
- Update privacy notices and internal policies — Ensure your privacy notice tells people they can complain to you and the ICO, as ICO requires, and that your internal data protection policy explains who coordinates complaints, how they are logged, and how they link to other rights handling.
- Train front-line and back-office staff — Use ICO's guidance for small organisations and its accountability toolkit to brief staff on how to recognise a data protection complaint, how to route it to the right person, and why logging and timely acknowledgement matter.
- Test the 30-day acknowledgement process — Run a tabletop exercise: simulate a complaint, record it in the log, prepare an acknowledgement, and check that the process would work during holidays or staff absence, consistent with ICO's expectation that you make arrangements to cover such periods.
- Review retention and access controls for the log — Decide how long you will keep complaint entries, document this in your retention schedule, and ensure that access is restricted to those who need it, in line with ICO's records-management framework and accountability principles.
By executing these steps over a 30-day period, a typical SME can move from ad-hoc handling of privacy complaints to a documented, auditable process that meets the new statutory duty and integrates with existing GDPR records.
ICO & legislation sources
- ICO — How to deal with data protection complaints
- ICO — Statement on the commencement of the Data (Use and Access) Act
- Data (Use and Access) Act 2025, Section 103
- Commencement No. 6 Regulations 2026
- ICO — Article 30 records of processing
- ICO — Records management framework
This article is general information for UK SMEs and does not constitute legal advice.