ComplaintsDesk
Do small businesses need a DUAA complaints procedure?
Yes. If your organisation is a UK data controller, you need a process for handling data protection complaints — regardless of size, sector, or how few complaints you expect.
No SME exemption
The Data (Use and Access) Act 2025 applies to all controllers with no exceptions. A five-person shop has the same statutory duty as a multinational.
The ICO’s guidance is explicit: you must give people a way to complain, acknowledge within 30 days, investigate without undue delay, and keep records.
“We hardly get complaints”
Low volume does not remove the obligation. You still need:
- A way to receive complaints (form, email, or equivalent)
- Staff who can recognise and escalate data protection complaints
- Records showing how complaints were handled if the ICO asks
A spreadsheet and shared inbox can work if they are maintained with discipline, but they break under staff turnover and lack deadline automation.
What small businesses actually need
Most SMEs do not need a €450/month GRC platform. They need:
- A written procedure (our free template is a start)
- A visible intake route on their website
- Deadline tracking for the 30-day acknowledgement
- An audit trail if the ICO or a client asks
That’s what ComplaintsDesk is built for — complaints only, from £12/month at launch.
Next steps
- Download the free procedure template
- Read the DUAA complaints procedure guide
- Join the waitlist for early access