No, you don't need a web form for data complaints

Carl Heaton · Security Commentary

From 19 June 2026, every UK organisation that handles personal data has to operate a process for data protection complaints. The duty comes from section 103 of the Data (Use and Access) Act 2025, which inserts a new section 164A into the Data Protection Act 2018. It applies to every controller, including small businesses and charities.

The deadline is real. The duty is real. A lot of the guidance circulating about how to meet it is overstated.

What the law actually says

Here is the operative sentence on facilitation, in full:

"A controller must facilitate the making of complaints under this section by taking steps such as providing a complaint form which can be completed electronically and by other means."

The phrase that matters is "such as." It is the statutory equivalent of "for example." A complaint form is one way of facilitating complaints. It is not a legal requirement. The ICO's own February 2026 guidance confirms this. It lists a complaint form, an email address, a phone line, a portal, a live chat, and "in person" as equally valid options for satisfying the duty. The specific method is your choice.

The statute also tells you what you must do with whatever route you provide:

  • Acknowledge receipt within 30 days.
  • Take appropriate steps in response, including making reasonable enquiries.
  • Keep the complainant informed of progress, and tell them the outcome.

And a critical point that is easy to miss: a complaint does not have to arrive through your designated route. If someone phones, emails, tweets, or stops you in the corridor with a data protection complaint, that counts. You can invite people to use a specific channel. You cannot reject a complaint because they didn't.

Why "you must have a web form" keeps appearing

Read a dozen law-firm briefings on the new regime and you will find roughly two readings of the same statute. The accurate one says "facilitate by some reasonable means, form is one example." The overstated one says "an electronic form plus at least one alternative route such as email or post." The second version has spread because it sounds like a tidy two-item checklist and is easier to advise on than "demonstrate facilitation."

There is no harm in having a form. Several large organisations will choose one for accessibility and audit reasons. The problem is that the overstated reading is now reaching SMEs as "you must build a privacy compliance portal by June," and a procurement conversation about a portal is precisely the sort of thing the new regime does not require.

What an SME actually needs

A workable process for a 20-person business is short.

  • A clearly named complaints route. A dedicated email address (privacy@… or dataprotection@…) on the privacy page, signposted with the words "data protection complaint" rather than buried in a generic contact form. The ICO's guidance is explicit that an email address is sufficient. If you prefer a form, use a form. If you prefer a phone number, use a phone number. The duty is to facilitate, not to platform.
  • A 30-day acknowledgement commitment in your privacy policy. This is the only statutory time limit on the controller side. Most SMEs can comfortably commit to faster, but the floor is 30 days.
  • A statement that complainants should come to you first. Most privacy policies currently say "if you have a complaint, contact the ICO." From 19 June that is the wrong order. The complainant should raise the concern with the controller first; the ICO is the escalation route if the controller doesn't respond or the response is unsatisfactory.
  • A named owner. One person who reads the inbox, logs the complaint, decides on the response, and signs it off. In a small business that is usually the operations director or company secretary. Not the marketing team.
  • A simple log. Date received, who from, what they alleged, what you investigated, when you replied, the outcome. A single spreadsheet is fine. The log is what you produce if the ICO asks whether you operate the process.

Everything else is optional. A separate /privacy-complaints page is fine. A form is fine. A live chat is fine. None of those is required by the statute.

What this exposes about how compliance gets sold

The drift from "facilitate" to "must have an electronic form" is small, but it is the seam where compliance theatre gets in. A web form is something an SME can be sold. "Read the legislation, commit to a 30-day reply, and update the relevant paragraph in your privacy policy" is something an SME can do this afternoon, without buying anything.

Both reach the same destination. One of them is more expensive and creates an impressive-looking page in the privacy section. The other is what the law actually asks for.

What to do this month

  • Pick the route (email is fine; phone or form if you prefer).
  • Pick the owner.
  • Add a paragraph to your privacy policy with the route, the 30-day acknowledgement, and the "complain to us first" wording.
  • Write the acknowledgement template.
  • Decide where the log lives.

That is the entire piece of work for most small businesses. None of it requires new software. None of it requires a web form.

How Steelwise can help

Reading what the legislation actually says, deciding what fits a small business that doesn't need a portal, and joining it up with the privacy policy you've already got is the kind of work we do for clients. Get in touch.
