What the UK’s Data (Use and Access) Act 2025 Means for Small Businesses and What You Should Do Now

The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025. Rather than replacing the UK's data protection rules, it amends the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR), and its provisions are being brought into force in stages. The Act introduces several important changes that affect how small and micro businesses collect, process and manage personal data. 

While the aim is to modernise data protection and help businesses innovate, especially around automated processing and consent, the new rules also bring additional responsibilities. The headline penalty change is that fines under PECR, which covers cookies and electronic direct marketing, rise from a £500,000 cap to the UK GDPR maximum of £17.5 million or 4% of global annual turnover, whichever is higher. Below, we explain what the Act means for your business and the practical steps you should take to stay on the right side of the law. 


Key Changes Under the Data (Use and Access) Act 2025

Simplified Cookie Consent

Previously, cookie banners could be complicated and intrusive, often frustrating users. The Act exempts certain low-risk cookies from the consent requirement, for example cookies used solely for statistics to improve the site or to remember a user's appearance preferences, as long as users are told about them and can object. Consent is still required for advertising and other tracking cookies, and businesses must still: 

  • Use clear, plain language on cookie banners and policies. 
  • Group cookies by purpose such as analytics or advertising. 
  • Give users an easy option to opt out of non-essential cookies. 
  • Keep records of consent and preferences. 

Action: Review your website’s cookie banner and policy to ensure they meet these criteria. 


Broader Permissions for Automated Data Processing

The Act recognises the growing use of automation and AI, including chatbots, marketing automation tools, credit scoring and hiring filters. It removes the general prohibition on solely automated decisions that have a significant effect on people, provided the decision does not rely on special category data (such as health or ethnicity) and safeguards are in place: people must be told that a decision was automated, be able to make representations, obtain a human review, and contest the decision. 

Action: 

  • Audit your business processes for automated elements. 
  • Update your privacy policy to clearly explain how automation is used. 
  • Provide users with information and options if decisions affect them significantly. 


Streamlined Data Subject Access Requests (DSARs)

Responding to DSARs (requests from individuals to see what data you hold about them) is expected to become simpler. The deadline remains one calendar month, but the Act puts two existing ICO practices on a statutory footing: you only need to carry out reasonable and proportionate searches, and the clock stops while you are waiting for identity verification or clarification that you have reasonably requested. 

Action: 

  • Set up a simple DSAR process via email or website. 
  • Prepare template responses to speed up replies. 
  • Assign responsibility for handling requests, even if that is just yourself. 
  • Only ask for ID verification when necessary and proportionate. 
  • Log all requests and your responses. 
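The deadline arithmetic above is where small businesses most often slip: the ICO counts one calendar month to the corresponding date in the next month (or the last day of that month if there is no such date, so a request received on 31 January is due on 28 or 29 February), and any days spent waiting for identity verification or clarification are added back. The following is an added example, not code from the original article or from the ICO; it keeps a minimal DSAR log and computes the response deadline under those rules. The record fields and the sample requests are this example's own constructions.

```python
from calendar import monthrange
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple


def add_calendar_month(start: date) -> date:
    """Return the corresponding date in the following month.

    ICO guidance: count to the same date next month; if that month is
    shorter and has no such date, use its last day (31 Jan -> 28/29 Feb).
    """
    year, month = (start.year + 1, 1) if start.month == 12 else (start.year, start.month + 1)
    last_day = monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass
class DsarRecord:
    """One row of a DSAR log. Field names are this example's own choice."""
    requester: str
    received: date
    channel: str                      # e.g. "email" or "web form"
    # (asked, answered) date pairs: the clock stops while you await ID or clarification
    pauses: List[Tuple[date, date]] = field(default_factory=list)
    responded: Optional[date] = None

    def paused_days(self) -> int:
        # Only whole days count; a question answered the same day pauses nothing.
        return sum((answered - asked).days for asked, answered in self.pauses)

    def deadline(self) -> date:
        """One calendar month from receipt, pushed back by any stopped-clock days.

        Deliberately conservative: the ICO lets a deadline that lands on a
        weekend or bank holiday roll to the next working day; this does not.
        """
        return add_calendar_month(self.received) + timedelta(days=self.paused_days())

    def is_overdue(self, today: date) -> bool:
        return self.responded is None and today > self.deadline()


def overdue_requests(log: List[DsarRecord], today: date) -> List[str]:
    """Names of requesters whose response deadline has passed without a reply."""
    return [r.requester for r in log if r.is_overdue(today)]


if __name__ == "__main__":
    # Constructed sample log entries, not real requests.
    log = [
        DsarRecord("A. Example", date(2025, 3, 31), "email"),           # due 30 Apr 2025
        DsarRecord("B. Example", date(2025, 9, 3), "web form",
                   pauses=[(date(2025, 9, 4), date(2025, 9, 10))]),     # +6 days: due 9 Oct 2025
        DsarRecord("C. Example", date(2025, 1, 31), "email", responded=date(2025, 2, 20)),
    ]
    for r in log:
        print(f"{r.requester}: received {r.received}, respond by {r.deadline()}")
    print("overdue on 1 Oct 2025:", overdue_requests(log, date(2025, 10, 1)))
```

A spreadsheet can hold the same columns; the point of the code is the two rules that a spreadsheet's "add 30 days" formula gets wrong, namely month-end clamping and the stopped clock. Because the deadline is computed, not typed in, the overdue check can be run daily against the whole log.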


Clearer, More Transparent Privacy Policies

The Act places increased emphasis on plain English privacy notices that clearly state: 

  • What personal data you collect 
  • Why you collect it 
  • How you process it, including any automated processing 
  • Who you share it with 
  • How long you keep it 
  • User rights and how to exercise them 

Action: Rewrite your privacy policy to make it easy to understand and ensure it is easy to find on your website. 


Staff Training and Documentation

The maximum UK GDPR fine is unchanged, but PECR fines for marketing and cookie breaches now reach the same level, and enforcement action of any size brings reputational damage. Ignorance is no defence, so everyone handling data must understand their responsibilities. 

Action: 

  • Provide annual refresher training for staff. 
  • If you are a solo business, document your compliance activities carefully. 


Reassess Your Legal Basis for Processing Data

The lawful bases from the UK GDPR remain. The Act adds a short list of "recognised legitimate interests" (such as crime prevention, safeguarding and emergencies) that need no balancing test, but routine business uses such as marketing still require the full assessment and documentation. 

Action: 

  • Review your legal basis for each data use, such as consent, contract or legitimate interest. 
  • Avoid misusing "legitimate interest" by ensuring it passes the three-part test: purpose (a genuine reason), necessity, and a balancing test against the individual's rights. 
  • Document your decisions in a Legitimate Interest Assessment (LIA). 


Review Third-Party Data Processors

Although there is no direct change here, higher fines mean you need to be more careful about the platforms and suppliers you use that process data on your behalf such as CRMs, email marketing, or booking tools. 

Action: 

  • Check that each supplier has signed a written contract containing the processor terms required by Article 28 of the UK GDPR, and ask for their security assurances. 
  • Check where each supplier stores and processes data: transfers outside the UK need adequacy regulations or a transfer mechanism such as the ICO's International Data Transfer Agreement (IDTA). 


Keep Clear Records: The Accountability Principle

The Act reinforces the need to keep basic records showing how you handle personal data including: 

  • What data you collect 
  • Why you collect it 
  • Who you share it with 
  • Your legal basis for processing 
  • How long you keep data 

Action: Maintain a simple Data Protection Record such as a spreadsheet or document for internal use. 


Assess Your Risk of Data Breach

With higher fines and reputational damage at stake, even small breaches matter. 

Action: 

  • Use strong, unique passwords and enable two-factor authentication, especially on email and admin accounts. 
  • Encrypt sensitive data and keep regular backups. 
  • Protect email accounts carefully. 
  • Have a basic breach response plan covering what to do, who to notify and when: report to the ICO within 72 hours of becoming aware of a breach unless it is unlikely to pose a risk to individuals, and tell the affected individuals without undue delay if the risk to them is high. 


Keep an Eye on EU Data Adequacy

The UK's data adequacy status with the EU is being reviewed in light of these changes. If adequacy were withdrawn, EU organisations sending you personal data would need additional safeguards, such as Standard Contractual Clauses (SCCs), before doing so. 

Action: 

  • Monitor EU adequacy status updates if you work with EU customers or suppliers. 
  • Keep your records of processing and security measures up to date so you can evidence them if an EU partner needs to put SCCs in place. 


Understanding Legitimate Interest for Marketing 

Legitimate interest remains a valid lawful basis to process personal data without consent if: 

  • You have a genuine business reason 
  • The processing is necessary 
  • It does not override the individual’s rights 

When can you use it? 

  • Marketing to existing customers 
  • Marketing to people who have shown clear interest, such as by downloading a guide 
  • Re-engaging warm leads or business contacts (B2B) 

When is it NOT appropriate? 

  • Cold marketing to individuals with no prior interaction 
  • Using purchased lists without consent 
  • Adding people after scraping public data 

Action: If using legitimate interest for marketing, complete a Legitimate Interest Assessment, be transparent in your privacy policy, provide easy opt-outs, and respect those opt-outs immediately. Remember that legitimate interest only covers the UK GDPR side: email and SMS marketing to individuals (including sole traders) also needs PECR consent, or the "soft opt-in" for existing customers who were offered an opt-out when their details were collected, and PECR breaches now attract UK GDPR-level fines. 


What is a Data Register and Why You Need One 

A Data Register (or Record of Processing Activities) is a simple document that tracks: 

  • Types of personal data collected 
  • Reasons for collection 
  • Legal basis 
  • Storage locations 
  • Data sharing 
  • Retention periods 

It helps you show compliance to the ICO, speeds up DSARs, and clarifies responsibilities internally. 


Final Thoughts 

The Data (Use and Access) Act 2025 introduces important changes to help businesses manage data more efficiently and transparently. While it simplifies some processes, it also raises expectations for accountability and transparency with stricter penalties for non-compliance. 

If you run a micro or small business, now is the time to review your data practices, update policies, and train staff or yourself on the new rules. 

If you would like help understanding or implementing the changes mentioned above, we offer a free 30-minute consultation with our specialists.

Talk to a Digital Expert