The UK has new data protection laws. Again. But before you start panicking about another massive compliance overhaul, take a breath. This isn’t GDPR 2.0 – it’s more like GDPR 1.1.
The Data (Use and Access) Act 2025 became law on 19 June 2025¹, and while it sounds scary, most small and medium businesses won’t need to tear up their existing data protection policies and start again.
TL;DR: The new Act makes some helpful tweaks to existing rules², introduces some useful flexibilities for businesses, but also increases maximum penalties for certain marketing violations³. Most SMEs can stick with what they’re doing for now, but there are a few things worth knowing about. And crucially – most changes haven’t actually taken effect yet⁴.
What Actually Changed (And What Didn’t)
Here’s the thing that most articles won’t tell you upfront: your existing UK GDPR compliance still applies. The new Act doesn’t replace the UK GDPR, Data Protection Act 2018, or PECR (the cookie and email marketing rules)². It just tweaks them.
Think of it like a software update rather than buying a new computer.
The Good News for Small Businesses
1. Scientific Research Got Clearer
The Act now defines scientific research as any research that can reasonably be described as scientific, whether publicly or privately funded and whether commercial or not⁴. If your product development genuinely fits that description, you can ask people for "broad consent" to an area of research where the specific studies can't be identified up front, so you don't have to go back for permission every time you run a new one, provided the work follows recognised ethical standards. Routine market research or customer-satisfaction surveys won't automatically qualify, so don't stretch the label.
2. Automated Decision-Making Rules Relaxed
Remember those strict rules about using algorithms to make decisions about people? They've been loosened⁴. If you use software to automatically approve loans, filter job applications or recommend products, you have more room to do so without a human in the loop, as long as you're not using special category data such as health information. You still owe the person safeguards: tell them a solely automated decision was made, let them make representations, and give them a route to human review and to contest the decision.
3. Some Pre-Approved "Recognised Legitimate Interests"
The Act introduces a short list of "recognised legitimate interests" – preventing or detecting crime (which covers fraud), safeguarding vulnerable people, responding to emergencies and answering requests from public bodies – for which you no longer have to do the balancing test⁴. It also names network and information security and direct marketing as examples of ordinary legitimate interests, but for those you still need the usual legitimate interests assessment; the saving is in the balancing paperwork for the listed activities, not a blanket pass for "security stuff".
4. Cookie Rules Get More Sensible
Strictly necessary cookies never needed consent. The Act adds a few more low-risk exemptions, notably cookies used purely for statistical purposes to improve your own site and cookies that adapt the site's appearance or functions to the visitor's preferences¹⁰. You still have to tell people about them and offer a simple way to opt out, but you won't need a consent pop-up for them. Advertising and cross-site tracking cookies still need consent.
The Reality Check on Penalty Increases
Yes, the maximum PECR fine (for the rules about email marketing and cookies) is rising from £500,000 to £17.5 million or 4% of global annual turnover, whichever is higher⁶,¹⁰ – the same ceiling as for UK GDPR breaches. But let's be honest about what this actually means:
What triggers these fines:
- Sending spam emails or texts without consent
- Making nuisance phone calls
- Using tracking cookies without proper consent
- Serious, systematic breaches of marketing rules
What this means in practice:
- The ICO already fines companies for these things – this just increases the maximum penalty
- You’re not suddenly at risk if you’re already following basic email marketing rules
- The ICO has always been more active on PECR enforcement than GDPR anyway
- These are maximum penalties for serious, repeated violations
The key point: If you’re getting proper consent for email marketing and your cookie banner actually works, you’re probably fine. The businesses that get PECR fines are usually the ones sending thousands of spam emails or making illegal cold calls.
When Do These Changes Actually Happen?
Here’s the crucial bit that’s missing from most coverage: The Act is law, but most changes haven’t taken effect yet.
The government is implementing changes in phases using secondary legislation⁴:
- Some changes: 2-6 months after Royal Assent (August-December 2025)
- Most changes: Within 12 months (by June 2026)
- Complex stuff: When secondary legislation is ready
The government hasn’t published exactly which changes happen when yet. The ICO is saying they’ll provide guidance as things come into effect⁶.
What this means: You don’t need to panic and change everything right now. But it’s worth understanding what’s coming so you can prepare.
What Should Your SME Actually Do Right Now?
Immediate Actions (Next 30 Days)
1. Review Your Email Marketing Setup (If You Do Email Marketing)
Not because the rules have changed, but because the potential penalties are higher. Make sure you're rock solid on:
- Getting proper consent before sending marketing emails or texts, or meeting every condition of the "soft opt-in" for existing customers (details collected during a sale, similar products only, an opt-out offered at collection and in every message)
- Making unsubscribe easy and processing it quickly
- Keeping records of when and how people consented: the date, the source (which form or page) and the wording they agreed to
2. Check Your Cookie Compliance
Same reason. Open your site in a fresh private browsing window with the developer tools open and, before clicking anything on the banner, look at the Application/Storage and Network tabs: only strictly necessary cookies should be set and no analytics or advertising scripts should have loaded. Then confirm that "reject" is as easy to find as "accept" and that it actually stops those tags from loading.
3. Sign Up for ICO Updates
The ICO will be publishing new guidance over the coming months⁶. Get on their mailing list so you know when important updates are published.
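As an added example (not code from this article, the ICO or any vendor), here is a minimal consent gate in browser JavaScript that covers both of the checks above: it keeps a dated, versioned consent record of the kind you would want to show for email marketing or cookies, and it refuses to load any non-essential script until a current opt-in exists. The storage key, the category names, the version string and the analytics URL are assumed placeholders.

```javascript
// Added example: consent-gated tag loading with an auditable consent record.
// Not code from the original article or from any regulator; the storage key,
// category names, version string and the analytics URL are assumed.

const CONSENT_VERSION = "2025-06";      // bump when banner wording or categories change
const STORAGE_KEY = "consent_record";   // assumed key name

// Storage is injectable: an in-memory map by default (so this runs under Node),
// window.localStorage in a browser via useStorage(window.localStorage).
const memoryStore = new Map();
let storage = {
  getItem: (k) => (memoryStore.has(k) ? memoryStore.get(k) : null),
  setItem: (k, v) => { memoryStore.set(k, String(v)); },
  removeItem: (k) => { memoryStore.delete(k); },
};
function useStorage(s) { storage = s; }

// Write the record a regulator would ask for: what was agreed, when, from where,
// and against which version of the banner wording.
function recordConsent(choices, source) {
  const record = {
    version: CONSENT_VERSION,
    timestamp: new Date().toISOString(),
    source,                                  // e.g. "banner", "preferences-page"
    choices: {
      analytics: choices.analytics === true, // only a literal true counts as opt-in
      marketing: choices.marketing === true,
    },
  };
  storage.setItem(STORAGE_KEY, JSON.stringify(record));
  return record;
}

// Opt-out must be as easy as opt-in: drop the record and treat the user as "not asked".
function withdrawConsent() {
  storage.removeItem(STORAGE_KEY);
}

// Read back the stored record; a record for an older banner version is ignored
// so the user is asked again after a material change to the wording.
function readConsent() {
  const raw = storage.getItem(STORAGE_KEY);
  if (raw === null) return null;
  try {
    const record = JSON.parse(raw);
    return record.version === CONSENT_VERSION ? record : null;
  } catch (e) {
    return null;
  }
}

// "essential" (strictly necessary) never needs consent; everything else is off
// until an explicit, current opt-in exists. No record at all means "no".
function isAllowed(category) {
  if (category === "essential") return true;
  const record = readConsent();
  return record !== null && record.choices[category] === true;
}

// Tags register with a category; the loader runs only once consent exists.
const pending = [];
function registerTag(category, loader) {
  if (isAllowed(category)) { loader(); return true; }
  pending.push({ category, loader });
  return false;
}

// Call after the banner is answered or preferences change; returns how many
// deferred tags were released on this pass.
function flushPending() {
  let released = 0;
  for (let i = pending.length - 1; i >= 0; i--) {
    if (isAllowed(pending[i].category)) {
      pending[i].loader();
      pending.splice(i, 1);
      released++;
    }
  }
  return released;
}

// Browser-only helper: the single place a third-party script tag is created, so
// nothing non-essential can load except through registerTag(). No-op under Node.
function injectScript(src) {
  if (typeof document === "undefined") return false;
  const s = document.createElement("script");
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
  return true;
}

// Example wiring (placeholder URL): the analytics tag stays queued until the
// visitor opts in, so nothing non-essential loads on first paint.
registerTag("analytics", () => injectScript("https://example.invalid/analytics.js"));
```

In a real page you would call useStorage(window.localStorage) before the banner renders, call recordConsent() from the banner's buttons and flushPending() straight after. Tying the record to a version string is the design choice worth copying: it means a change to what you ask for automatically invalidates old consents instead of silently carrying them over.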
Medium-Term Planning (Next 6 Months)
1. Consider If You Want to Use the New Flexibilities
When the detailed guidance comes out, look at whether the new research provisions or legitimate interests rules could make your life easier.
2. Set Up a Complaints Route
The Act requires every controller to make it easy for individuals to complain about how their data is handled (for example a form or a dedicated mailbox), to acknowledge the complaint within 30 days and to respond without undue delay. Decide now who owns this. It doesn't have to be a Data Protection Officer, and the rules on when you need a DPO haven't changed.
3. Watch the EU Adequacy Decision
The EU has extended the UK's "adequacy decisions" (which let personal data flow freely from the EU to the UK) until 27 December 2025. If they lapse, you would need transfer safeguards such as standard contractual clauses for data coming from EU customers or suppliers.
Don’t Panic About
Brexit Divergence Fears
Yes, some privacy campaigners are worried the UK is moving away from EU standards. But realistically, the changes are pretty minor. The government clearly wants to keep that adequacy decision.
Major Policy Overhauls
This isn't a fundamental rewrite of data protection law. Your existing privacy policies, data retention schedules, and compliance procedures are still valid.
Immediate Compliance Changes
Most of the new rules aren't in effect yet, and when they are, they'll mostly give you more options rather than requiring you to do things differently.
The EU Adequacy Situation: Should You Care?
If you’re a purely domestic UK business, probably not much. But if you:
- Have customers in the EU
- Use suppliers or services based in the EU
- Transfer any personal data to/from the EU
Then you should keep an eye on this. The EU adequacy decisions were originally set to expire on 27 June 2025, but the European Commission proposed a six-month extension until 27 December 2025¹². This extension was specifically designed to give the Commission time to assess the UK's new Data (Use and Access) Act once it became law¹³.
The European Data Protection Board (EDPB) has emphasised this is “a technical and time-limited extension” to allow the Commission to evaluate whether the UK’s updated data protection framework still meets EU standards¹⁴. If the assessment is positive, the Commission will propose to renew the UK adequacy decisions. If not, businesses may need additional safeguards for UK-EU data transfers.
Most experts think it’ll be fine, but it’s worth monitoring.
Real Talk: Is This Actually a Big Deal?
For most SMEs? No, not really.
The fundamentals of UK data protection law haven’t changed. You still need to:
- Have a lawful basis for processing personal data
- Be transparent about what you’re doing
- Keep data secure
- Respect people’s rights
- Only collect what you need
The new Act just gives you a few more options and clarifies some grey areas.
The main thing to watch: If you do email marketing or have a cookie-heavy website, make sure you’re getting this right. Not because the rules have changed, but because the potential consequences of getting it wrong are now much higher.
When to Get Professional Help
You should consider getting legal or compliance advice if:
- You do significant direct marketing (email, SMS, phone calls)
- You process large amounts of personal data
- You use automated decision-making systems
- You’re in a regulated industry (finance, healthcare, etc.)
- You transfer data internationally
- You’re developing AI or research-heavy products
For everyone else, keeping up with ICO guidance and maintaining your existing good practices should be sufficient.
A Realistic Timeline
Right now (June-August 2025):
- Nothing immediate needs to change
- Review your email marketing and cookie compliance to make sure it’s solid
- Sign up for ICO updates
End of 2025:
- Some provisions may come into effect
- ICO will publish more detailed guidance
- EU adequacy decision review will conclude
Mid-2026:
- Most changes should be in effect
- You’ll know exactly what’s required and have had time to prepare
The Bottom Line
The Data (Use and Access) Act 2025 is evolution, not revolution. Most of the headlines about “major data protection reform” are overblown.
Yes, maximum PECR penalties are increasing dramatically. But this affects businesses that are already breaking the rules, not those following basic good practices.
The Act mostly gives businesses more flexibility while maintaining privacy protections. For most SMEs, that’s exactly what it does – as long as you don’t get caught out by those higher penalties for marketing violations.
Focus on making sure your current compliance is solid, keep an eye on ICO guidance as it emerges, and don’t panic about needing to rebuild your entire data protection program.
The reality: If you’re already doing the basics right – getting consent for marketing emails, having a working cookie banner, keeping data secure – you’re probably in good shape. The new law is more likely to make things easier for you than harder.
This article is current as of June 2025. Implementation dates and guidance are still being finalized, so check the ICO website for the latest updates. When in doubt, get professional advice – but don’t assume you need to change everything just because there’s a new law.
Sources and Further Reading
Official Sources:
1. Data (Use and Access) Act 2025 (Full Act): https://www.legislation.gov.uk/ukpga/2025/18/enacted
2. UK Parliament – Data (Use and Access) Act 2025: https://bills.parliament.uk/bills/3825
3. ICO – Data (Use and Access) Act 2025 Overview: https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/
4. ICO – What the DUAA means for organisations: https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/the-data-use-and-access-act-2025-what-does-it-mean-for-organisations/
5. ICO – Detailed summary of changes (for experts): https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/the-data-use-and-access-act-2025-duaa-summary-of-the-changes/
6. ICO Press Release: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/06/uk-organisations-stand-to-benefit-from-new-data-protection-laws/
EU Adequacy Extension:
7. European Commission – Data protection adequacy decisions: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
8. European Data Protection Board Opinion on UK Extension: https://www.edpb.europa.eu/news/news/2025/european-patent-organisation-and-extension-adequacy-decisions-uk-edpb-adopts_en
Expert Commentary:
9. Pinsent Masons – EU-UK data adequacy extension analysis: https://www.pinsentmasons.com/out-law/news/eu-uk-data-adequacy-extension
10. Taylor Wessing – ePrivacy reforms analysis: https://www.taylorwessing.com/en/global-data-hub/2024/the-uks-data-use-and-access-bill/eprivacy-reforms-in-the-uks-data-use-and-access-bill
11. A&L Goodbody – Key changes explained: https://www.algoodbody.com/insights-publications/the-data-use-and-access-act-2025-key-changes-explained
12. Hill Dickinson – Practical overview: https://www.hilldickinson.com/insights/articles/data-use-and-access-act-2025