LONDON, 19 June 2025 – After a complex legislative journey, the Data (Use and Access) Bill received Royal Assent today, officially becoming the Data (Use and Access) Act 2025. This new legislation marks the most significant evolution of the UK’s data protection framework since Brexit, introducing reforms aimed at reducing burdens for businesses while seeking to foster innovation through better use of data.
For the small business owners, freelancers, and marketers who form the backbone of the UK economy, the Act’s arrival brings both change and a degree of certainty. The government has heralded the reforms as a move to a more “common-sense” and “risk-based” approach to data protection. However, the new law also introduces fresh obligations and significantly increases penalties for non-compliance with marketing rules, meaning that understanding the changes is not just advisable, but essential.
This new chapter for UK GDPR is intended to streamline processes that were perceived as cumbersome for smaller enterprises. The Act amends the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, but does not replace their core principles. The primary goal has been to tailor the rules for the UK’s specific economic landscape, a move closely watched by the European Commission as it considers the future of the UK’s data adequacy status, which is crucial for the free flow of data from the EU.
Key Changes Under the Data (Use and Access) Act
The Data (Use and Access) Act introduces several pivotal amendments. While some measures offer flexibility, others demand immediate attention. Here are the most critical changes for small and medium-sized enterprises (SMEs).
A New Approach to Legitimate Interests
One of the most practical changes is the introduction of a set of activities that can be considered a legitimate interest for processing data. Under the previous rules, if you wanted to process personal data without consent, you had to rely on the lawful basis of ‘legitimate interests’. This required a documented three-part assessment (a Legitimate Interests Assessment, or LIA) to balance your interests against the rights of the individual.
The new Act clarifies in the main legislative text that activities such as direct marketing, intra-group administrative data transfers, and ensuring network security may be considered legitimate interests. While you must still ensure your processing is fair and balanced, this change provides greater legal certainty and should reduce the administrative load for these routine business functions.
The End of the Mandatory Data Protection Officer?
The Act replaces the requirement for many organisations to appoint a formal Data Protection Officer (DPO) with a more flexible mandate to designate a ‘Senior Responsible Individual’ (SRI). This individual must be part of the organisation’s senior management, embedding accountability at a higher level.
For many small businesses that were not required to appoint a DPO anyway (as their processing was not large-scale or high-risk), this change may have little direct impact. However, all organisations processing personal data must still have someone overseeing their data protection compliance. The key takeaway is the shift in emphasis: from a designated expert to senior-level ownership of data risk.
Streamlining Data Subject Access Requests (DSARs)
Responding to DSARs—requests from individuals for copies of their personal data—can be a significant drain on resources. The Act introduces a new framework allowing organisations to refuse to respond to requests that are “vexatious or excessive.”
This replaces the previous “manifestly unfounded or excessive” threshold. The Act clarifies that a request may be deemed vexatious if it is intended to cause distress, is not made in good faith, or is an abuse of process. This provides a firmer legal footing for businesses to push back against disproportionately burdensome requests.
Changes to Cookie Consent and Marketing Fines
The rules on cookies have been a persistent headache for website operators. The new Act aims to reduce ‘banner fatigue’ by expanding the categories of cookies that do not require user consent.
Now, consent will not be needed for cookies used for statistical purposes to improve a service, for gathering information to make improvements, or for installing necessary security updates. Users must still be given clear information about these cookies and the ability to opt out.
Crucially, the Act also dramatically increases the penalties for breaches of the Privacy and Electronic Communications Regulations (PECR), which govern cookies and electronic marketing. Fines will now be aligned with UK GDPR, rising from a previous maximum of £500,000 to up to £17.5 million or 4% of global turnover.
Myth vs. Fact: Debunking Misconceptions about the New Act
Myth: UK GDPR is being replaced entirely. Fact: The Data (Use and Access) Act amends UK GDPR and the Data Protection Act 2018; it does not replace them. The core principles, data subject rights, and accountability obligations remain firmly in place. This is an evolution, not a revolution.
Myth: I no longer need to worry about data protection. Fact: The opposite is true. While some administrative burdens have been eased, the Act introduces much tougher penalties for non-compliance with marketing rules. The regulator, the ICO (soon to be reformed into the Information Commission), will have enhanced enforcement powers.
Myth: I can now use any personal data for marketing purposes without an assessment. Fact: While the Act provides more clarity on using legitimate interests for direct marketing, it is not a free pass. You must still ensure your marketing is fair, transparent, and lawful. Individuals retain their absolute right to object to direct marketing; you must make it easy for them to do so.
What Should Your Business Do Now? A Practical Checklist
The provisions of the Data (Use and Access) Act will come into force in stages. However, businesses should act now to prepare.
- Review Your Lawful Bases: Examine your current data processing activities, particularly those that rely on legitimate interests. See how the Act’s clarification can simplify your documentation.
- Update Your Privacy Notice: Your privacy policy must be updated to reflect the changes, especially regarding DSARs and cookie usage. Ensure it is written in plain, accessible language.
- Re-evaluate Your Cookie Banner: Assess the cookies on your website. Can you now operate a less intrusive consent banner based on the new exemptions? Remember to maintain transparency and provide an opt-out.
- Review Your DSAR Procedure: Update your internal process for handling DSARs to reflect the new “vexatious or excessive” threshold. Ensure your staff are trained on these new rules.
- Assess Your Marketing Compliance: Given the dramatic increase in potential fines under PECR, conduct an audit of your email and electronic marketing practices. Ensure you have the right permissions and that your opt-out mechanisms are robust.
- Identify Your Senior Responsible Individual: Even if you do not need an SRI, it is best practice to assign senior-level responsibility for data protection within your business.
The new Data (Use and Access) Act is a significant milestone. It seeks to create a data protection regime that is more agile and less bureaucratic for small businesses. By understanding the changes and taking proactive steps now, you can ensure you not only comply with the law but also continue to build trust with your customers in an increasingly data-driven world.