Understanding the UK Data Use and Access Act 2025: What SMEs need to know
Written by Oluwasegun Victor Alade from Privalex Advisory
The UK’s Data (Use and Access) Act 2025 (DUAA) brings significant changes to the country’s data protection laws.
While the Act still builds on the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR), it introduces updates aimed at simplifying compliance for businesses and encouraging innovation, all while maintaining strong privacy standards.
The Act received Royal Assent on 19 June 2025 and will be phased in over the next year.
Here’s an overview of the key changes you should be aware of as an SME owner.
1 The introduction of ‘Recognised Legitimate Interests’
One of the headline changes in the Act is the introduction of a new lawful basis for processing personal data called “Recognised Legitimate Interests.”
This means that certain types of data processing that serve the public interest, such as national security, crime prevention, emergency responses, or safeguarding vulnerable individuals, are now automatically considered legitimate.
What does this mean for your business? If you’re processing data for these recognised public purposes, you no longer need to conduct a balancing test to weigh the business benefits against individuals’ rights.
This should make compliance easier for businesses involved in public services, security, or emergency response.
However, for other purposes, businesses will still need to carry out a Legitimate Interests Assessment (LIA) to ensure they don’t harm individuals’ rights.
This includes common uses like direct marketing (where PECR rules on consent for emails/SMS still apply).
2 More flexibility with purpose limitation (compatible purposes)
Under previous data protection rules, you could only use personal data for the specific purpose for which it was originally collected.
The DUAA changes this slightly by introducing a list of “automatically compatible purposes.” This list includes areas like crime prevention, emergencies, safeguarding vulnerable individuals, legal obligations (such as tax collection), and scientific or historical research.
For SMEs, this means that if you are processing data for any of these recognised purposes, you don’t need to do a separate compatibility assessment or seek additional consent.
You can reuse existing data without the need for extra checks.
3 Streamlined Subject Access Request (SAR) rules
The DUAA also simplifies the rules around Subject Access Requests (SARs), where individuals request to see what personal data an organisation holds about them.
Now, businesses are only required to conduct “reasonable and proportionate” searches.
This means you must make a genuine effort to locate the requested data, but you don’t have to spend excessive time or resources searching through every possible system.
For example, you don’t need to search the entire company email archive if it’s unlikely the requested data is there.
The law recognises that it’s not always practical to search every single database.
The timeframe to respond to a SAR remains one month, but there’s now a “stop-the-clock” rule.
If you need more information from the requester or to verify their identity, the clock pauses until you receive the necessary details.
4 Changes to international transfers
For businesses transferring data outside the UK, the DUAA changes the rules on international data transfers.
Under the previous law, the recipient country had to have privacy laws “essentially equivalent” to the UK’s.
Now, a country can be deemed “adequate” if its data protection standards are “not materially lower” than those of the UK.
This provides more flexibility for businesses that work internationally, but also introduces some uncertainty, as what is considered “materially lower” can be subjective.
If your business relies on international data transfers, you’ll need to monitor any future guidance from the regulator.
5 Greater flexibility for automated decisions
The Act brings changes to how automated decisions (like those made by AI) are handled.
Under the previous rules, automated decisions with legal or significant effects (such as denying credit or employment) required human involvement.
Now, businesses can fully automate decisions for minor matters (e.g., routine customer service tasks) without needing to involve a human.
However, for more significant decisions, individuals must be informed that the decision was automated and have the right to challenge it, request human involvement, and express their point of view.
If sensitive data (like health information) is involved in automated decision-making, stricter conditions apply, such as needing explicit consent or a legal obligation.
This opens up more opportunities for businesses to use AI but also requires clearer processes to identify and manage significant automated decisions.
6 New internal complaint mechanism requirement
The DUAA introduces a new requirement for businesses to have an internal mechanism to handle complaints about data protection.
If an individual raises an issue about how you’re processing their personal data, you must now have a formal process to acknowledge and resolve their complaint within 30 days.
This helps resolve issues early and builds trust with your customers and employees.
While many businesses already have customer complaint systems in place, the Act sets out clear expectations.
Businesses that handle complaints well can avoid escalation to the Information Commissioner’s Office (ICO), saving time and resources.
7 Updates to cookies and direct marketing rules
The Act brings changes to the rules on cookies and direct marketing, which should be particularly relevant to businesses operating online.
Cookies: Certain cookies, such as those used for website analytics, improving functionality, or security, no longer require explicit consent from users.
Instead, users must be informed and given an option to opt out. This change aims to reduce “cookie banner fatigue” while ensuring user choice.
Direct marketing: The “soft opt-in” rule, which previously applied only to commercial organisations, is now extended to charities and non-profits.
This means charities can send marketing or fundraising emails to people who have recently engaged with them (e.g., donated or shown interest), as long as they give users the opportunity to opt out.
However, it’s important to note that PECR fines for breaches are significantly increased.
The maximum penalty is now up to £17.5 million or 4 per cent of global turnover (whichever is higher), aligning with GDPR-level fines. Businesses need to ensure they comply with these rules to avoid hefty penalties.
Conclusion: What does this mean for SMEs?
The Data (Use and Access) Act 2025 introduces several changes that will make it easier for SMEs to process data while still ensuring high privacy standards.
The Act’s updates, such as recognised legitimate interests, clearer SAR rules, and more flexibility around automated decisions, will reduce some of the administrative burden on businesses.
However, the increased fines for non-compliance (especially under PECR) mean that businesses need to be vigilant.
By implementing clear internal processes for handling data protection, staying updated on international transfer rules, and adhering to new consent and complaint mechanisms, SMEs can continue to comply with the law while making use of the efficiencies the DUAA offers.
For businesses, keeping an eye on evolving regulations and ensuring your data processing activities are well-documented will be essential for making the most of the opportunities presented by these changes.