Well, third time lucky. New data protection legislation has (finally) been given Royal Assent. You might have seen headlines this week about the Data (Use and Access) Act 2025 (DUAA). I say third time lucky because this is the third time a data protection bill has been put forward, but the only one that has made it onto the statute book. It’s being called the biggest data protection update since GDPR, but before you panic, take a breath. This new law is more evolution than revolution.

The DUAA is not an overhaul. It tweaks the UK GDPR and the Data Protection Act 2018 rather than replacing them. Think of it as a refresh of UK GDPR that aims to make data protection more straightforward, more business-friendly, and supportive of innovation, all while keeping people’s rights front and centre. Most of the changes are designed to give you more flexibility, rather than introducing new, unfamiliar obligations.

So, what does this mean for your business? Let’s break it down.

What is the Data (Use and Access) Act?

The Data (Use and Access) Act 2025 was passed to amend (not replace) three key pieces of data law in the UK:

  • The UK GDPR
  • The Data Protection Act 2018
  • The Privacy and Electronic Communications Regulations (PECR)

The goal? To support innovation and growth, particularly for businesses using data in creative or technology-driven ways, while still safeguarding personal information and individual rights.

The changes will be phased in between June 2025 and June 2026, giving everyone time to adjust.

What’s Changing?

Here are some of the key updates that may affect small businesses like yours:

1. Simplified lawful bases for processing

A new category—“recognised legitimate interests”—has been introduced. This means that for certain activities (like safeguarding national security or preventing crime), you no longer have to go through a balancing test to justify your use of personal data.

While this won’t affect most day-to-day SME operations, it signals a shift toward making data protection less burdensome.

2. Clarity around scientific research and reuse

If you conduct research or support organisations that do, the rules on using personal data for scientific research are now clearer, including the ability to reuse data for research without issuing a fresh privacy notice, as long as appropriate safeguards are in place. This also supports businesses that use AI or develop digital tools that rely on data insights.

3. Cookie consent relaxed

PECR has been amended so that you can use cookies for analytics (statistical) and certain functional purposes without asking for consent first, provided you still tell users clearly what the cookies do and give them a simple way to opt out. This could make your website smoother and less reliant on constant pop-ups.

What this means for you: You’ll still need a cookie policy, but you might be able to reduce the number of consent requests, making your site feel more user-friendly.

4. More flexibility with direct marketing

It’s now clearer that direct marketing can be considered a legitimate interest—something many of us assumed, but it’s helpful to have this confirmed in law. For charities, there’s even a new “soft opt-in” right for electronic marketing if someone has shown interest in their cause.

5. Changes to Subject Access Requests (SARs)

The DUAA introduces a more proportionate approach to SARs. You only need to conduct reasonable and proportionate searches, which helps reduce the admin burden, particularly for small teams.

6. Children’s data responsibilities

If you run an online service likely to be accessed by children, there is now an explicit legal duty to consider their needs. If you’re already aligned with the Age Appropriate Design Code, you’re on the right track—but it’s a good moment to double-check.

7. Stronger complaint-handling expectations

You’ll be expected to:

  • Offer an accessible way for people to raise concerns (think: a contact form or email address)
  • Acknowledge complaints within 30 days
  • Respond without undue delay

This aligns with good customer service anyway, but now it’s a compliance requirement.


What’s Not Changing?

Notably, the UK GDPR remains in effect.

If you’ve already taken steps to get your policies, privacy notice, and practices in shape, you’re not starting from scratch. The DUAA adds clarity and flexibility, but the foundations of data protection (transparency, fairness, purpose limitation, security, rights) are still intact.


What Do Small Businesses Need to Do Now?

Here’s a practical checklist for small businesses getting ready for the DUAA:

✅ 1. Familiarise yourself with the key changes

Understanding what’s changing gives you the confidence to act without feeling overwhelmed. Start by reading the ICO’s DUAA guidance or using this blog as your reference point.

✅ 2. Review your privacy notice

Now is a great time to review your privacy notice to ensure it is clear, accessible, and comprehensive, covering all the ways you process data, including analytics cookies, marketing, and complaint handling.

✅ 3. Check your cookie use

Are you using cookies for website stats or performance improvements? You may now be able to rely on the new exemption, saving you (and your website visitors) some extra clicks.

✅ 4. Assess your complaint-handling process

Make it easy for individuals to raise concerns. Consider a simple form on your website or a clear email contact. Ensure your team is aware of the 30-day acknowledgement requirement, and that the full response must then follow without undue delay.

✅ 5. Double-check any services used by children

If your products or services are likely to be accessed by children—even unintentionally—you’ll need to consider this explicitly. Review the Age Appropriate Design Code if this applies to you.

✅ 6. Stay informed

The ICO is updating its guidance gradually between now and 2026. Sign up for their newsletter or follow trusted advisers (like me!) to stay ahead without being overwhelmed.


A Word of Reassurance

I know what it feels like when new legislation lands—it can seem like yet another thing to add to the never-ending small business to-do list. But this law isn’t here to trip you up.

The Data (Use and Access) Act 2025 aims to make things simpler, not scarier.

If you already have your data protection basics in place—clear policies, secure systems, a lawful basis for marketing—you’re in a strong position. Use this moment as a chance to refresh rather than rebuild.


Need a Hand?

If you’d rather not wade through guidance documents or wonder what counts as a “reasonable and proportionate” search, you don’t have to do it alone.

I help small businesses simplify data protection with real-world advice, done-for-you documents, and affordable training.

📩 Book a free call to see how we can help you understand what DUAA means for your business—and how to stay compliant, confident and focused on what you do best.

Michelle Molyneux Business Consulting Ltd
Making data protection doable for growing service-based businesses.
Friendly. Expert. Non-jargon. Always on your side.