Data (Use and Access) Act 2025: Comprehensive SME Insight
- Quantum Risk Solutions

- Jun 20
Updated: Jun 23
The Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025, marks a significant update to the UK’s data protection landscape. Rather than replacing the UK GDPR, the Data Protection Act 2018, or PECR, it thoughtfully amends and extends them. The goal? To boost innovation and economic growth while keeping privacy safeguards firmly in place.
For SMEs, this presents both a compliance curveball and a golden opportunity. Think: less red tape in some areas (finally!) but stricter expectations in others - yes, including the much larger fines now available under PECR. What we’re already seeing across the SME space is that early engagement is paying off - whether that’s simplifying DSAR workflows or tightening up cookie practices before the new enforcement powers are used.
Implementation will be phased between June 2025 and June 2026. Some changes - like the revised DSAR framework - take effect sooner. Others, such as smart data schemes, will be introduced incrementally through secondary legislation and ICO guidance.
This staggered rollout offers a crucial window - not just to tick the compliance boxes, but to embed smarter data practices that support resilience and growth. And while the regulatory landscape is shifting, it doesn’t have to be overwhelming. With the right framing, this is less about reacting - and more about readiness with purpose.

Key Changes and What They Mean for Your SME
🧠 Smart Data Schemes – Open Banking Grows Up
The Act lays the groundwork for sector-specific Smart Data Schemes - expanding the Open Banking concept into sectors like energy, telecoms, insurance, and more. These schemes aim to make real-time, secure data sharing more transparent and consistent across industries.
While the technical and legal details will land through secondary legislation, SMEs should begin assessing how their systems might integrate with these frameworks. We’ve seen early-mover SMEs already exploring collaborative use cases - from joint services to data-driven product development.
Action: Mapping your data-sharing landscape now can uncover gaps, risks, or revenue opportunities you hadn’t clocked.
🔍 DSARs Get a Makeover – Practicality at Last
DSARs (Data Subject Access Requests) just became more manageable. Organisations are now only expected to perform “reasonable and proportionate” searches for the requested information. The one-month clock also stops running while you are seeking clarification of an ambiguous request, and does not start until you have confirmed the requester’s identity - so document the date of each clarification request and identity check, because the response deadline is calculated from them.
We’re helping SMEs streamline their workflows to reflect this, cutting back on over-engineered search processes that drain time and resource.
Action: Build in a triage step. Train your team to identify when it’s appropriate to pause. DSARs should feel structured, not stressful.
🤖 Automated Decision-Making – Less Banned, More Balanced
The Act relaxes the previous restrictions on solely automated decisions that have legal or similarly significant effects - so long as the decision does not rely on special category data (where the stricter rules remain) and the required safeguards are in place: telling the individual about the decision, letting them make representations, obtain human intervention and contest the outcome.
If you’re already using AI or automation (for example in recruitment screening, credit risk, or marketing), this opens up greater flexibility. That said, the onus is on you to build transparency, challenge mechanisms, and clear human review options.
Action: Document your ADM logic and design meaningful human-in-the-loop processes - especially where decisions impact funding, eligibility, or employment.
🍪 Cookies and PECR – Consent Lite, Fines Heavy
You’ll no longer need consent for some low-risk cookies, such as first-party analytics used to improve your own service or cookies that store a user’s display preferences - but you must still tell users about them and offer a way to object. At the same time, PECR fines now match UK GDPR levels: up to £17.5 million or 4% of global annual turnover, whichever is higher, instead of the previous £500,000 cap.
The enforcement uplift is real. SMEs should act now to simplify their banners, clarify cookie categories, and review marketing practices from top to footer.
Action: Don’t wait for a warning. Start with a cookie audit and marketing consent review - you’ll likely uncover a few low-hanging fixes.
🌍 International Transfers - “Not Materially Lower” Is the New Test
Transfers to third countries now use a “not materially lower” standard of protection - intended to give organisations more flexibility than the old “essentially equivalent” test.
That said, it still requires rigorous scrutiny and documentation. SMEs dealing with overseas processors (or platforms hosted outside the UK) need to update their adequacy assessments accordingly.
Action: Check your IDTAs, UK Addendums to the EU SCCs, and vendor platforms - especially vendors whose hosting, support or sub-processor locations are unclear, since a contract alone does not tell you where the data actually goes.
⚖️ Recognised Legitimate Interests – Simpler, But Not a Free Pass
A new lawful basis of “recognised legitimate interests” now exists, covering a fixed statutory list: disclosures to public bodies, national security and public security, responding to emergencies, preventing, detecting and investigating crime, and safeguarding vulnerable individuals. For these purposes the balancing test is dropped, but you still must show the processing is necessary for that purpose. Separately, the Act names direct marketing, intra-group sharing for internal administration, and network and information security as examples of processing that “may” be a legitimate interest - these still require the full Legitimate Interest Assessment (LIA), the Act simply removes the doubt about whether the basis can apply.
We’ve found that documenting these “lightweight LIAs” upfront protects SMEs when challenged and speeds up procurement or audit reviews.
Action: Update your lawful basis records and revisit your privacy notice language to reflect this streamlined approach.
🧑‍⚖️ ICO Rebrand – Meet the Information Commission
The Information Commissioner’s Office (ICO) will transition into a new statutory body: the Information Commission, governed by a board rather than a single commissioner. It retains full enforcement powers, but must now also have regard to the desirability of promoting innovation and competition when carrying out its functions.
This subtle shift suggests a regulator more open to SME realities - especially those driving innovation responsibly.
We’re cautiously optimistic - regulatory engagement may become less combative and more cooperative, if the groundwork is laid clearly.
📣 Formal Complaints Process – Time to Step It Up
Controllers must now make it easy for individuals to complain directly to them about how their personal data is handled. That means an accessible route such as an online complaint form, acknowledgement of receipt within 30 days, and a substantive response without undue delay.
And no, a buried inbox link with vague auto-replies won’t cut it. Treat complaints like micro-DSARs - with proper tracking, resolution steps, and an escalation path.
Action: Publish a dedicated complaints route, log every complaint with the dates of receipt, acknowledgement and response, and define who handles escalations. A simple template covering those fields ticks the compliance boxes and reinforces customer trust at the same time.
How Should SMEs Prepare?
Engaging proactively with the Data (Use and Access) Act 2025 isn’t just about risk mitigation - it’s a genuine chance to sharpen your operations, streamline your data handling, and build deeper trust with customers. Here are some actionable steps to consider:
Run a Full Data Audit: Before you can adapt, you need to understand your current terrain.
Mapping all personal data - what you collect, where it’s stored, how it’s processed, and who can access it.
Tracing data flows end to end, from capture to deletion.
Linking each use case to a lawful basis under UK GDPR.
Flagging where “recognised legitimate interests” might now offer a simplified route.
🔍 We’ve seen quick wins just by visualising data journeys - especially in CRM systems and third-party tools where access often drifts.
Refresh Your Privacy Notices: Your privacy notice is your shopfront - it’s the first thing individuals see when deciding if they trust you.
Clearly explain DSAR handling, cookie use, AI decisions, and complaints processes.
Use plain English - ditch the jargon, keep the legal tone in the drawer.
Consider layered notices, with high-level summaries and click-throughs for detail.
Review Your Lawful Bases: With new flexibilities comes new responsibility.
Recheck processing activities tied to legitimate interest.
For recognised categories, document how you meet the criteria.
For everything else, ensure assessments are up to date and defensible.
🗂️ Don’t just rely on old LIAs in a dusty folder - auditors (and clients) may expect cleaner documentation post‑Act.
Upgrade Your DSAR Handling: The new rules give you breathing room - but only if your internal process is tight.
Define clear workflows for intake, triage, search, and response.
Assign roles and responsibilities to avoid bottlenecks.
Train staff to use the new pausing powers wisely - not to delay, but to clarify.
Audit Your AI/ADM Systems: If you use algorithms to make decisions that affect people, now’s the time to get your governance in order.
Conduct DPIAs for high-risk or impactful use cases.
Document your logic - explainability isn’t optional.
Build in meaningful human review - not just a rubber stamp.
🧠 AI compliance isn’t just for the big players - SMEs can stand out by showing they’ve thought this through.
Review Cookies & Marketing Strategy: With consent rules relaxing (slightly) and fines increasing (a lot), this one’s urgent.
Update banners to reflect low-risk cookie exemptions.
Double-check that you have valid consent or soft opt-in for emails.
Ensure opt-outs are honoured and preferences respected.
Keep records tidy and audit-ready.
Strengthen International Data Transfer Controls: International transfers are still under the microscope - even with the relaxed “not materially lower” standard.
Map your transfers outside the UK (including SaaS tools).
Confirm the mechanism used - the IDTA, the UK Addendum to the EU SCCs, or adequacy regulations.
Document your rationale - if challenged, you’ll need it.
🌐 It’s not uncommon to find hidden transfers via marketing platforms or customer analytics tools - an audit brings them to light.
Build a Compliant Complaints Process: Transparency doesn’t stop at privacy notices. Make it easy for people to raise concerns.
Provide clear access points - online forms, dedicated emails, friendly copy.
Log and respond within 30 days.
Create an internal escalation path for complex cases.
Stay Ahead of the Curve
The Information Commission will be rolling out guidance and secondary legislation over the coming year. The SMEs we work with aren’t waiting for the final memo - they’re adapting now, based on what’s already clear.
🎯 Monitor developments, revisit your compliance roadmap quarterly, and when in doubt - lean on expert input. It’s a fast-evolving landscape.
Final Thoughts: Compliance Meets Competitive Edge
By embedding these changes into your everyday operations, your SME can do more than simply meet expectations - you can signal trust, professionalism, and maturity to clients, partners, and regulators alike.
Compliance used to be a box-ticking exercise. Now? It’s a competitive edge - and the best-prepared SMEs are already using it to differentiate.