The Data Use and Access Act 2025 (DUAA) is a significant update to the UK’s data protection landscape. Building on the foundations of the UK GDPR and Data Protection Act 2018, the DUAA aims to strike a better balance between protecting people’s data and helping organisations, especially small and medium-sized enterprises (SMEs), use data in smarter, more efficient ways.

For SMEs, this isn’t just about ticking compliance boxes. The DUAA opens the door to new opportunities for innovation, collaboration, and simpler data handling. Below, we break down what it means in practice and how your business can prepare.

One of the headline changes in the Data Use and Access Act is the introduction of ‘recognised legitimate interests.’ In the past, if you wanted to rely on legitimate interests as a legal basis for processing personal data, you had to carry out a full assessment to show the benefits outweighed the risks. Now, if your purpose falls into certain predefined categories, like detecting fraud, ensuring network security, or protecting children, you can skip that assessment.

This is good news for SMEs. It means less time tied up in paperwork and more clarity about when you can use personal data. But you’ll still need to be clear about how you’re using it, and your privacy notice must reflect these purposes accurately.

Making International Data Transfers Simpler

If your business shares personal data with companies outside the UK, such as cloud services hosted overseas, the rules have changed slightly. The standard you now have to meet is whether the data protections in the receiving country are ‘not materially lower’ than the UK’s.

This is slightly more flexible than the old EU-style test of ‘essential equivalence’. While the UK still maintains its adequacy status with the EU for now, SMEs working internationally should take this as an opportunity to review data transfer arrangements and contracts. Make sure you understand where your data is going, and keep records of the measures you use to protect it.

What Smart Data Means for Your Sector

A particularly exciting part of the DUAA is its support for ‘smart data’ initiatives. These schemes are designed to help individuals and businesses access and share their data more easily between services, much like Open Banking has done for financial data.

This could mean that, in the near future, you’ll be able to offer customers the ability to share their data with third parties seamlessly. This would create smoother user experiences and more personalised services. Sectors like energy, telecoms, and legal services are already being explored.

If your business handles consumer data or could benefit from easier access to trusted datasets, now is a good time to explore how smart data might fit into your growth plans.

Greater Flexibility for Research and Innovation

If your SME conducts any form of research, whether that’s testing new products, analysing trends, or conducting scientific studies, the DUAA brings welcome changes. It broadens what counts as ‘scientific research’ and makes it easier to process personal data under broad consent.

The Act also relaxes rules around re-contacting people when you reuse data for compatible purposes, especially where doing so would be disproportionate. This means less administrative burden and more room to innovate, while still maintaining ethical standards and transparency.

Cookies and Digital Marketing: What’s Changing

Under the new rules, cookies that are used for analytics and improving website performance are now considered ‘low risk’ and won’t always require user consent. This should make running your website a bit smoother, especially if you use tools like Google Analytics.

However, consent is still required for marketing cookies and anything that tracks users across websites. The maximum fines for breaking these rules have also increased to match those under UK GDPR – up to £17.5 million or 4% of global turnover.

SMEs should take this as a signal to double-check their cookie policies. Make sure your cookie banners are clear, offer real choice, and allow users to opt out easily. If you’re unsure whether a cookie is considered ‘low risk’, it’s worth seeking advice or checking ICO guidance as it evolves.

A More Reasonable Approach to Data Subject Requests

Handling Data Subject Access Requests (DSARs) can be time-consuming, especially for small teams. The DUAA introduces a more flexible test: organisations now only have to make ‘reasonable and proportionate’ efforts to respond.

This doesn’t mean ignoring requests, but it does allow you to scale your response based on the effort involved and the likely outcome. If searching thousands of archived emails for one piece of information would be disproportionate, you may now be justified in narrowing the search.

Still, it’s important to document what efforts you made and why. Having a standard process in place will help show that you’re complying in good faith.

A Stronger Information Commission and What It Means for You

The ICO is getting a rebrand and stronger powers under the DUAA. It will become the ‘Information Commission’, with a more corporate-style governance model and expanded authority to enforce data rules, particularly around cookies, data sharing, and access rights.

This means that scrutiny is increasing, but so is support. The ICO has committed to producing more tailored guidance for SMEs and focusing on helping businesses get compliance right from the start.

SMEs should see this as an opportunity. By keeping on top of your responsibilities and being proactive in how you manage data, you’ll be better positioned to avoid problems and build customer trust.

Putting It All into Practice: A Simple Strategy for SMEs

With the DUAA now law, SMEs should take time over the coming months to review their current data protection practices. This doesn’t need to be a major project, but a few focused updates can go a long way.

Start by refreshing your privacy policies, especially if you rely on legitimate interests, use analytics cookies, or process data for research. Make sure your team is trained on any updated procedures, particularly around DSARs and cookies. If you work with international suppliers or cloud services, check your data transfer mechanisms.

Most importantly, take this as a chance to strengthen your data governance, not just for compliance but as a foundation for growth. The Data Use and Access Act 2025 is designed to make it easier to use data responsibly and effectively. The more confident you are in your practices, the more confidently you can build customer relationships and explore new services.

Stay Ahead, Stay Agile

The DUAA’s changes will be rolled out gradually, with full implementation expected by mid-2026. Further ICO guidance, sector-specific regulations, and updates will continue to emerge throughout this period.

To stay informed, keep an eye on the ICO website, subscribe to legal or compliance newsletters, and consider attending webinars and workshops from professional bodies. The more proactive you are now, the smoother the transition will be.

In Summary

The Data Use and Access Act 2025 gives SMEs a fresh chance to simplify how they manage data, cutting back on red tape while still protecting people’s rights. With clear planning and a practical approach, your organisation can turn these legal changes into a competitive advantage.

Farringford Legal’s data protection team can help you audit your data protection processes and policies to ensure you are compliant with the new DUAA regulations.