The Data (Use and Access) Act 2025: What Small Businesses and Charities Actually Need to Know

A new data protection law landed in the UK in June 2025, and if you’ve been half-watching the coverage, you could be forgiven for thinking it means you need to tear up your existing GDPR policies and start again.
You don’t.
The Data (Use and Access) Act 2025, mercifully shortened to the DUAA in most coverage, makes some genuine changes to the UK’s data protection rules. But the honest summary for most small businesses and charities is that the foundations haven’t moved, a few grey areas have been clarified, some rules have been relaxed slightly, and there is one new obligation worth being aware of.
This article covers what’s actually changed, what the timeline looks like, and what, if anything, you need to do.
First: What This Law Actually Is
The Data (Use and Access) Act doesn’t replace the UK GDPR or the Data Protection Act 2018. It amends them. Think of it as a significant software update rather than a completely new operating system. The rules you’ve been following since 2018 still apply. The Act tweaks them in certain areas, clarifies grey zones that have caused confusion, and introduces a small number of new obligations.
The Act received Royal Assent on 19 June 2025, but its changes have been rolled out in phases rather than all at once. The main data-protection and privacy provisions, which are the changes most likely to affect your business, came into force on 5 February 2026. A further set of provisions, including the new complaints handling requirement, is specifically due to take effect on 19 June 2026.
So if you read something in mid-2025 saying “nothing has changed yet,” that was accurate at the time. The substantive changes have now landed.

What Actually Changes And What Doesn't
What stays exactly the same
The core data protection principles in Article 5 of the UK GDPR are unchanged. You still need a lawful basis for processing personal data. You still need a privacy notice. You still have to respond to subject access requests within one month. The 72-hour breach notification requirement to the ICO remains. Your obligations to keep data secure, accurate and held only for as long as you need it are all unchanged.
If your existing GDPR compliance was solid, the DUAA doesn’t break it. Your foundations are fine.
Subject access requests — some useful clarifications
A subject access request, or SAR, is when someone formally asks to see the personal data you hold about them. You have one month to respond. The one-month deadline is unchanged, but the 5 February 2026 changes introduced two clarifications that are genuinely useful in practice.
First, the Act now confirms in statute that you only need to carry out a “reasonable and proportionate” search for personal data when responding. If someone asks for everything you hold on them, you don’t need to manually trawl through seven years of archived emails unless that’s actually proportionate to the request and the scale of your organisation. This was already the practical guidance from the ICO, but it’s now written into law rather than just being regulatory expectation.
Second, the “stop the clock” rule is now codified. If you reasonably need more information from the person making the request, whether to verify their identity or to pin down exactly what they are asking for, the one-month countdown is paused while you wait for that information. Again, this was common practice under ICO guidance; it now has a clear statutory basis. The pause only covers information you genuinely need, so it is not a way to buy time on a request that is already clear.
Marketing emails — same rules, higher fines
The underlying rules for marketing emails have not changed, but the potential cost of getting them wrong has increased significantly.
Under PECR — the Privacy and Electronic Communications Regulations, which govern marketing by email and text message — sending marketing messages to individual subscribers (which includes sole traders and most partnerships, but not messages to a company’s corporate addresses) requires either their prior consent or reliance on the “soft opt-in.” The soft opt-in applies only where all of the following hold: you obtained the person’s contact details in the course of a sale, or negotiations for a sale, of your own products or services; you are marketing your own similar products or services; and they were given a simple way to refuse marketing when their details were collected and in every message since, and have not taken it. Drop any one of those conditions and you are back to needing consent.
What doesn’t work is relying on a “legitimate interests” assessment under UK GDPR as a substitute for PECR consent. Those are two separate frameworks operating in parallel, and a legitimate interests justification under one does not satisfy the requirement under the other. If your marketing consent basis is unclear, this is the most pressing thing in the DUAA to get right, because the maximum fines for PECR breaches have been substantially raised: the old cap of £500,000 has been replaced with the UK GDPR maxima of £17.5 million or 4% of global annual turnover, whichever is higher.
Cookies — some low-risk exemptions
Cookies are the small files that websites place on a visitor’s device to track things like preferences, sessions, and site usage. Under the existing rules, most non-essential cookies require the visitor’s prior consent, which is all those banner pop-ups that have become a fixture of internet life since 2018.
The DUAA introduces some narrow exemptions to this consent requirement. Certain low-risk, non-essential cookies no longer need upfront consent: specifically, those used solely for statistical purposes to measure and improve your own website (analytics that don’t track visitors across other sites or share the data for advertising), and those that remember a visitor’s display or functional preferences. In place of consent, you must give visitors clear information about what the cookies do and a simple way to object to them.
This doesn’t give blanket permission to remove cookie banners. Marketing and advertising cookies still require consent. But if your site uses basic analytics to understand how visitors use your pages, the rules have eased slightly.
A new complaints process requirement — specifically from 19 June 2026
This is the one new obligation worth putting in your diary with a specific date. From 19 June 2026, organisations will be required to have a formal process for handling data protection complaints from individuals, including an accessible electronic complaints form and an obligation to acknowledge complaints within 30 days.
For most small businesses, this doesn’t mean building complex systems. It means having a simple, accessible way for someone to raise a concern about how you’ve handled their data, and having a basic process for acknowledging and responding to it. Many businesses will have something close to this already. The key is making it formal, documented, and findable. This includes updating your privacy notice to explain how complaints can be made.
You have until 19 June 2026 to have this in place. Not urgent, but worth noting now rather than discovering in May.
A Note for Charities and Public-Facing Businesses
The soft opt-in extension for charities
One change that’s particularly relevant for charities relates to marketing emails. The Act extends the soft opt-in rule. Previously it was available only to commercial businesses emailing existing customers about similar products or services without explicit consent; it has now been expanded to charities as well. When this provision comes into force, a charity will be able to rely on the soft opt-in for fundraising and engagement emails to people whose contact details it obtained when they expressed an interest in, or offered or gave support for, the charity’s purposes. The other soft opt-in conditions still apply, including the opt-out in every message.
This could be a meaningful practical change for charity communications teams. The ICO is expected to publish specific guidance on how this applies before the relevant date, so it is worth keeping an eye on.
Online services likely to be accessed by children
This one applies to any organisation, charity or commercial business, that runs a public-facing online service that children are likely to use. The DUAA now explicitly requires those services to take account of what the Act calls “children’s higher protection matters”: specifically, that children may be less aware of the risks associated with sharing their personal data, and that they deserve a higher level of care as a result.
If you run a website or digital service that could reasonably attract users under 18, whether that be a youth organisation, an educational charity, a mental health service accessible to young people, or any consumer-facing platform, this is worth reviewing. The ICO’s Age Appropriate Design Code (also known as the Children’s Code) has covered similar ground since 2021, so if you’ve already worked through that, you’re likely in reasonable shape. If you haven’t, and children could be using your service, this is now a statutory requirement rather than just guidance.
When Does All This Actually Take Effect?
There are three dates to know:
19 June 2025: The Act received Royal Assent and became law. The main substantive data-protection provisions were not yet in force.
5 February 2026: The main Part 5 data-protection and privacy changes came into force. This includes the SAR clarifications, the cookie exemptions, the updated marketing fines, the children’s online services requirement, and the other changes covered in this article.
19 June 2026: The new formal complaints handling requirement takes effect on this specific date — exactly one year after Royal Assent. This is also when the soft opt-in extension for charities is expected to come into force. Watch for ICO guidance in the run-up.
What You Actually Need to Do
For most small businesses and charities, the action list is short.
Review your marketing email consent practices. This is the most urgent item. Are you sending marketing emails only to people who have clearly consented, or who fall within a proper soft opt-in relationship, meaning they’re an existing customer, you’re marketing similar services, and they had a genuine opportunity to opt out? If the answer is uncertain, sort it before anything else. The penalties for getting this wrong are now considerably higher.
Check your cookie setup if you have a website. If you’re using a basic analytics package that doesn’t track users across other sites, you may now have slightly more flexibility. If you’re using advertising or marketing cookies, nothing has changed — consent is still required. If you’re not sure what your cookies are doing, most website platforms have a cookie audit function, or your web developer can check.
Update your SAR process notes to reflect the “reasonable and proportionate” standard and the stop-the-clock clarification. Both are minor adjustments for most businesses, but they’re worth noting so that whoever handles a SAR in future has the current picture.
If your service is used by children, review how you handle their data and check your approach against the ICO’s Children’s Code. The DUAA has made this a statutory requirement rather than guidance.
Prepare for the 19 June 2026 complaints deadline. Decide who would handle a formal data protection complaint, create a simple electronic form for submitting one, and note the 30-day acknowledgement obligation. Then update your privacy notice to tell people how to use it.
That’s it. If you’ve been following the GDPR basics since 2018, you’re in reasonable shape. This is genuinely evolution rather than revolution.
The Bigger Picture
The DUAA is part of the UK’s post-Brexit approach to shaping its own data protection rules, diverging slightly from the EU’s framework in ways designed to make compliance simpler and give businesses more flexibility, while maintaining enough compatibility that data can continue to flow between the UK and EU without additional barriers.
On that last point: the European Commission formally renewed its UK adequacy decisions on 19 December 2025. Those decisions, which confirm that UK data protection standards are sufficient to allow data to flow freely between the EU and UK, are now in place until 27 December 2031. For any business dealing with customers, suppliers, or partners in the EU, this removes the uncertainty that had existed while the renewal was pending.
For small businesses and charities, the practical takeaway is straightforward: keep following the UK GDPR fundamentals, make the small adjustments above, prepare for the 19 June 2026 complaints requirement, and check ico.org.uk for updated guidance as the ICO publishes it. The ICO has committed to updating its guidance as each set of changes takes effect.
The people who have the most work to do are those who weren’t properly compliant before this. If your consent processes were loose, your cookie setup was never quite sorted, or your marketing list was built without clear permission, the DUAA is a timely nudge to sort that out, partly because the potential cost of getting it wrong has increased.
For everyone else: business as usual, with a few helpful clarifications.
