Does Your Small Business Comply With UK GDPR?


Key Points

  • Every UK business that handles personal data, including customer records, employee files, and marketing lists, must comply with the UK GDPR and the Data Protection Act 2018, regardless of size. There is no small-business exemption.
  • The Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025, amends the UK GDPR in several areas that directly affect SMEs, including the introduction of recognised legitimate interests and changes to automated decision-making rules.
  • Article 6 of the UK GDPR requires businesses to identify a lawful basis for every processing activity before it starts. Choosing the wrong basis, or failing to document the choice, can itself constitute a breach.
  • The DUAA aligns PECR fines with UK GDPR levels, meaning penalties of up to the greater of £17.5 million or 4% of global annual turnover now apply to unlawful direct marketing.
  • Practical compliance for most small businesses starts with a data mapping exercise, an up-to-date privacy notice, and documented procedures for handling subject access requests.

UK data protection law applies to every business that handles personal data. There is no minimum headcount threshold and no revenue floor. If your company holds customer details, processes employee payroll data, or sends a marketing email to a mailing list, you are processing personal data and the UK GDPR applies to you.

Most small business owners know this in the abstract. Fewer are confident that their actual practices, privacy notices, data storage arrangements, and procedures for handling subject access requests are fully compliant. The arrival of the Data (Use and Access) Act 2025 has updated several of the rules, making this a reasonable moment to check.

The ICO’s approach to small businesses has generally been proportionate. Enforcement against smaller organisations has tended to result in improvement notices and reprimands rather than maximum fines, particularly when the organisation cooperates. That proportionality is not a reason to be complacent: a data breach affecting customers or staff can cause reputational damage that far exceeds any financial penalty.

The Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025. It amends the UK GDPR and the Data Protection Act 2018 across several areas. 43Legal has published a detailed overview of the DUAA’s objectives and structure; this article focuses on the changes most likely to affect day-to-day compliance for SMEs.

The most immediately useful change for many small businesses is the introduction of recognised legitimate interests. Previously, if a business wanted to rely on legitimate interests as the lawful basis for processing personal data under Article 6(1)(f) of the UK GDPR, it had to conduct a full legitimate interests assessment to demonstrate that its interests outweighed the rights and freedoms of data subjects. The DUAA creates a category of predefined purposes, including fraud detection, network security, and protecting children’s safety, for which an assessment is not required. For businesses that process data primarily for these purposes, the administrative burden of compliance has been reduced.

The DUAA also updates the rules on automated decision-making. Article 22 of the UK GDPR previously restricted the use of solely automated decisions that produced legal or similarly significant effects. The DUAA reframes those restrictions: businesses may now use automated decision-making provided certain safeguards are in place, including informing the affected individual, allowing them to obtain human intervention, and allowing them to contest the decision. Businesses that use automated scoring, filtering, or profiling tools in their customer or HR processes should review whether these changes affect their existing arrangements.

For businesses dealing with children, the DUAA introduces an explicit obligation to take children’s needs into account when deciding how to use their personal data across all online services likely to be used by children. This formalises what had previously been guidance under the ICO’s Age Appropriate Design Code. From a compliance perspective, it raises the stakes for any business operating a consumer-facing website, app, or platform that has not considered whether children might be among its users.

The DUAA also aligns the penalty regime under the Privacy and Electronic Communications Regulations 2003 (PECR) with that under the UK GDPR. Unlawful direct marketing can now attract fines of up to the greater of £17.5 million or 4% of global annual turnover. This is a substantial uplift from the previous PECR maximum and brings direct marketing firmly within the same enforcement framework as data security breaches.

What Small Businesses Need to Do

Data protection compliance has a reputation for complexity that it does not entirely deserve. In my experience, for most small businesses, a structured approach to four areas covers the bulk of what the ICO expects.

  • Map your data. Before you can comply, you need to know what personal data you hold, where it is stored, why you hold it, and who has access to it. A record of processing activities (RoPA) covering your main data flows is both legally required for organisations with 250 or more employees under Article 30 of the UK GDPR and recommended practice for smaller ones. Our legal risk and compliance audit service covers data mapping as part of a broader governance review.
  • Identify a lawful basis for each processing activity. Article 6 of the UK GDPR sets out six lawful bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests. You must identify the correct basis before processing starts; you cannot choose one retrospectively after a complaint or breach. Consent is often misused as a catch-all: it is the correct basis only where individuals have a genuine free choice and can withdraw without detriment.
  • Review and update your privacy notice. A privacy notice must tell people who you are, what data you hold about them, why you hold it, your lawful basis for processing, how long you keep it, and their rights under the UK GDPR. Generic language copied from another website will not reflect your actual practices and may mislead the people whose data you process.
  • Have a process for handling subject access requests. Under the UK GDPR, individuals have the right to ask what personal data you hold about them, and you must respond within one calendar month. The DUAA adds a requirement to acknowledge data protection complaints within 30 days. Having a named person responsible for handling requests, and a documented procedure for what to do when one arrives, prevents the scramble that follows when a request lands without warning.

Two areas that frequently catch small businesses out are employee data and marketing lists. Employee records contain sensitive personal data and, in some cases, special category data under Article 9 of the UK GDPR, which attracts additional obligations. Marketing lists, particularly those purchased or compiled over many years, often contain data for which no valid lawful basis can now be identified. Both are worth reviewing as a priority.

The ICO’s Direction of Travel

The DUAA restructures the ICO as the Information Commission, giving it a more corporate governance model and expanded enforcement powers. The government’s published guidance on the data protection and privacy changes confirms that the ICO is committed to producing more tailored guidance for SMEs and focusing early engagement on helping businesses get compliance right from the start.

The ICO updated its guidance on data protection by design and by default in February 2026 to reflect the DUAA, including the addition of a children’s higher protection matters duty. Further guidance updates are expected as the ICO works through the full implications of the Act. Businesses should check the ICO website regularly, or ensure they have a way to stay informed of regulatory developments.

Frequently Asked Questions

Does UK GDPR apply if I only hold a handful of customer records?

Yes, the UK GDPR applies to any business that processes personal data, regardless of how much it holds. There is no minimum volume threshold. Even a sole trader who holds a spreadsheet of ten client email addresses is processing personal data and must have a lawful basis for doing so, an appropriate privacy notice, and a process for responding to subject access requests.

What is the difference between the UK GDPR and the Data Protection Act 2018?

The UK GDPR is the primary legislation governing the processing of personal data in the UK; it was retained from EU law after Brexit and subsequently amended by the Data Protection Act 2018 and by the Data (Use and Access) Act 2025. The Data Protection Act 2018 supplements the UK GDPR by filling gaps where Parliament can make specific choices, such as the rules on processing special category data in an employment context. The two instruments work together and cannot be read in isolation.

We send a monthly newsletter. Do we need consent from everyone on our list?

Not necessarily, but you need a valid lawful basis under both the UK GDPR and PECR. For business-to-business marketing to individual email addresses, the soft opt-in may apply if the recipients are existing customers and the email concerns similar products or services, provided a clear opt-out is included. For consumer marketing, explicit consent or a clearly applicable soft opt-in is required under PECR. Given that PECR fines have now been aligned with UK GDPR levels under the DUAA, a marketing list audit is worth conducting if you have not done one recently.

How long can we keep personal data?

The UK GDPR does not prescribe specific retention periods for most categories of data. Instead, the storage limitation principle in Article 5(1)(e) requires that personal data be retained no longer than necessary for the purposes for which it is processed. In practice, retention periods are driven by your business purposes, contractual obligations, and legal requirements. Employment records are typically retained for six years after employment ends; accounting records for six years under the Companies Act 2006. You should document your retention periods and review them periodically.

We received a subject access request from a former employee. What do we need to do?

You must respond within one calendar month of receiving a GDPR subject access request, providing the individual with a copy of all personal data you hold about them, together with supplementary information about how it is processed. The month can be extended by a further two months in complex cases, provided you inform the individual of the extension within the first month. You may redact information that would reveal the personal data of a third party who has not consented to disclosure. If you believe a request is manifestly unfounded or excessive, you may charge a reasonable fee or refuse to respond. Still, you must tell the individual why and inform them of their right to complain to the ICO.

As external risk management and legal specialists, we can assist you with data mapping, privacy notice reviews, data protection impact assessments, and ongoing data protection compliance. Our virtual in-house counsel service provides fixed-retainer access to specialist commercial law advice. We have previously published on the Data (Use and Access) Act 2025 and on how a legal risk and compliance audit works; both articles are available in our knowledge hub.

To find out more about any matters discussed in this article, please email us at info@43legal.com or call 0121 249 2400.

The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article, please contact 43Legal.

Melissa Danks is the founder of 43Legal. She has over 20 years’ experience as a solicitor working within the legal sector dealing with issues relating to risk management, dispute resolution, and advising in-house counsel in SMEs and large companies. Melissa has extensive expertise in providing practical, valuable, modern legal advice on large commercial projects, joint ventures, data protection and GDPR compliance, franchises, and commercial contracts. She has worked with stakeholders in multiple market sectors, including IT, legal, manufacturing, retail, hospitality, logistics and construction. When not providing legal advice and growing her law firm, Melissa spends her time running, walking in the countryside, reading and enjoying downtime with close friends and family.
