GDPR is Changing: What UK Business Owners Need to Know About the Data (Use and Access) Act

Jun 02, 2026

 

If you've seen headlines about changes to UK GDPR and data protection laws recently, and you're not really sure what you need to do (if anything), then this blog should help.

The Data (Use and Access) Act 2025 (DUAA) introduces some of the biggest changes to the UK's data protection framework since GDPR was first introduced.

The good news?

For many small business owners, the changes are designed to make certain aspects of data protection easier and more practical.

The not-so-good news?

There is at least one important action that most UK business owners should take now to ensure their Privacy Notice remains up to date, but there is a deadline this month and a lot of small businesses aren't ready.

Whilst some parts of the legislation came into effect last year, the remainder comes into force on Friday 19th June 2026, and there are steps all business owners need to take before then to be compliant.

 

First Things First: GDPR Isn't Going Anywhere

Let me take a step back first to explain that whilst there is new data legislation, the GDPR remains in place.

Despite the changes introduced by the DUAA, the GDPR has not disappeared.

The UK GDPR remains the foundation of data protection law in the UK.

 

You still need to:

  • Handle personal data lawfully

  • Tell people how you use their information

  • Keep personal data secure

  • Respect individuals' rights

  • Have a compliant Privacy Notice

If you collect names, email addresses, phone numbers, customer information, mailing list sign-ups or client details, GDPR still applies to your business.

And yes, that includes many businesses that primarily work B2B.

 

What Is the Data (Use and Access) Act?

The DUAA updates the UK's data protection framework and introduces several changes designed to:

  • Reduce unnecessary administrative burdens

  • Support innovation and technology

  • Modernise data use practices

  • Clarify certain areas of the law

While some of the reforms are aimed at larger organisations, charities, research bodies and public authorities, there are several changes that online business owners should be aware of.

 

1. Changes to Cookie Rules

One of the most talked-about changes relates to cookies.

The Act creates additional circumstances where certain cookies may be used without obtaining consent first.

In particular, exemptions may apply where cookies are used:

  • For website analytics

  • To improve services

  • For security purposes

  • To detect fraud

  • To remember user preferences

At first glance, this sounds like great news.

Many people assumed this would mean the end of cookie banners altogether.

In reality, the position is more nuanced.

If your website uses cookies for multiple purposes, particularly marketing or advertising activities, consent requirements may still apply.

For that reason, many businesses may decide that maintaining their existing cookie consent process remains the safest and simplest approach.

 

2. Greater Recognition of Legitimate Interests

The DUAA introduces a new category of recognised legitimate interests.

In certain situations, organisations may now be able to process data without carrying out the balancing exercise that was previously required.

Examples include:

  • Crime prevention

  • Safeguarding vulnerable individuals

  • Certain disclosures to public authorities

For most small business owners, this is unlikely to create a major operational change.

However, businesses operating in regulated sectors or working with vulnerable individuals may wish to review whether these new provisions are relevant.

 

3. More Flexibility Around Automated Processing

As technology and AI become increasingly embedded in business operations, the law is adapting too.

The DUAA introduces greater flexibility around automated decision-making and data processing.

This is particularly relevant as businesses increasingly use:

  • AI tools

  • Automation software

  • Customer management systems

  • Marketing platforms

Whilst this doesn't remove your obligations under GDPR, it reflects the reality that technology is now a core part of running a modern business.

 

4. Subject Access Requests Must Be Reasonable and Proportionate

The Act introduces clarification around subject access requests.

Organisations are now permitted to carry out reasonable and proportionate searches when responding to requests.

This aims to reduce the burden of excessive or disproportionate requests while still protecting individuals' rights.

 

5. Stronger Protections for Children

The DUAA introduces enhanced safeguards for children using online services.

If your business markets directly to children or provides services aimed at younger users, you should take particular care to understand these requirements.

 

The Biggest Change for Most Small Business Owners: The New Right to Complain

This is the change that is likely to affect the widest range of UK businesses.

Under the new legislation, individuals now have a specific right to complain about how their personal data is being handled.

As a business owner acting as a data controller, you must:

  • Provide a way for individuals to raise data protection complaints

  • Acknowledge complaints within 30 days

  • Explain how complaints will be handled

  • Deal with complaints before they are escalated to the ICO

Importantly, this is not the same as your normal customer complaints process.

This relates specifically to complaints about data protection and privacy rights.

As a result, many businesses will need to update their Privacy Notice to explain:

  • How a complaint can be made

  • Where complaints should be sent

  • How the complaint process works

  • What timescales apply

So... Do You Need to Update Your Privacy Notice?

For most UK business owners, the answer is yes.

Even if many of the wider reforms do not directly affect your business, the introduction of the new complaints process means your Privacy Notice should be reviewed and updated.

This is likely to be the most practical action point arising from the DUAA for online businesses, coaches, consultants, service providers and digital product businesses.

 

Your Next Step

If your Privacy Notice hasn't been updated recently, now would be a good time to review it whilst you add the complaints procedure.

You're going to see lots of businesses sending emails notifying you that they are updating their Privacy Notice; you will need to do that too.

 

To support you with this, we've added two training videos to our Privacy Notice Template to walk you through the legal changes and also guide you through the process of putting together your complaints procedure. 

We've also updated the Privacy Notice template to cover the DUAA changes. We've added a complaints procedure framework with response email templates so that you can "plug and play" into your business, rather than spending hours researching and writing your own.

 

As a thank you for reading this update, we're giving you the chance to get £20 off using code:

PRIVACYBLOG

 

Summary

The DUAA requires that you now have a complaints procedure within your privacy policy. There are legal timeframes you must adhere to; we've mapped them out in our complaints template, which has been added to the Privacy Notice Template.

We're also giving you the opportunity to receive £20 off our Privacy Notice Template when you purchase before midnight on 19th June 2026.

 

The template includes:

✔ Updated Privacy Notice wording

✔ Guidance notes

✔ Plain English explanations

✔ Easy plug-and-play format

✔ Support for UK online business owners

Because staying compliant shouldn't require hours of legal research.

Use code "PRIVACYBLOG" at checkout and update your Privacy Notice today.
