What the UK’s Data (Use and Access) Act 2025 Means for SMEs

This comprehensive guide breaks down the key provisions affecting SMEs, from relaxed cookie requirements to expanded legitimate interests provisions. We'll provide you with clear explanations and practical checklists to ensure your business remains compliant whilst benefiting from the new flexibilities.

The Act introduces three major areas of change that directly impact how SMEs handle data: simplified cookie and electronic communications rules, expanded legitimate interests grounds, and updated Data Protection Impact Assessment (DPIA) requirements. Each presents both opportunities and obligations that require careful navigation.

Understanding the Cookie and PECR Relaxations

The Privacy and Electronic Communications Regulations (PECR) have undergone substantial revision under the new Act, offering SMEs greater flexibility in how they approach digital marketing and website functionality.

What's Changed with Cookie Consent

Previously, businesses required explicit consent for most cookies beyond those strictly necessary for website functionality. The new Act introduces a more nuanced approach that recognises the practical realities of modern digital business operations.

The legislation now permits "functional cookies" without explicit consent, provided they enhance user experience without collecting identifiable personal data. This includes cookies for language preferences, shopping cart functionality, and basic analytics that don't track users across multiple sites.

Marketing cookies still require consent, but the Act provides clearer guidance on when implied consent may be acceptable. For SMEs with limited resources to implement complex consent management systems, this offers welcome relief whilst maintaining user privacy protections.

Direct Marketing Under the New Rules

The Act expands the circumstances under which SMEs can engage in direct marketing without prior consent. Existing customer relationships now provide broader grounds for marketing communications, particularly for similar products or services.

B2B communications benefit from relaxed rules, with corporate email addresses receiving different treatment from personal addresses. SMEs can now contact businesses more freely, provided they offer clear opt-out mechanisms and respect any expressed preferences.

SME Cookie Compliance Checklist

Immediate Actions Required:

• Review your current cookie policy and update it to reflect the new categories
• Audit existing cookies to determine which fall under the expanded permissions
• Update privacy notices to explain how you use functional cookies
• Ensure marketing cookies still have appropriate consent mechanisms
• Review direct marketing practices for existing customers

Ongoing Compliance Measures:

• Monitor customer opt-out requests and implement them promptly
• Regularly review cookie usage as your website evolves
• Train staff on the distinction between different cookie categories
• Document your legal basis for each type of data processing

Expanded Legitimate Interests Provisions

The Act significantly broadens the scope of legitimate interests as a legal basis for processing personal data, providing SMEs with more flexibility in their operations whilst maintaining appropriate safeguards.

What Legitimate Interests Now Covers

Under the expanded provisions, SMEs can rely on legitimate interests for a wider range of business activities. These include fraud prevention, network security, direct marketing to existing customers, and internal administrative purposes.

The Act provides specific guidance for SMEs, recognising that smaller businesses often lack the resources for complex consent management systems. This pragmatic approach allows for more streamlined operations whilst ensuring appropriate protections remain in place.

Customer analytics for business improvement purposes now falls more clearly within legitimate interests, provided the processing is proportionate and doesn't involve sensitive data. This enables SMEs to better understand their customer base and improve their services.

Conducting Legitimate Interests Assessments

Whilst the grounds for legitimate interests have expanded, the requirement for proper assessment remains. SMEs must still demonstrate that their legitimate interests override the individual's privacy rights and that less intrusive means aren't available.

The assessment process involves three key steps: identifying your legitimate interest, demonstrating necessity, and conducting a balancing test. For SMEs, this need not be an overly complex process, but it must be documented and proportionate to the processing activity.

The Act provides safe harbours for common SME activities, including customer relationship management, basic marketing analytics, and operational communications. These activities benefit from presumed legitimacy, provided they're conducted transparently and proportionately.

Legitimate Interests Implementation Checklist

Assessment Requirements:

• Document your legitimate interests for each processing activity
• Conduct proportionate balancing tests considering individual privacy rights
• Ensure processing is necessary and proportionate to your stated interests
• Provide clear privacy notices explaining your reliance on legitimate interests
• Establish procedures for handling objections to processing

Operational Considerations:

• Review existing consent mechanisms that may no longer be necessary
• Update privacy policies to reflect legitimate interests processing
• Train staff on when legitimate interests can and cannot be relied upon
• Implement systems to manage individual objections effectively

Updated DPIA Requirements for SMEs

Data Protection Impact Assessments undergo significant modification under the Act, with particular consideration given to the resource constraints and operational realities of SMEs.

When SMEs Need DPIAs

The new Act raises the threshold for mandatory DPIAs, recognising that many SME activities pose minimal privacy risks. High-risk processing still requires assessment, but the definition becomes more precise and practical.

Systematic monitoring of public areas, large-scale processing of sensitive data, and automated decision-making with significant effects remain subject to DPIA requirements. However, routine business operations like customer databases, standard marketing activities, and employee records typically fall below the threshold.

The Act introduces a proportionality principle specifically for SMEs, allowing for simplified assessments where processing risks are minimal. This pragmatic approach reduces administrative burden whilst maintaining appropriate protections for high-risk activities.

Simplified DPIA Process for SMEs

Where DPIAs are required, the Act provides a streamlined process tailored to SME capabilities. The assessment need not involve external consultants or complex technical analysis, provided it addresses the key risk factors proportionately.

The simplified process focuses on practical considerations: what data you're collecting, why you need it, how you'll protect it, and what could go wrong. This approach enables SMEs to conduct meaningful assessments without disproportionate resource investment.

Templates and guidance specifically designed for SMEs accompany the legislation, providing practical frameworks for common business scenarios. These resources significantly reduce the complexity and cost of compliance for smaller businesses.

DPIA Compliance Checklist for SMEs

Initial Assessment:

• Determine whether your processing activities require a DPIA
• Use the SME-specific criteria to assess risk levels
• Document your assessment reasoning for regulatory purposes
• Consider cumulative effects of multiple processing activities

DPIA Completion Where Required:

• Use SME-appropriate templates and guidance
• Focus on practical risks and mitigation measures
• Involve relevant staff members in the assessment process
• Review and update assessments when processing changes significantly
• Consider consulting with the ICO for complex scenarios

Implementation Timeline and Practical Steps

The Act provides a twelve-month transition period for most provisions, with some elements taking effect immediately. SMEs should prioritise changes based on their current practices and risk exposure.

Immediate priorities include reviewing cookie policies, updating privacy notices, and conducting legitimate interests assessments for existing processing activities. These foundational changes enable SMEs to take advantage of the new flexibilities whilst maintaining compliance.

The transition period allows for gradual implementation of more complex changes, such as updating customer relationship management systems and revising marketing strategies. This phased approach recognises the practical challenges SMEs face in implementing wholesale changes.

Moving Forward with Confidence

The Data (Use and Access) Act 2025 represents a significant opportunity for SMEs to streamline their data protection practices whilst maintaining high standards of customer privacy. The key lies in understanding the new provisions and implementing them thoughtfully and proportionately.

Success requires a balanced approach that takes advantage of new flexibilities whilst respecting the underlying privacy principles. SMEs that invest time in understanding these changes will find themselves better positioned to compete effectively whilst maintaining customer trust.

We recommend beginning with a comprehensive review of your current data protection practices, identifying areas where the new Act provides opportunities for simplification or enhancement. Professional guidance can help ensure you maximise benefits whilst avoiding compliance pitfalls.

Your business deserves to thrive in this new regulatory environment. By taking a proactive approach to these changes, you position yourself not just for compliance, but for competitive advantage in an increasingly data-driven marketplace.