The Top ICO Enforcement Trends SMEs Must Act On in 2025

And How to Get Ahead

The UK’s data-protection landscape is evolving fast, and SMEs are now directly exposed to enforcement action once largely associated with public bodies or large multinationals. As BDO’s analysis of ICO enforcement trends in 2025 highlights, the ICO is increasingly focused on fundamental compliance failures rather than technical edge cases, meaning SMEs face the same expectations as larger organisations.

To help UK SMEs stay ahead, this guide breaks down the three most prominent ICO enforcement themes in 2025 and explains how each relates directly to the core duties under UK GDPR.

ICO Enforcement Trend 1: DSAR Delays & Right-of-Access Failures

The ICO continues to treat DSAR delays as one of the most serious indicators of poor governance. This theme appears repeatedly in enforcement notices and aligns closely with the BDO analysis.

A recent example is the enforcement notice issued to South Wales Police, requiring the organisation to clear a backlog of more than 350 overdue SARs by mid-2026.

Although policing bodies sit in a unique context, the principle is identical for SMEs: a delayed, incomplete, or mismanaged DSAR is a governance failure, not an administrative error.

Why SMEs are vulnerable

  • DSAR processes are often informal or undocumented
  • Staff rely on untracked shared inboxes that hamper compliance
  • Manual redaction takes longer than expected and slows response times
  • Identity verification checks are inconsistent or incomplete
  • No clear owner is assigned to coordinate DSAR responses

Consequently, SMEs often fail “by accident”, simply because processes were never clearly built.

What SMEs should do

  • Implement a formal DSAR register
  • Use standardised verification templates
  • Assign responsibility for triage and drafting
  • Create a redaction decision record
  • Test your DSAR workflow every six months

See how Athlex Data Protection can help you with your UK GDPR compliance.

To strengthen your position, Athlex Data Protection includes DSAR review as part of its Free UK GDPR Compliance Audit.

ICO Enforcement Trend 2: System Errors & Data-Accuracy Failures

While many SMEs assume breaches are caused by sophisticated threat actors, the ICO’s recent fines show that basic security failings, particularly around access control and system configuration, remain the driving force behind most incidents. This is why BDO identifies weak security controls as a recurring enforcement theme.

A clear example of this is the £3.07 million fine issued to Advanced Computer Software Group (“Advanced”), a major processor used across the UK health and education sectors.

What happened

A ransomware attack exploited several preventable vulnerabilities, including:

  • inadequate access controls,
  • outdated software components,
  • unpatched critical systems, and
  • insufficient segregation of sensitive data.

Because Advanced was acting as a data processor, the incident demonstrated that processors are not insulated from ICO enforcement. Importantly, the ICO highlighted that robust Article 32 security measures apply equally to processors and controllers — a point many SMEs overlook when relying on third-party suppliers.

Why this matters for SMEs

Many SMEs rely on external IT providers, SaaS dashboards, or outsourced infrastructure. Consequently, they often inherit a false sense of security. Yet, as the Advanced case shows:

  • unpatched systems,
  • misconfigured access rights, and
  • weak administrator controls can create breach pathways that affect both the processor and its clients.

Furthermore, the ICO’s commentary stresses that technical misconfiguration is increasingly treated as a governance failure, not an unavoidable risk. In other words, SMEs are expected to demonstrate continuous security management – not reactive fixes after an incident.

What SMEs should do now

To reduce exposure to similar enforcement action:

  • Conduct regular patch-management reviews and document them.
  • Enforce multi-factor authentication on every administrative and remote-access account.
  • Validate that third-party systems use secure configuration baselines.
  • Request evidence: recent pen-test summaries, MFA logs, and architecture diagrams showing data segregation.

ICO Enforcement Trend 3: Supply-Chain & Vendor Risk Is Now the Biggest Exposure

BDO notes that third-party suppliers are involved in a significant proportion of enforcement cases. This is evident across recent ICO actions.

A major example is the £14 million fine issued to Capita following a cyber incident that exposed the data of over 6 million people.

The ICO criticised:

  • slow isolation of the breach,
  • insufficient monitoring,
  • weak patching practices, and
  • inadequate oversight of third-party systems.

Similarly, the Upper Tribunal’s Clearview ruling confirmed that even overseas vendors fall under UK GDPR if they monitor UK residents.

Why SMEs must pay attention

SMEs are more dependent than ever on external providers – IT contractors, payroll services, marketing platforms, CRMs, SaaS tools, cloud storage, etc. Consequently, the regulator expects SMEs to:

  • verify supplier security
  • assess processors before onboarding
  • maintain a vendor register
  • require evidence of compliance
  • include audit rights and termination clauses

In other words, your compliance is only as strong as your weakest vendor.

What SMEs should do

  • Inventory all suppliers with data access
  • Request evidence: certifications, test summaries, logs
  • Ensure processor contracts meet Article 28 requirements
  • Assess vendors annually (high-risk: quarterly)

The Athlex Data Protection free audit highlights exactly where your vendor chain poses compliance risk.

ICO Enforcement Trend 4: Governance, Documentation & Accountability Are Under the Microscope

BDO’s report highlights that the ICO is increasingly examining how decisions are made, not just whether breaches occur. Good governance – leadership awareness, documented decisions, risk logs, and internal reporting structures — is now a major enforcement factor.

This aligns with the ICO’s call for views on new enforcement-procedural guidance, signalling more transparent and structured regulatory processes.

This means SMEs are expected to show:

  • clear data-protection ownership
  • leadership engagement
  • meaningful internal reporting
  • documented risk assessments and decisions
  • evidence of proactive compliance

How SMEs Can Stay Ahead – Starting Today

To prepare for these enforcement trends, SMEs should immediately focus on:
✔ DSAR workflows
✔ Data-accuracy controls
✔ Vendor oversight
✔ Incident readiness
✔ Governance documentation

And the simplest way to begin?

Use Athlex Data Protection’s Free UK GDPR Compliance Audit tool.

To read more about the biggest UK GDPR risks for SMEs, see our blog: Inside Out: Why Insider Risk Is the Biggest UK GDPR Blind Spot for SMEs.

It covers DSARs, access controls, vendor risk, system accuracy, governance, and incident readiness – all mapped into a clear action plan.

Understanding the Data (Use & Access) Act 2025: What UK Businesses Need to Know


Why Was the DUAA Introduced?

The DUAA aims to modernise the UK’s data protection regime, ensuring that individuals have better control over their personal data while enabling organisations to innovate responsibly. It responds to new technologies, data‑driven business models and concerns about transparency. The Act builds on the UK GDPR framework rather than replacing it, so businesses must view it as complementary rather than separate.

Key Changes under the DUAA

1. Increased Fines for Electronic Marketing

The DUAA raises the maximum penalties for breaches of PECR. Companies can now face fines of up to £17.5 million or 4% of their global turnover, whichever is higher. This brings electronic marketing fines in line with those under the UK GDPR. Any business that sends marketing emails, texts or calls should review consent processes and records to ensure compliance.

2. New Rules Around Cookie Consent

The Act introduces stricter requirements for cookie consent under UK GDPR. Companies must ensure that cookie banners are clear and separate from other requests. Pre-ticked boxes and implied consent are not acceptable. People must have a genuine choice and be able to withdraw consent just as easily as they give it. Businesses should audit their cookie practices, update consent tools and keep records of consent.

3. Stronger Powers for the ICO

The Information Commissioner’s Office gains broader authority to compel businesses to provide information, reports and interviews as part of investigations. Failure to cooperate may lead to enforcement action. Businesses should keep thorough records of processing activities and be prepared to demonstrate compliance quickly if asked.

4. Expansion of Subject Access Rights

The DUAA reinforces the right to access personal data, requiring more detailed explanations of how data is used and shared. Organisations must be transparent about data sources and how decisions are made using personal data. This ties in closely with DSARs, making it even more important to have a robust process for responding to data requests.

5. Automated Decision‑Making Controls

The Act introduces new restrictions on automated decision‑making that significantly affects individuals. Businesses must provide human oversight, explain the logic behind decisions and allow individuals to contest them. Sectors using AI and machine learning, such as finance, insurance and recruitment, must ensure their systems meet these requirements.

Practical Steps to Comply

1. Audit Your Marketing Activities

Review how you collect and store consent for marketing communications. Ensure you can demonstrate a lawful basis for all electronic marketing. Update marketing databases to remove contacts without valid consent. For B2B marketing, confirm that you are complying with relevant exemptions and that messaging remains within legal boundaries.

2. Update Cookie Policies and Banners

Conduct a cookie audit to understand what tracking technologies your site uses and why. Update your cookie notice to clearly describe categories, purposes and retention periods. Implement a consent management platform if necessary, ensuring that individuals can easily change their preferences.

3. Strengthen Record‑Keeping

Maintain up‑to‑date records of processing activities, including data flows, legal bases, retention periods and third‑party sharing. If the ICO requests evidence of compliance, having organised records demonstrates accountability and saves time. Regularly review and update your records to reflect changes in processing.

4. Review Automated Decision‑Making Processes

Identify any processes that use algorithms or profiles to make decisions that could significantly affect individuals. Assess the legal basis for using automated decisions and whether human oversight is provided. Update privacy notices to explain these processes and develop procedures to address challenges from individuals.

5. Train Staff

Your employees are the first line of defence against non‑compliance. Provide training on the DUAA, focusing on marketing, cookie consent, data subject rights and automated decision‑making. Raise awareness of increased fines and the importance of cooperation with the ICO.

Impact on SMEs

Some SMEs might assume that new legislation primarily targets large corporations. However, the DUAA applies to any organisation processing personal data, regardless of size. Smaller businesses often have limited resources, making it harder to adapt. Yet the cost of non‑compliance—financial penalties and reputational damage—can be far greater than the cost of putting proper systems in place. SMEs should seek professional advice to interpret the Act and prioritise actions based on the data they handle.

How Athlex Supports Your Compliance

Staying on top of evolving data protection laws can be challenging. Athlex specialises in GDPR and privacy compliance for businesses of all sizes. Our consultants can help you conduct a DUAA readiness assessment, update policies and procedures, and train your staff. We provide practical, jargon‑free advice tailored to your industry, ensuring that you understand your obligations and can implement changes effectively. Whether you need a one‑off consultation or ongoing support through our outsourced DPO service, we make compliance manageable.

Looking Ahead

The DUAA is part of a broader trend toward stronger data governance. Businesses should expect further updates as technology evolves and public expectations of privacy grow. By understanding the DUAA and integrating it into your existing compliance framework, you prepare your business for future changes. Adopting a proactive approach—regular audits, employee training and transparent data practices—will position you as a trustworthy organisation in a competitive market.

Conclusion

The Data (Use & Access) Act 2025 introduces significant changes that businesses cannot ignore. Higher fines for marketing violations, tougher cookie rules, expanded subject rights and increased regulatory powers raise the stakes for data protection. By taking practical steps—auditing marketing activities, updating cookie banners, strengthening record‑keeping, reviewing automated decision processes and training staff—you can meet your obligations and build customer confidence. With professional guidance from Athlex, your business can turn compliance into a competitive advantage and navigate the evolving data protection landscape with confidence.

Sign up to our newsletter to receive updates directly to your inbox. You can also read more about DUAA updates to complaints processes in our blog.

Handling Data Subject Access Requests (DSARs): A Comprehensive Guide for SMEs


Managing personal data responsibly is a legal requirement. Under the UK GDPR, anyone can request a copy of the personal data you hold about them and details of how you use it. This is called a data subject access request (DSAR). For SMEs, responding within the one-month deadline may feel challenging, but it is achievable. This guide explains your DSAR obligations, how to verify identity and gather data, and why prompt, compliant responses build trust.

What Is a DSAR?

A DSAR is a request made by a person to obtain a copy of their personal data held by an organisation. It may also ask for details on how the data is processed, who it is shared with, the source of the data and how long it will be retained. Under the UK GDPR, organisations typically have one month to respond. In certain situations, you can extend this by two months, but you must inform the requester within the initial month and explain why. Failing to meet the deadline can lead to complaints and potential regulatory action, so timely responses are essential.

Who Can Make a DSAR?

Anyone can make a DSAR – customers, employees, suppliers or any individual whose data you process. The request doesn’t need to mention “DSAR” or cite the GDPR; it can be informal, verbal or written. Even a message on social media can count. Your responsibility is to recognise the request and handle it appropriately. Businesses should train staff to identify DSARs and direct them to the right person or team.

How to Respond to a DSAR

1. Verify Identity

Before disclosing personal data, verify the requester’s identity to prevent data breaches. If you’re not sure the person is who they say they are, ask for additional information such as a copy of an ID or details only the individual would know. Make sure your verification process is reasonable and proportionate; you shouldn’t request excessive or irrelevant documents.

2. Acknowledge Receipt

Send a prompt acknowledgement confirming you’ve received the request. Outline what you will do next, mention the one-month deadline and ask any clarifying questions if the request is vague. This sets expectations and demonstrates professionalism.

3. Gather Information

Identify all systems, databases and physical files where the requester’s personal data may be stored. This includes emails, customer relationship management (CRM) systems, cloud storage, paper records and any third-party processors you use. You must inform processors of the DSAR and ensure they supply relevant data.

4. Filter Data

Review the collected data and remove any information that is not personal data about the requester or that falls under exemptions. For example, data that identifies another individual may need to be redacted, or you may withhold information that’s legally privileged. Consult the UK GDPR and relevant guidance to determine what can be excluded.

5. Compile a Response

Prepare the data in an accessible format. Explain why you hold the data, the lawful basis for processing, how long you will retain it and who else it has been shared with. If the requester asked specific questions, address them. Provide the data securely – use encrypted email or secure download links – and clearly state how they can contact you for follow-up questions.

6. Keep Records

Document each DSAR you receive, including the date, actions taken, communications and final response. Good record-keeping helps demonstrate compliance if the Information Commissioner’s Office (ICO) investigates.
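As an added example that is not from Athlex or the original posts: a minimal DSAR register in Python that applies the one-month deadline and two-month extension rule described above, records the owner, identity-verification and redaction decisions from the earlier checklist, and flags the failures a six-monthly workflow test would look for. The calendar-month arithmetic follows the ICO’s corresponding-date convention; rolling a deadline that lands on a weekend or bank holiday to the next working day is left out, and every entry and owner name below is constructed.

```python
"""Minimal DSAR register: tracks receipt, identity verification, extension and
response dates, and flags statutory-deadline failures. Entries are constructed."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date


def add_months(start: date, months: int) -> date:
    """Corresponding calendar date `months` ahead (the ICO 'one month' rule);
    if the target month is shorter, the last day of that month is used."""
    idx = start.month - 1 + months
    year, month = start.year + idx // 12, idx % 12 + 1
    return date(year, month, min(start.day, calendar.monthrange(year, month)[1]))


@dataclass
class DSAR:
    ref: str
    received: date
    owner: str                                 # named coordinator for the response
    identity_verified: date | None = None      # when proportionate ID checks passed
    extended_on: date | None = None            # day the requester was told of an extension
    extension_reason: str = ""
    redactions: list[str] = field(default_factory=list)  # redaction decision record
    responded: date | None = None

    def initial_deadline(self) -> date:
        return add_months(self.received, 1)

    def extension_valid(self) -> bool:
        # A two-month extension only counts if notified within the initial month.
        return bool(self.extended_on) and self.extended_on <= self.initial_deadline()

    def deadline(self) -> date:
        return add_months(self.received, 3) if self.extension_valid() else self.initial_deadline()

    def issues(self, today: date) -> list[str]:
        """Compliance problems visible on `today`; empty means the request is on track."""
        found = []
        if self.responded and self.identity_verified is None:
            found.append("responded without recorded identity verification")
        if self.extended_on and not self.extension_valid():
            found.append("extension notified after the initial deadline")
        if self.extended_on and not self.extension_reason:
            found.append("extension has no documented reason")
        if self.responded is None and today > self.deadline():
            found.append(f"overdue by {(today - self.deadline()).days} days")
        if self.responded and self.responded > self.deadline():
            found.append("response sent after the deadline")
        return found


def review(register: list[DSAR], today: date) -> dict[str, list[str]]:
    """Issues per reference: the output of a periodic DSAR workflow test."""
    return {r.ref: r.issues(today) for r in register if r.issues(today)}


SAMPLE = [  # constructed entries, not real requests
    DSAR("DSAR-001", date(2025, 1, 31), "A. Owner", identity_verified=date(2025, 2, 3),
         responded=date(2025, 2, 20)),
    DSAR("DSAR-002", date(2025, 1, 15), "A. Owner", identity_verified=date(2025, 1, 16),
         extended_on=date(2025, 2, 10), extension_reason="multi-site mailbox search"),
    DSAR("DSAR-003", date(2025, 2, 1), "B. Owner", extended_on=date(2025, 3, 5)),
]
```

Running `review(SAMPLE, date(2025, 4, 20))` reports DSAR-002 as five days overdue and DSAR-003 as carrying a late, unjustified extension and therefore 50 days overdue against its original deadline.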

Why Efficient DSAR Handling Matters

Properly managing DSARs is not just about legal compliance; it’s a chance to build trust. Responding promptly and clearly shows that you respect individual rights. It also helps you maintain accurate records, which can improve overall data governance. Moreover, DSARs can highlight gaps in your data protection processes, prompting improvements. Finally, efficient DSAR handling minimises the risk of fines and reputational damage from mishandled requests.

Tips for Streamlining DSAR Processes

  • Train Staff: Make sure employees understand what a DSAR is and whom to contact if they receive one.
  • Develop a Standard Procedure: Create a step-by-step guide for handling requests, including templates for acknowledgements and responses.
  • Use Data Mapping: Maintain an up-to-date record of where personal data is stored to save time when collecting information.
  • Automate Where Possible: Consider using data discovery tools or DSAR management software to help identify and compile data.
  • Plan for Complex Requests: Some requests may be broad or require input from multiple departments. Having a plan in place reduces delays.

Common Mistakes to Avoid

  • Missing the Deadline: Start the process as soon as you receive a request. Even if you don’t have all the data yet, communicate progress and explain any delays.
  • Overlooking Data Held by Third Parties: Remember that data processors are part of your supply chain. You remain responsible for data held on your behalf.
  • Sharing More Data Than Necessary: Only provide data relating to the individual. Avoid disclosing information about other people or proprietary business information.
  • Charging a Fee: DSARs are usually free. You can only charge a reasonable fee in certain circumstances, such as repeated requests or excessive volumes of data.
  • Ignoring Informal Requests: A DSAR doesn’t have to mention the GDPR. Recognise any request for personal data as potentially valid and treat it accordingly.

How Athlex Can Help

Handling DSARs can be time-consuming and complex, especially for SMEs with limited resources. Athlex provides tailored support to ensure your DSAR responses are compliant and efficient. Our consultants can help you set up a procedure, train staff, and even manage requests on your behalf. From verifying identity to drafting clear responses, we offer the peace of mind that comes with expert guidance. Working with our outsourced Data Protection Officers (DPOs) means you can focus on your core business, knowing that data subject rights are respected.

Conclusion

A well-handled DSAR is a sign of a mature data protection practice. By following a clear process – verifying identity, gathering and filtering data, and responding within the legal timeframe – you can comply with your obligations and build trust with your customers and employees. Investing in good DSAR management now will pay dividends in the long run, reducing risk and strengthening your organisation’s data governance.

Read our blog http://athlex.co.uk/when-enforcement-isnt-enough-what-bristols-transparency-failures-teach-us-about-foi-dsars-and-accountability/ to find out what might happen if you get DSARs wrong.