Tag: Cookie consent
Cookies are a core part of modern web design. They keep your shopping cart items in place, remember your language preference and help websites understand how visitors use their pages. Yet cookies also raise significant privacy concerns. In the United Kingdom, the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR) govern how organisations can deploy cookies. The Data (Use and Access) Act 2025 (DUAA), which became law on 19 June 2025 and is being commenced in stages, amends PECR and brings its penalties into line with UK GDPR levels, making cookie compliance even more important for small and medium-sized enterprises (SMEs). This guide explains the types of cookies, why consent matters and how to align your practices with the law.
What Are Cookies and Why Do They Matter?
A cookie is a small text file placed on your device when you visit a website. Cookies help sites function properly, remember your preferences and understand how visitors interact with the site. For businesses, cookies enable analytics, personalise content and support targeted advertising. However, they also collect personal information such as IP addresses, device identifiers and browsing behaviour. Because this data can sometimes identify a person, it is subject to data protection laws. The PECR rules are not limited to cookies in the narrow sense: they cover any technology that stores or accesses information on a user's device, including tracking pixels, local storage, scripts and tags and device fingerprinting.
Cookies often involve processing personal data, so the UK GDPR applies alongside PECR. Under PECR, organisations must obtain consent before storing or accessing information on a user’s device, except where the cookie is strictly necessary for a service the user has explicitly requested. Non-essential cookies – including those used for analytics, functionality and marketing – require valid consent, and they must not be set until that consent has been given. With the DUAA bringing PECR penalties into line with UK GDPR levels and the ICO able to demand evidence of compliance, SMEs cannot ignore these obligations.
Categories of Cookies
Understanding the different types of cookies helps you determine which require consent and how to communicate their purpose. The main categories are:
- Strictly Necessary Cookies: These are essential for the website to function, for example for session management, security (such as anti-CSRF tokens) and load balancing. They do not require user consent but must still be explained in your cookie notice. "Necessary for our business" is not the same as "strictly necessary for the service the user asked for": analytics and advertising never fall into this category.
- Performance or Analytics Cookies: These cookies collect data about how visitors use your site, such as which pages they visit and how long they stay. Tools like Google Analytics fall into this category. Because they are not essential, you need consent before placing them.
- Functionality Cookies: These remember user preferences and settings, such as language or region. They enhance the user experience but are not strictly necessary, so consent is required.
- Marketing or Advertising Cookies: These track users across websites to display relevant ads and measure campaign performance. They often involve third parties and require consent to the UK GDPR standard; because they carry the highest privacy risk, they are the category regulators look at first.
Knowing which cookies you use and why you use them is the first step towards compliance.
Consent Requirements Under UK GDPR
Consent under the UK GDPR must be freely given, specific, informed and unambiguous. Pre-ticked boxes, implied consent (for example "by continuing to browse you accept cookies") or bundling consent with other terms are not allowed. Users must understand what they are agreeing to and should be able to withdraw consent as easily as they give it. Your cookie banner should clearly state the categories of cookies, allow users to accept or reject each type, make rejecting all non-essential cookies as easy as accepting them, and link to a detailed cookie policy.
Your cookie notice should explain what cookies are, list the cookies used on your site and describe their purpose, expiry and whether they are set by you or a third party. Athlex’s cookie notice outlines plans to provide a full list of cookie names, purposes and expiry dates. It also reminds users that they can manage preferences via the cookie banner or browser settings. Providing this level of detail helps build trust and meets regulatory expectations.
New Rules Under the DUAA 2025
The Data (Use and Access) Act 2025 amends PECR rather than replacing it. The consent standard itself does not change: cookie banners must be clear and separate from other requests, pre-ticked boxes and implicit consent are not acceptable, and users must have a genuine choice and be able to withdraw consent as easily as they give it. What changes is enforcement, because PECR penalties are brought into line with UK GDPR levels, so a banner defect that was previously cheap to ignore now carries the same maximum fine as a UK GDPR breach. The Act also adds some narrow exceptions to the consent requirement (for example for certain low-risk statistical cookies), but these are subject to conditions and the ICO's guidance on them is still under review, so do not rely on them until that guidance is final. SMEs should audit their cookie practices now rather than waiting for the remaining provisions to be commenced.
Third-Party Cookies and Marketing
Many websites rely on third-party services for analytics, advertising or social media integration. Third-party cookies may be set by companies like Google, LinkedIn or Mailchimp. When you use these services, you remain responsible for informing users about the cookies and obtaining consent. You should list each third party in your cookie notice and link to their own privacy or cookie policies. The DUAA’s focus on electronic marketing rules means that organisations that send targeted ads must be especially careful to document and manage cookie consents.
How to Achieve Compliance
- Audit Your Cookies: Identify all cookies used on your site, their purposes and whether they are first- or third-party. Use your browser's developer tools (the cookie viewer under the Application or Storage tab, and the Set-Cookie response headers in the Network tab) rather than relying on page scripts alone, because cookies flagged HttpOnly are invisible to JavaScript. Pay special attention to scripts, plugins, tag managers and embedded content (video players, social widgets, chat tools) that may add cookies without your knowledge, and repeat the audit with a fresh browser profile so you see what a first-time visitor gets before any choice is made.
- Update Your Cookie Policy: Ensure your cookie policy is comprehensive and up to date. Use clear language to describe each cookie category and its purpose. Provide information about how users can manage their preferences and withdraw consent.
- Implement a Consent Management Platform: Use a compliant cookie banner that allows users to accept or reject cookies by category, with nothing pre-selected. The banner should not obstruct access to strictly necessary services and should not disappear until the user makes a choice. The banner is only half the control: non-essential tags must not load or fire until consent for their category has been recorded, so wire analytics and marketing scripts behind the consent state instead of loading them unconditionally and merely hiding the banner.
- Record Consent: Keep records of user consent, including time stamps, the categories chosen and the version of your cookie policy in place at the time. If the policy changes materially, treat earlier records as expired and ask again. This documentation is essential if regulators investigate your practices.
- Review Third-Party Services: Check that your third-party providers also comply with the UK GDPR and DUAA. You may need to update contracts to ensure they assist with consent management and honour users’ choices.
- Monitor Changes: Cookie laws evolve. Follow updates from the Information Commissioner’s Office and review your cookie practices regularly. The DUAA is being rolled out in stages, so more guidance is expected in the coming months.
Benefits of Compliance
Beyond avoiding fines, strong cookie compliance improves user trust. Transparent communication about how you use data shows that you respect privacy. It can also improve the quality of your analytics because users who knowingly opt in are more engaged. Finally, compliance helps future-proof your business as regulators around the world tighten privacy rules.
Conclusion
Cookies are powerful tools that enhance websites but must be used responsibly. For SMEs, the combination of UK GDPR, PECR and the DUAA 2025 means that cookie compliance is no longer just a technical issue – it is a strategic imperative. By auditing your cookies, updating your policies, obtaining valid consent and keeping clear records, you can meet regulatory requirements and build lasting customer trust. Now is the time to get your cookie house in order, before the remaining provisions of the Act are commenced and the ICO's updated guidance lands.
Running a business in the UK already comes with enough admin to make you question your life choices. Data protection should not be the thing that tips you over the edge.
If you collect personal data (and you probably do, even if it is “just” website enquiries, staff records, or customer emails), you need the basics in place. The good news: UK GDPR compliance is very doable when you focus on what actually matters.
This guide gives you a clear, practical checklist you can work through. No jargon. No panic. Just the steps that reduce risk and build trust.
If you want someone to sanity check it all, Athlex can help too, either one off or as your outsourced DPO. (More on that later.)
What counts as “personal data” in practice?
Personal data is information that can identify someone, directly or indirectly. Think:
- Names, emails, phone numbers
- Customer account details
- IP addresses and online identifiers
- Staff HR files and payroll details
- CCTV footage (yes, still personal data)
If your business collects any of that, UK GDPR applies.
The Athlex UK GDPR checklist
1) Write a privacy notice that matches reality
Your privacy notice is how you meet the transparency requirement: telling people what you do with their data, in a way they can understand. The ICO expects privacy information to include the required points under the transparency obligations (including Articles 13 and 14). (ICO)
Quick win: check your privacy notice answers these questions:
- What data do you collect?
- Why are you collecting it (your purposes)?
- What lawful basis are you relying on?
- Who do you share it with (like processors and platforms)?
- How long do you keep it?
- What rights do people have and how do they use them?
- How can they contact you (and the ICO)?
If your notice is a copy paste from 2019, it is not “fine”. It is a trust leak.
2) Sort your cookies and tracking (because the internet is nosey)
If your website uses analytics, marketing tags, pixels, embedded content, or anything that stores or accesses info on a user’s device, you need to follow the PECR rules on “storage and access technologies”. The ICO’s guidance explicitly covers cookies, tracking pixels, fingerprinting techniques, scripts and tags, and explains that PECR allows this only in certain circumstances or with valid consent. (ICO)
Also worth knowing: the ICO notes its storage and access guidance is under review due to the Data (Use and Access) Act coming into law on 19 June 2025. (ICO)
Quick win:
- Make sure your cookie banner does not pre tick “accept”
- Separate “necessary” from analytics and marketing
- Keep a record of what cookies you use and why
- Offer an easy way to change preferences
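The two checklists on this page (the "How to Achieve Compliance" list in the cookie guide above, and the quick wins just listed) both come down to the same piece of engineering: nothing non-essential is pre-ticked, tags do not run until their category has been accepted, withdrawal is a single action, and every choice is recorded with a timestamp and policy version. The example below is added here to show that logic in working code; it is not Athlex code and not any real consent-management platform. The policy version string, the category names, the tag registry and its script paths are all assumptions chosen for illustration.

```javascript
'use strict';
// Added example (not Athlex code or a real consent-management platform):
// an opt-in consent record plus script gating, so non-essential tags cannot
// run before a choice is made. POLICY_VERSION, the category names and the
// TAGS registry below are assumptions chosen for illustration.

const POLICY_VERSION = '2025-06-19-v1'; // assumed; bump whenever the cookie notice changes

// Only these categories exist; 'necessary' is exempt from consent under PECR.
const CATEGORIES = ['necessary', 'analytics', 'functionality', 'marketing'];

// Hypothetical tag registry: every tag is mapped to exactly one category.
// The src paths are placeholders, not real endpoints.
const TAGS = [
  { id: 'session-keepalive', category: 'necessary',     src: '/tags/session.js' },
  { id: 'ga4',               category: 'analytics',     src: '/tags/ga4.js' },
  { id: 'lang-pref',         category: 'functionality', src: '/tags/lang.js' },
  { id: 'linkedin-insight',  category: 'marketing',     src: '/tags/linkedin.js' },
];

// Starting state: nothing pre-ticked. Every non-essential category stays off
// until the user switches it on explicitly.
function defaultConsent() {
  return { necessary: true, analytics: false, functionality: false, marketing: false };
}

// Build an auditable record from the user's explicit choices. Categories the
// user did not set stay false (opt-in only), unknown keys are ignored, and only
// a literal `true` counts, so a truthy string such as "yes" cannot slip through.
function recordConsent(choices, now = new Date()) {
  const state = defaultConsent();
  for (const [category, value] of Object.entries(choices || {})) {
    if (!CATEGORIES.includes(category) || category === 'necessary') continue;
    state[category] = value === true;
  }
  return { version: POLICY_VERSION, timestamp: now.toISOString(), choices: state };
}

// Withdrawal must be as easy as giving consent: one call resets every
// non-essential category and produces a fresh, timestamped record.
function withdrawConsent(now = new Date()) {
  return recordConsent({}, now);
}

// A stored record only counts if it was given against the current notice.
// A record from an older policy version means the user must be asked again.
function isValidRecord(record) {
  return Boolean(record)
    && record.version === POLICY_VERSION
    && typeof record.choices === 'object' && record.choices !== null;
}

// Fail closed: no record, a stale record or an unknown category all mean "do not load".
function mayLoad(record, category) {
  if (category === 'necessary') return true;
  if (!isValidRecord(record)) return false;
  return record.choices[category] === true;
}

// Inject only the permitted tags. `doc` is the DOM document (or a stand-in
// offering createElement and head.appendChild); returns the ids that were loaded.
function loadAllowedTags(record, doc) {
  const loaded = [];
  for (const tag of TAGS) {
    if (!mayLoad(record, tag.category)) continue;
    const el = doc.createElement('script');
    el.src = tag.src;
    el.async = true;
    doc.head.appendChild(el);
    loaded.push(tag.id);
  }
  return loaded;
}

// The consent record itself is strictly necessary, so it may be stored in a
// first-party cookie or localStorage without consent. Parsing is defensive:
// garbage or a stale version yields null, which mayLoad treats as "no consent".
function serializeRecord(record) {
  return JSON.stringify(record);
}

function parseRecord(text) {
  try {
    const record = JSON.parse(text);
    return isValidRecord(record) ? record : null;
  } catch (err) {
    return null;
  }
}
```

In a browser the flow is: at page start call parseRecord on the stored value; if it is null, show the banner with nothing pre-selected and call loadAllowedTags(null, document) so only the necessary tag runs; once the user chooses, build the record with recordConsent, store serializeRecord's output, and call loadAllowedTags again. Bumping POLICY_VERSION after a material change to the notice automatically invalidates old records and re-prompts. The gating is the part that matters for PECR: a banner that overlays the page while the analytics tag has already fired is not consent, it is decoration.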
3) Create a simple Record of Processing Activities (ROPA)
A ROPA sounds terrifying until you realise it is basically a structured list of what data you use and why.
The ICO has detailed guidance on what needs documenting under Article 30, including things like purposes, categories, recipients, transfers, retention, and security measures. (ICO) And the legal text for Article 30 sets out the core requirements. (Legislation.gov.uk)
Quick win: start with your top 8 to 12 processing activities, usually:
- Website enquiries
- Customer management and service delivery
- Marketing emails
- HR and payroll
- Supplier management
- IT access and security logs
- Finance and accounting records
- CCTV (if used)
You do not need a 200 line spreadsheet on day one. You need a working baseline.
4) Check your lawful bases (and stop guessing)
Most SME processing falls under:
- Contract (you need data to deliver what was bought)
- Legal obligation (payroll, tax, regulatory rules)
- Legitimate interests (some operations and B2B marketing)
- Consent (often marketing, cookies, and optional extras)
Quick win: list your purposes, assign a lawful basis to each, and make sure the privacy notice matches. Consistency is half the battle.
5) Put a DSAR process in place before you get one
A DSAR (data subject access request) is when someone asks for a copy of the personal data you hold about them.
Most businesses mess this up in one of two ways:
- they ignore it because it went to the wrong inbox
- they respond late because nobody owns the process
Quick win DSAR setup:
- Pick an internal owner and a backup
- Create a shared mailbox or ticket tag
- Keep a DSAR log
- Have a standard response template ready
6) Decide when you need a DPIA (and keep it lightweight)
A DPIA is a Data Protection Impact Assessment. It helps you identify and reduce privacy risks when you are doing higher risk processing.
Common triggers include:
- Large scale monitoring
- Using special category data
- Profiling or automated decision making
- New tech or new data sources
Quick win: create a one page “DPIA triage” checklist:
- What are we doing?
- What data is involved?
- What could go wrong for people?
- What controls reduce the risk?
- Do we need to consult anyone?
7) Tighten up supplier contracts
If a supplier processes personal data for you (email marketing platforms, cloud storage, CRM tools, payroll providers), you need the right data protection terms in place.
Quick win:
- List your processors
- Confirm what data they handle
- Ensure you have a contract with data processing terms
- Check where data is stored and whether there are international transfers
This is also one of the quickest ways to look credible in tenders.
8) Have a breach plan that is not just “panic”
Most “small incidents” become big ones because nobody knows what to do in the first hour.
The NCSC’s small business guidance includes practical steps for preparing your response and recovery from a cyber incident. (NCSC)
Quick win breach plan:
- How to contain (disable accounts, isolate devices, preserve evidence)
- Who to notify internally
- How to assess severity and scope
- Draft customer and stakeholder comms
- Clear decision path for regulator notification (a breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of you becoming aware of it, so the clock starts early and someone must own it)
9) Keep only what you need (retention)
If your retention approach is “keep everything forever”, you are making your life harder and your risk bigger.
Quick win: define simple retention rules for the main categories:
- Enquiries and leads
- Customer records
- Marketing lists and suppression lists
- HR data
- Financial records
- CCTV
You can refine later. Start now.
10) Assign accountability (even if you do not “need a DPO”)
Not every business needs a formally appointed Data Protection Officer. But every business needs someone accountable for privacy tasks and decisions.
If you want ongoing support without hiring internally, an outsourced DPO model gives you a named expert, practical answers, and evidence you are taking governance seriously.
Common myths that waste your time
“We are too small for GDPR”
If you process personal data, size is not a magic shield. The rules still apply, and the reputational damage from getting it wrong is often worse for SMEs.
“We have a privacy policy, job done”
A policy is not compliance. It is just a document unless your actual practices match what it says.
“Consent solves everything”
Consent is not the default. It is one lawful basis, and it comes with conditions (freely given, specific, informed, easy to withdraw). Use it when it fits.
What “good” looks like for an SME
You do not need perfection. You need a sensible, defensible baseline.
A good SME setup usually looks like:
- Clear privacy notice and cookie controls (ICO)
- A working ROPA baseline (ICO)
- DSAR process and templates
- DPIA triage and a repeatable approach
- Supplier contract hygiene
- A breach playbook informed by good practice (NCSC)
- Retention rules you can actually follow
That is enough to reduce risk fast, answer tender questions confidently, and sleep slightly better.
FAQs
Do I need a Data Protection Officer in the UK?
Not always. It depends on what you do and the scale and type of processing. Many SMEs do not legally need one, but they still benefit from outsourced DPO support for governance, risk, and credibility.
What is the fastest GDPR win for a small business?
Update your privacy notice and cookie setup, then create a basic ROPA. These are high impact and relatively quick. (ICO)
What should I do if I think we have had a data breach?
Contain first, then confirm facts and scope. Follow a structured response and recovery plan. The NCSC guidance is a strong starting point for SMEs. (NCSC)
Next step: make it simple
If you want a clear baseline without spending weeks reinventing the wheel:
- Use the Athlex templates and toolkits to build your core documents
- Or get ongoing cover with our outsourced DPO service
- Or book a one off review to identify gaps and prioritise fixes
Why Was the DUAA Introduced?
The DUAA aims to modernise the UK’s data protection regime, ensuring that individuals have better control over their personal data while enabling organisations to innovate responsibly. It responds to new technologies, data‑driven business models and concerns about transparency. The Act builds on the UK GDPR framework rather than replacing it, so businesses must view it as complementary rather than separate.
Key Changes under the DUAA
1. Increased Fines for Electronic Marketing
The DUAA raises the maximum penalties for breaches of PECR. Companies can now face fines of up to £17.5 million or 4% of their global turnover, whichever is higher. This brings electronic marketing fines in line with those under the UK GDPR. Any business that sends marketing emails, texts or calls should review consent processes and records to ensure compliance.
2. New Rules Around Cookie Consent
The Act amends the cookie consent rules in PECR, which already apply the UK GDPR standard of consent. Companies must ensure that cookie banners are clear and separate from other requests. Pre-ticked boxes and implied consent are not acceptable. People must have a genuine choice and be able to withdraw consent just as easily as they give it. Because PECR fines now match UK GDPR levels, a non-compliant banner is a far more expensive mistake than it used to be. Businesses should audit their cookie practices, update consent tools so that non-essential tags do not fire before a choice is made, and keep records of consent.
3. Stronger Powers for the ICO
The Information Commissioner’s Office gains broader authority to compel businesses to provide information, reports and interviews as part of investigations. Failure to cooperate may lead to enforcement action. Businesses should keep thorough records of processing activities and be prepared to demonstrate compliance quickly if asked.
4. Expansion of Subject Access Rights
The DUAA reinforces the right to access personal data, requiring more detailed explanations of how data is used and shared. Organisations must be transparent about data sources and how decisions are made using personal data. This ties in closely with DSARs, making it even more important to have a robust process for responding to data requests.
5. Automated Decision‑Making Controls
The Act reforms the rules on automated decision‑making that significantly affects individuals: such decisions are permitted more widely than before, but only with safeguards. Businesses must provide human oversight, tell people that a decision was automated and explain the logic behind it, and allow individuals to contest the decision and ask for human reconsideration. Sectors using AI and machine learning—such as finance, insurance and recruitment—must ensure their systems meet these requirements.
Practical Steps to Comply
1. Audit Your Marketing Activities
Review how you collect and store consent for marketing communications. Ensure you can demonstrate a lawful basis for all electronic marketing. Update marketing databases to remove contacts without valid consent. For B2B marketing, confirm that you are complying with relevant exemptions and that messaging remains within legal boundaries.
2. Update Cookie Policies and Banners
Conduct a cookie audit to understand what tracking technologies your site uses and why. Update your cookie notice to clearly describe categories, purposes and retention periods. Implement a consent management platform if necessary, ensuring that individuals can easily change their preferences.
3. Strengthen Record‑Keeping
Maintain up‑to‑date records of processing activities, including data flows, legal bases, retention periods and third‑party sharing. If the ICO requests evidence of compliance, having organised records demonstrates accountability and saves time. Regularly review and update your records to reflect changes in processing.
4. Review Automated Decision‑Making Processes
Identify any processes that use algorithms or profiles to make decisions that could significantly affect individuals. Assess the legal basis for using automated decisions and whether human oversight is provided. Update privacy notices to explain these processes and develop procedures to address challenges from individuals.
5. Train Staff
Your employees are the first line of defence against non‑compliance. Provide training on the DUAA, focusing on marketing, cookie consent, data subject rights and automated decision‑making. Raise awareness of increased fines and the importance of cooperation with the ICO.
Impact on SMEs
Some SMEs might assume that new legislation primarily targets large corporations. However, the DUAA applies to any organisation processing personal data, regardless of size. Smaller businesses often have limited resources, making it harder to adapt. Yet the cost of non‑compliance—financial penalties and reputational damage—can be far greater than the cost of putting proper systems in place. SMEs should seek professional advice to interpret the Act and prioritise actions based on the data they handle.
How Athlex Supports Your Compliance
Staying on top of evolving data protection laws can be challenging. Athlex specialises in GDPR and privacy compliance for businesses of all sizes. Our consultants can help you conduct a DUAA readiness assessment, update policies and procedures, and train your staff. We provide practical, jargon‑free advice tailored to your industry, ensuring that you understand your obligations and can implement changes effectively. Whether you need a one‑off consultation or ongoing support through our outsourced DPO service, we make compliance manageable.
Looking Ahead
The DUAA is part of a broader trend toward stronger data governance. Businesses should expect further updates as technology evolves and public expectations of privacy grow. By understanding the DUAA and integrating it into your existing compliance framework, you prepare your business for future changes. Adopting a proactive approach—regular audits, employee training and transparent data practices—will position you as a trustworthy organisation in a competitive market.
Conclusion
The Data (Use & Access) Act 2025 introduces significant changes that businesses cannot ignore. Higher fines for marketing violations, tougher cookie rules, expanded subject rights and increased regulatory powers raise the stakes for data protection. By taking practical steps—auditing marketing activities, updating cookie banners, strengthening record‑keeping, reviewing automated decision processes and training staff—you can meet your obligations and build customer confidence. With professional guidance from Athlex, your business can turn compliance into a competitive advantage and navigate the evolving data protection landscape with confidence.
Sign up to our newsletter to receive updates directly to your inbox. You can also read more about DUAA updates to complaints processes in our blog.