Data Breach Prevention: 10 Practical Steps UK SMEs Can Take Today


Why Data Breach Prevention Matters More Than Ever

Data breaches are not just a problem for large corporations. In fact, small and medium-sized enterprises (SMEs) are increasingly targeted by cybercriminals precisely because they often have weaker defences and fewer resources to recover.

Under UK GDPR, a data breach can result in fines of up to £17.5 million or 4% of annual turnover – whichever is higher. But the financial penalty is only part of the story. Breaches damage customer trust, disrupt operations, and can lead to loss of contracts, especially if you work with larger organisations that require supplier compliance.

The good news? Most data breaches are preventable. In this guide, we share 10 practical, actionable steps that UK businesses can take today to reduce their risk and protect personal data.

What Is a Data Breach?

A data breach occurs when personal data is accidentally or unlawfully destroyed, lost, altered, disclosed, or accessed. This includes:

Sending an email to the wrong recipient

Losing an unencrypted laptop or USB stick

A cyberattack that exposes customer records

An employee accessing data they should not see

A supplier failing to protect data you have shared with them

Not every breach requires reporting to the ICO, but all breaches must be assessed, documented, and acted upon. If you are unsure how to respond, our data breach support service can guide you through the process.

10 Practical Steps to Prevent Data Breaches

Train Your Team on Data Protection

Human error is the leading cause of data breaches. Regular GDPR training helps staff understand:

What personal data is and why it matters

How to handle data securely (e.g. encryption, password protection)

What to do if they suspect a breach

The importance of privacy by design

Training does not need to be expensive or time-consuming. Short, practical sessions tailored to your business are far more effective than generic e-learning modules. If you need support, our GDPR training services can help.

Use Strong Passwords and Multi-Factor Authentication (MFA)

Weak passwords are an open door for attackers. Ensure that:

All staff use strong, unique passwords (at least 12 characters, mixing letters, numbers, and symbols)

Passwords are never shared or reused across systems

Multi-factor authentication (MFA) is enabled on all critical systems, especially email, CRM, and cloud storage

Consider using a password manager to make this easier and more secure.

Encrypt Sensitive Data

Encryption protects data even if it is lost or stolen. Apply encryption to:

Laptops, tablets, and mobile devices

USB drives and external hard drives

Email attachments containing personal data

Cloud storage and backup systems

Most modern devices and platforms offer built-in encryption – you just need to enable it.

Limit Access to Personal Data

Not everyone in your business needs access to all data. Implement the principle of least privilege:

Grant access only to those who need it for their role

Use role-based permissions in your CRM, HR, and finance systems

Regularly review and revoke access for leavers or role changes

This reduces the risk of accidental disclosure and insider threats.

Secure Your Email and Avoid Common Mistakes

Email is one of the most common breach vectors. Protect yourself by:

Double-checking recipients before hitting send

Using BCC when emailing multiple people to protect their addresses

Avoiding sending sensitive data via unencrypted email

Enabling spam filters and anti-phishing tools

If you must send personal data by email, use encryption or secure file-sharing platforms.

Vet and Monitor Third-Party Suppliers

Your suppliers can be your weakest link. If a processor you use suffers a breach, you may still be liable. Ensure:

You have a Data Processing Agreement (DPA) in place with every supplier who handles personal data

Contracts include security obligations and breach notification clauses

You conduct due diligence before onboarding new suppliers

Our contract review service can help you assess and improve supplier agreements.

Keep Software and Systems Up to Date

Outdated software is a major security risk. Cybercriminals exploit known vulnerabilities in unpatched systems. Make sure:

Operating systems, browsers, and applications are updated regularly

Security patches are applied promptly

Antivirus and firewall software is active and current

If you use cloud-based tools, check that your providers maintain strong security standards.

Implement a Clear Desk and Clear Screen Policy

Physical security matters too. Encourage staff to:

Lock their screens when away from their desk

Avoid leaving documents containing personal data in plain sight

Shred or securely dispose of paper records

Store laptops and devices securely when not in use

This is especially important in shared or public workspaces.

Have a Data Breach Response Plan

Even with strong prevention measures, breaches can still happen. A clear response plan ensures you act quickly and appropriately:

Identify who is responsible for managing a breach (e.g. your DPO or senior manager)

Know when to report to the ICO (within 72 hours if there is a risk to individuals)

Understand when to notify affected individuals

Document every breach, even if it does not require reporting

If you do not have a plan in place, our outsourced DPO service includes breach response support.

Conduct Regular Data Protection Audits

Prevention is not a one-off task. Regular audits help you:

Identify new risks as your business grows or changes

Ensure policies and procedures are being followed

Update documentation to reflect new systems or suppliers

Demonstrate accountability to regulators, customers, and investors

Our data protection audit service provides an independent, practical review with clear recommendations.

What to Do If a Breach Happens

Despite your best efforts, breaches can still occur. If one does:

Contain it – Stop the breach from getting worse (e.g. disable a compromised account, retrieve a misdirected email)

Assess the risk – What data was involved? How many people? What harm could result?

Notify if required – Report to the ICO within 72 hours if there is a risk to individuals. Notify affected people without undue delay if the risk is high.

Document everything – Record what happened, what you did, and what you will do differently in future

Learn and improve – Update your processes to prevent recurrence

If you need urgent support, get in touch. We provide fast, practical breach response advice.

Final Thoughts

Data breach prevention is not about perfection – it is about reducing risk through practical, consistent action. By implementing these 10 steps, you will significantly strengthen your defences and demonstrate to customers, suppliers, and regulators that you take data protection seriously.

If you would like support assessing your current measures, training your team, or preparing a breach response plan, our team is here to help. We provide practical, affordable data protection services designed for UK SMEs.

Why Every UK Business Needs Data Protection Services


In the digital age, protecting customer data isn’t just good practice – it’s a legal requirement. Since the implementation of GDPR in 2018, UK businesses face unprecedented obligations to safeguard personal information. The consequences of non-compliance can be devastating, with fines reaching up to 4% of annual global turnover or £17.5 million, whichever is higher. This reality makes professional data protection services essential for businesses of all sizes.

Understanding the Data Protection Landscape

The data protection landscape has evolved dramatically over recent years. What once seemed like a concern primarily for large corporations now affects every organisation that processes personal data. From small retail shops collecting customer emails to multinational corporations handling millions of records, the requirements remain equally stringent.

Many business owners underestimate the complexity of data protection regulations. GDPR compliance involves far more than simply adding a privacy policy to your website. It requires a comprehensive understanding of data flows, processing activities, legal bases for processing, and individual rights. The regulations touch every aspect of how organisations collect, store, use, and delete personal information.

The stakes have never been higher. Data breaches make headlines regularly, damaging reputations and resulting in significant financial penalties. In 2023 alone, the Information Commissioner’s Office issued millions of pounds in fines to UK organisations for data protection failures. These weren’t just technology giants – they included healthcare providers, retailers, and local authorities.

The Role of a Data Protection Officer

Under GDPR, certain organisations must appoint a data protection officer. This requirement applies to public authorities, organisations whose core activities involve large-scale systematic monitoring, or those processing special category data on a large scale. However, even when not legally required, having access to DPO services UK businesses can rely on proves invaluable.

A skilled data protection expert brings specialised knowledge that most internal teams lack. They understand the nuances of privacy compliance, stay updated on regulatory changes, and can translate complex legal requirements into practical business processes. Their expertise helps organisations navigate the intricate balance between operational efficiency and regulatory compliance.

The responsibilities of a data protection officer extend far beyond basic compliance tasks. They serve as the primary point of contact with supervisory authorities, conduct privacy impact assessments, provide staff training, and ensure the organisation maintains appropriate technical and organisational measures. This comprehensive role requires both legal knowledge and practical business acumen.

Benefits of Outsourced Data Protection

For many organisations, an outsourced DPO provides the perfect solution. Rather than hiring a full-time specialist, businesses can access expert guidance when needed while controlling costs. This approach offers several distinct advantages that make it particularly attractive for small and medium-sized enterprises.

Cost efficiency stands out as a primary benefit. Hiring a qualified in-house data protection officer commands a significant salary, often exceeding £60,000 annually. Add recruitment costs, ongoing training, and employee benefits, and the investment becomes substantial. Outsourced data protection services provide the same expertise at a fraction of the cost.

Independence represents another crucial advantage. An external GDPR consultant brings objectivity that internal staff might struggle to maintain. They can challenge existing practices, identify vulnerabilities, and recommend changes without concern for internal politics or relationships. This independence proves particularly valuable during audits or investigations.

Flexibility allows organisations to scale support according to their needs. During quiet periods, they might require minimal assistance. When implementing new systems or responding to data subject requests, they can increase support accordingly. This adaptability ensures businesses receive appropriate help without paying for unused capacity.

Common Data Protection Challenges

Modern businesses face numerous data protection challenges. Understanding these common pitfalls helps organisations appreciate why professional support proves so valuable. Many companies struggle with basic requirements, let alone the more complex aspects of compliance.

Data mapping often presents the first hurdle. Organisations frequently lack a clear picture of what personal data they hold, where it’s stored, and how it flows through their systems. Without this fundamental understanding, achieving compliance becomes impossible. Professional services help create comprehensive data inventories that form the foundation of effective data protection strategies.

Consent management creates ongoing headaches for many businesses. GDPR raised the bar for valid consent, requiring it to be freely given, specific, informed, and unambiguous. Many organisations still rely on pre-ticked boxes or buried consent clauses that no longer meet legal standards. Expert guidance ensures consent mechanisms meet current requirements while remaining user-friendly.

Third-party risk management represents another significant challenge. Most businesses share data with suppliers, partners, or service providers. Each relationship creates potential vulnerabilities. Proper data processing agreements, due diligence procedures, and ongoing monitoring help manage these risks effectively.

Data Breach Prevention Strategies

Preventing data breaches requires more than good intentions. It demands systematic approaches to identifying and addressing vulnerabilities before criminals exploit them. Effective data breach prevention combines technical measures, organisational policies, and staff awareness.

Technical safeguards form the first line of defence. Encryption, access controls, and regular security updates help protect data from external threats. However, technology alone isn’t sufficient. Human error remains the leading cause of data breaches, making staff training and awareness crucial components of any prevention strategy.

Incident response planning proves equally important. Despite best efforts, breaches can still occur. Organisations with robust response plans minimise damage and demonstrate accountability to regulators. These plans should detail roles, responsibilities, and procedures for containing breaches, assessing impact, and notifying affected individuals and authorities within required timeframes.

Regular testing validates prevention measures. Penetration testing, vulnerability assessments, and simulated phishing attacks help identify weaknesses before real attackers find them. Professional data protection services include these assessments, ensuring organisations maintain effective defences against evolving threats.

The Future of Data Protection

Data protection requirements will only intensify in coming years. Emerging technologies like artificial intelligence and Internet of Things devices create new privacy challenges. Regulatory frameworks continue evolving to address these developments, making ongoing compliance increasingly complex.

International data transfers face growing scrutiny. Following the Schrems II decision, organisations must carefully assess the legal basis for transferring data outside the UK. New standard contractual clauses and transfer impact assessments add layers of complexity that require expert navigation.

Consumer awareness continues rising. People increasingly understand their data rights and won’t hesitate to exercise them. Organisations must prepare for more data subject requests, complaints, and scrutiny from privacy-conscious customers. Meeting these expectations requires robust processes and knowledgeable staff.

Choosing the Right Support

Selecting appropriate data protection support requires careful consideration. Organisations should evaluate potential providers based on qualifications, experience, and understanding of their specific industry. The right partner combines technical expertise with practical business sense.

Look for providers offering comprehensive services. Basic compliance checking isn’t sufficient – organisations need partners who understand their business, identify risks, and provide pragmatic solutions. The best providers offer ongoing support rather than one-off assessments.

Consider the provider’s approach to knowledge transfer. Effective partners don’t just solve immediate problems – they help organisations build internal capabilities. Through training, documentation, and mentoring, they enable businesses to handle routine matters independently while remaining available for complex issues.

Making Data Protection Work for Your Business

Effective data protection shouldn’t hinder business operations. When implemented properly, it enhances customer trust, improves operational efficiency, and creates competitive advantages. The key lies in finding the right balance between protection and practicality.

Start by understanding your current position. Conduct a thorough assessment of existing practices, identify gaps, and prioritise improvements based on risk and resource availability. Professional support accelerates this process, helping organisations focus efforts where they’ll have maximum impact.

Build data protection into business processes from the outset. Privacy by design principles ensure new projects consider data protection requirements from conception rather than retrofitting compliance later. This approach reduces costs and creates more effective solutions.

Conclusion

Data protection represents both a legal obligation and business opportunity. Organisations that embrace comprehensive data protection strategies build trust, avoid penalties, and position themselves for sustainable growth. While the complexity of requirements can seem overwhelming, professional support makes compliance achievable.

Athlex Ltd provides expert data protection services tailored to UK businesses. Our team of qualified specialists understands the challenges organisations face and delivers practical solutions that balance compliance with operational needs. Whether you need ongoing DPO support or project-based assistance, we help protect your business and your customers’ data. Contact our expert team to discuss how we can support your data protection journey.

Cookie Compliance Under UK GDPR and DUAA 2025: What SMEs Need to Know


Cookies are a core part of modern web design. They keep your shopping cart items in place, remember your language preference and help websites understand how visitors use their pages. Yet cookies also raise significant privacy concerns. In the United Kingdom, the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR) govern how organisations can deploy cookies. The forthcoming Data (Use & Access) Act 2025 (DUAA) strengthens these rules, making cookie compliance even more important for small and medium-sized enterprises (SMEs). This guide explains the types of cookies, why consent matters and how to align your practices with the law.

What Are Cookies and Why Do They Matter?

A cookie is a small text file placed on your device when you visit a website. Cookies help sites function properly, remember your preferences and understand how visitors interact with the site. For businesses, cookies enable analytics, personalise content and support targeted advertising. However, they also collect personal information such as IP addresses, device identifiers and browsing behaviour. Because this data can sometimes identify a person, it is subject to data protection laws.

The UK GDPR recognises that cookies involve processing personal data. Under PECR, organisations must obtain consent before storing or accessing information on a user’s device, except where the cookie is strictly necessary for the service requested by the user. Non-essential cookies – including those used for analytics, functionality and marketing – require valid consent. With regulators imposing higher fines and the DUAA raising the bar for accountability, SMEs cannot ignore these obligations.

Categories of Cookies

Understanding the different types of cookies helps you determine which require consent and how to communicate their purpose. The main categories are:

  • Strictly Necessary Cookies: These are essential for the website to function, for example for security and load balancing. They do not require user consent but must still be explained in your cookie notice.
  • Performance or Analytics Cookies: These cookies collect data about how visitors use your site, such as which pages they visit and how long they stay. Tools like Google Analytics fall into this category. Because they are not essential, you need consent before placing them.
  • Functionality Cookies: These remember user preferences and settings, such as language or region. They enhance the user experience but are not strictly necessary, so consent is required.
  • Marketing or Advertising Cookies: These track users across websites to display relevant ads and measure campaign performance. They often involve third parties and require explicit consent.

Knowing which cookies you use and why you use them is the first step towards compliance.

Consent Requirements Under UK GDPR

Consent under the UK GDPR must be freely given, specific, informed and unambiguous. Pre-ticked boxes, implied consent or bundling consent with other terms are not allowed. Users must understand what they are agreeing to and should be able to withdraw consent as easily as they give it. Your cookie banner should clearly state the categories of cookies, allow users to accept or reject each type and link to a detailed cookie policy.

Your cookie notice should explain what cookies are, list the cookies used on your site and describe their purpose, expiry and whether they are set by you or a third party. Athlex’s cookie notice outlines plans to provide a full list of cookie names, purposes and expiry dates. It also reminds users that they can manage preferences via the cookie banner or browser settings. Providing this level of detail helps build trust and meets regulatory expectations.

New Rules Under the DUAA 2025

The Data (Use & Access) Act 2025 introduces stricter requirements for cookie consent. The Act clarifies that cookie banners must be clear and separate from other requests. It confirms that pre-ticked boxes and implicit consent are not acceptable and that users must have a genuine choice and be able to withdraw consent as easily as they give it. These rules reinforce existing UK GDPR principles but emphasise enforcement. SMEs should audit their cookie practices now to prepare for these changes.

Third-Party Cookies and Marketing

Many websites rely on third-party services for analytics, advertising or social media integration. Third-party cookies may be set by companies like Google, LinkedIn or Mailchimp. When you use these services, you remain responsible for informing users about the cookies and obtaining consent. You should list each third party in your cookie notice and link to their own privacy or cookie policies. The DUAA’s focus on electronic marketing rules means that organisations that send targeted ads must be especially careful to document and manage cookie consents.

How to Achieve Compliance

  1. Audit Your Cookies: Identify all cookies used on your site, their purposes and whether they are first- or third-party. Pay special attention to scripts and plugins that may add cookies without your knowledge.
  2. Update Your Cookie Policy: Ensure your cookie policy is comprehensive and up to date. Use clear language to describe each cookie category and its purpose. Provide information about how users can manage their preferences and withdraw consent.
  3. Implement a Consent Management Platform: Use a compliant cookie banner that allows users to accept or reject cookies by category. The banner should not obstruct access to strictly necessary services and should not disappear until the user makes a choice.
  4. Record Consent: Keep records of user consent, including time stamps and the version of your cookie policy in place at the time. This documentation is essential if regulators investigate your practices.
  5. Review Third-Party Services: Check that your third-party providers also comply with the UK GDPR and DUAA. You may need to update contracts to ensure they assist with consent management and honour users’ choices.
  6. Monitor Changes: Cookie laws evolve. Follow updates from the Information Commissioner’s Office and review your cookie practices regularly. The DUAA is being rolled out in stages, so more guidance is expected in the coming months.

Benefits of Compliance

Beyond avoiding fines, strong cookie compliance improves user trust. Transparent communication about how you use data shows that you respect privacy. It can also improve the quality of your analytics because users who knowingly opt in are more engaged. Finally, compliance helps future-proof your business as regulators around the world tighten privacy rules.

Conclusion

Cookies are powerful tools that enhance websites but must be used responsibly. For SMEs, the combination of UK GDPR, PECR and the upcoming DUAA 2025 means that cookie compliance is no longer just a technical issue – it is a strategic imperative. By auditing your cookies, updating your policies, obtaining valid consent and keeping clear records, you can meet regulatory requirements and build lasting customer trust. Now is the time to get your cookie house in order before the new rules take effect.


The Top ICO Enforcement Trends SMEs Must Act On in 2025

And How to Get Ahead

The UK’s data-protection landscape is evolving fast, and SMEs are now directly exposed to enforcement action once largely associated with public bodies or large multinationals. As BDO’s analysis of ICO enforcement trends in 2025 highlights, the ICO is increasingly focused on fundamental compliance failures rather than technical edge cases, meaning SMEs face the same expectations as larger organisations.

To help UK SMEs stay ahead, this guide breaks down the three most prominent ICO enforcement themes in 2025 and explains how each relates directly to the core duties under UK GDPR.

ICO Enforcement Trend 1: DSAR Delays & Right-of-Access Failures

The ICO continues to treat DSAR delays as one of the most serious indicators of poor governance. This theme appears repeatedly in enforcement notices and aligns closely with the BDO analysis.

A recent example is the enforcement notice issued to South Wales Police, requiring the organisation to clear a backlog of more than 350 overdue SARs by mid-2026.

Although policing bodies sit in a unique context, the principle is identical for SMEs: a delayed, incomplete, or mismanaged DSAR is a governance failure, not an administrative error.

Why SMEs are vulnerable

  • DSAR processes are often informal or undocumented
  • Staff rely on untracked shared inboxes that hamper compliance
  • Manual redaction takes longer than expected and slows response times
  • Identity verification checks are inconsistent or incomplete
  • No clear owner is assigned to coordinate DSAR responses

Consequently, SMEs often fail “by accident”, simply because processes were never clearly built.

What SMEs should do

  • Implement a formal DSAR register
  • Use standardised verification templates
  • Assign responsibility for triage and drafting
  • Create a redaction decision record
  • Test your DSAR workflow every six months

See how Athlex Data Protection can help you with your UK GDPR compliance.

To strengthen your position, Athlex Data Protection includes DSAR review as part of its Free UK GDPR Compliance Audit.

ICO Enforcement Trend 2: System Errors & Data-Accuracy Failures

While many SMEs assume breaches are caused by sophisticated threat actors, the ICO’s recent fines show that basic security failings, particularly around access control and system configuration, remain the driving force behind most incidents. This is why BDO identifies weak security controls as a recurring enforcement theme.

A clear example of this is the £3.07 million fine issued to Advanced Computer Software Group (“Advanced”), a major processor used across the UK health and education sectors.

What happened

A ransomware attack exploited several preventable vulnerabilities, including:

  • inadequate access controls,
  • outdated software components,
  • unpatched critical systems, and
  • insufficient segregation of sensitive data.

Because Advanced was acting as a data processor, the incident demonstrated that processors are not insulated from ICO enforcement. Importantly, the ICO highlighted that robust Article 32 security measures apply equally to processors and controllers — a point many SMEs overlook when relying on third-party suppliers.

Why this matters for SMEs

Many SMEs rely on external IT providers, SaaS dashboards, or outsourced infrastructure. Consequently, they often inherit a false sense of security. Yet, as the Advanced case shows:

  • unpatched systems,
  • misconfigured access rights, and
  • weak administrator controls can create breach pathways that affect both the processor and its clients.

Furthermore, the ICO’s commentary stresses that technical misconfiguration is increasingly treated as a governance failure, not an unavoidable risk. In other words, SMEs are expected to demonstrate continuous security management – not reactive fixes after an incident.

What SMEs should do now

To reduce exposure to similar enforcement action:

  • Conduct regular patch-management reviews and document them.
  • Enforce multi-factor authentication on every administrative and remote-access account.
  • Validate that third-party systems use secure configuration baselines.
  • Request evidence: recent pen-test summaries, MFA logs, and architecture diagrams showing data segregation.

ICO Enforcement Trend 3: Supply-Chain & Vendor Risk Is Now the Biggest Exposure

BDO notes that third-party suppliers are involved in a significant proportion of enforcement cases. This is evident across recent ICO actions.

A major example is the £14 million fine issued to Capita following a cyber incident that exposed the data of over 6 million people.

The ICO criticised:

  • slow isolation of the breach,
  • insufficient monitoring,
  • weak patching practices, and
  • inadequate oversight of third-party systems.

Similarly, the Upper Tribunal’s Clearview ruling confirmed that even overseas vendors fall under UK GDPR if they monitor UK residents.

Why SMEs must pay attention

SMEs are more dependent than ever on external providers – IT contractors, payroll services, marketing platforms, CRMs, SaaS tools, cloud storage, etc. Consequently, the regulator expects SMEs to:

  • verify supplier security
  • assess processors before onboarding
  • maintain a vendor register
  • require evidence of compliance
  • include audit rights and termination clauses

In other words, your compliance is only as strong as your weakest vendor.

What SMEs should do

  • Inventory all suppliers with data access
  • Request evidence: certifications, test summaries, logs
  • Ensure processor contracts meet Article 28 requirements
  • Assess vendors annually (high-risk: quarterly)

The Athlex Data Protection free audit highlights exactly where your vendor chain poses compliance risk.

ICO Enforcement Trend 4: Governance, Documentation & Accountability Are Under the Microscope

BDO’s report highlights that the ICO is increasingly examining how decisions are made, not just whether breaches occur. Good governance – leadership awareness, documented decisions, risk logs, and internal reporting structures — is now a major enforcement factor.

This aligns with the ICO’s call for views on new enforcement-procedural guidance, signalling more transparent and structured regulatory processes.

This means SMEs are expected to show:

  • clear data-protection ownership
  • leadership engagement
  • meaningful internal reporting
  • documented risk assessments and decisions
  • evidence of proactive compliance

How SMEs Can Stay Ahead – Starting Today

To prepare for these enforcement trends, SMEs should immediately focus on:
✔ DSAR workflows
✔ Data-accuracy controls
✔ Vendor oversight
✔ Incident readiness
✔ Governance documentation

And the simplest way to begin?

Use Athlex Data Protection’s Free UK GDPR Compliance Audit tool.

To read more about the biggest UK GDPR risks for SMEs, see our blog: Inside Out: Why Insider Risk Is the Biggest UK GDPR Blind Spot for SMEs.

It covers DSARs, access controls, vendor risk, system accuracy, governance, and incident readiness – all mapped into a clear action plan.

Understanding the Data (Use & Access) Act 2025: What UK Businesses Need to Know


Why Was the DUAA Introduced?

The DUAA aims to modernise the UK’s data protection regime, ensuring that individuals have better control over their personal data while enabling organisations to innovate responsibly. It responds to new technologies, data‑driven business models and concerns about transparency. The Act builds on the UK GDPR framework rather than replacing it, so businesses must view it as complementary rather than separate.

Key Changes under the DUAA

1. Increased Fines for Electronic Marketing

The DUAA raises the maximum penalties for breaches of PECR. Companies can now face fines of up to £17.5 million or 4% of their global turnover, whichever is higher. This brings electronic marketing fines in line with those under the UK GDPR. Any business that sends marketing emails, texts or calls should review consent processes and records to ensure compliance.

2. New Rules Around Cookie Consent

The Act introduces stricter requirements for cookie consent under UK GDPR. Companies must ensure that cookie banners are clear and separate from other requests. Pre-ticked boxes and implied consent are not acceptable. People must have a genuine choice and be able to withdraw consent just as easily as they give it. Businesses should audit their cookie practices, update consent tools and keep records of consent.

3. Stronger Powers for the ICO

The Information Commissioner’s Office gains broader authority to compel businesses to provide information, reports and interviews as part of investigations. Failure to cooperate may lead to enforcement action. Businesses should keep thorough records of processing activities and be prepared to demonstrate compliance quickly if asked.

4. Expansion of Subject Access Rights

The DUAA reinforces the right to access personal data, requiring more detailed explanations of how data is used and shared. Organisations must be transparent about data sources and how decisions are made using personal data. This ties in closely with DSARs, making it even more important to have a robust process for responding to data requests.

5. Automated Decision‑Making Controls

The Act introduces new restrictions on automated decision‑making that significantly affects individuals. Businesses must provide human oversight, explain the logic behind decisions and allow individuals to contest them. Sectors using AI and machine learning—such as finance, insurance and recruitment—must ensure their systems meet these requirements.

Practical Steps to Comply

1. Audit Your Marketing Activities

Review how you collect and store consent for marketing communications. Ensure you can demonstrate a lawful basis for all electronic marketing. Update marketing databases to remove contacts without valid consent. For B2B marketing, confirm that you are complying with relevant exemptions and that messaging remains within legal boundaries.

2. Update Cookie Policies and Banners

Conduct a cookie audit to understand what tracking technologies your site uses and why. Update your cookie notice to clearly describe categories, purposes and retention periods. Implement a consent management platform if necessary, ensuring that individuals can easily change their preferences.

3. Strengthen Record‑Keeping

Maintain up‑to‑date records of processing activities, including data flows, legal bases, retention periods and third‑party sharing. If the ICO requests evidence of compliance, having organised records demonstrates accountability and saves time. Regularly review and update your records to reflect changes in processing.

4. Review Automated Decision‑Making Processes

Identify any processes that use algorithms or profiles to make decisions that could significantly affect individuals. Assess the legal basis for using automated decisions and whether human oversight is provided. Update privacy notices to explain these processes and develop procedures to address challenges from individuals.

5. Train Staff

Your employees are the first line of defence against non‑compliance. Provide training on the DUAA, focusing on marketing, cookie consent, data subject rights and automated decision‑making. Raise awareness of increased fines and the importance of cooperation with the ICO.

Impact on SMEs

Some SMEs might assume that new legislation primarily targets large corporations. However, the DUAA applies to any organisation processing personal data, regardless of size. Smaller businesses often have limited resources, making it harder to adapt. Yet the cost of non‑compliance—financial penalties and reputational damage—can be far greater than the cost of putting proper systems in place. SMEs should seek professional advice to interpret the Act and prioritise actions based on the data they handle.

How Athlex Supports Your Compliance

Staying on top of evolving data protection laws can be challenging. Athlex specialises in GDPR and privacy compliance for businesses of all sizes. Our consultants can help you conduct a DUAA readiness assessment, update policies and procedures, and train your staff. We provide practical, jargon‑free advice tailored to your industry, ensuring that you understand your obligations and can implement changes effectively. Whether you need a one‑off consultation or ongoing support through our outsourced DPO service, we make compliance manageable.

Looking Ahead

The DUAA is part of a broader trend toward stronger data governance. Businesses should expect further updates as technology evolves and public expectations of privacy grow. By understanding the DUAA and integrating it into your existing compliance framework, you prepare your business for future changes. Adopting a proactive approach—regular audits, employee training and transparent data practices—will position you as a trustworthy organisation in a competitive market.

Conclusion

The Data (Use & Access) Act 2025 introduces significant changes that businesses cannot ignore. Higher fines for marketing violations, tougher cookie rules, expanded subject rights and increased regulatory powers raise the stakes for data protection. By taking practical steps—auditing marketing activities, updating cookie banners, strengthening record‑keeping, reviewing automated decision processes and training staff—you can meet your obligations and build customer confidence. With professional guidance from Athlex, your business can turn compliance into a competitive advantage and navigate the evolving data protection landscape with confidence.

Sign up to our newsletter to receive updates directly to your inbox. You can also read more about DUAA updates to complaints processes in our blog.