Understanding the Data (Use & Access) Act 2025: What UK Businesses Need to Know


Why Was the DUAA Introduced?

The DUAA aims to modernise the UK’s data protection regime, ensuring that individuals have better control over their personal data while enabling organisations to innovate responsibly. It responds to new technologies, data‑driven business models and concerns about transparency. The Act builds on the UK GDPR framework rather than replacing it, so businesses must view it as complementary rather than separate.

Key Changes under the DUAA

1. Increased Fines for Electronic Marketing

The DUAA raises the maximum penalties for breaches of PECR. Companies can now face fines of up to £17.5 million or 4% of their global turnover, whichever is higher. This brings electronic marketing fines in line with those under the UK GDPR. Any business that sends marketing emails, texts or calls should review consent processes and records to ensure compliance.

2. New Rules Around Cookie Consent

The Act introduces stricter requirements for cookie consent under UK GDPR. Companies must ensure that cookie banners are clear and separate from other requests. Pre-ticked boxes and implied consent are not acceptable. People must have a genuine choice and be able to withdraw consent just as easily as they give it. Businesses should audit their cookie practices, update consent tools and keep records of consent.

3. Stronger Powers for the ICO

The Information Commissioner’s Office gains broader authority to compel businesses to provide information, reports and interviews as part of investigations. Failure to cooperate may lead to enforcement action. Businesses should keep thorough records of processing activities and be prepared to demonstrate compliance quickly if asked.

4. Expansion of Subject Access Rights

The DUAA reinforces the right to access personal data, requiring more detailed explanations of how data is used and shared. Organisations must be transparent about data sources and how decisions are made using personal data. This ties in closely with DSARs, making it even more important to have a robust process for responding to data requests.

5. Automated Decision‑Making Controls

The Act introduces new restrictions on automated decision‑making that significantly affects individuals. Businesses must provide human oversight, explain the logic behind decisions and allow individuals to contest them. Sectors using AI and machine learning—such as finance, insurance and recruitment—must ensure their systems meet these requirements.

Practical Steps to Comply

1. Audit Your Marketing Activities

Review how you collect and store consent for marketing communications. Ensure you can demonstrate a lawful basis for all electronic marketing. Update marketing databases to remove contacts without valid consent. For B2B marketing, confirm that you are complying with relevant exemptions and that messaging remains within legal boundaries.

2. Update Cookie Policies and Banners

Conduct a cookie audit to understand what tracking technologies your site uses and why. Update your cookie notice to clearly describe categories, purposes and retention periods. Implement a consent management platform if necessary, ensuring that individuals can easily change their preferences.

3. Strengthen Record‑Keeping

Maintain up‑to‑date records of processing activities, including data flows, legal bases, retention periods and third‑party sharing. If the ICO requests evidence of compliance, having organised records demonstrates accountability and saves time. Regularly review and update your records to reflect changes in processing.

4. Review Automated Decision‑Making Processes

Identify any processes that use algorithms or profiles to make decisions that could significantly affect individuals. Assess the legal basis for using automated decisions and whether human oversight is provided. Update privacy notices to explain these processes and develop procedures to address challenges from individuals.

5. Train Staff

Your employees are the first line of defence against non‑compliance. Provide training on the DUAA, focusing on marketing, cookie consent, data subject rights and automated decision‑making. Raise awareness of increased fines and the importance of cooperation with the ICO.

Impact on SMEs

Some SMEs might assume that new legislation primarily targets large corporations. However, the DUAA applies to any organisation processing personal data, regardless of size. Smaller businesses often have limited resources, making it harder to adapt. Yet the cost of non‑compliance—financial penalties and reputational damage—can be far greater than the cost of putting proper systems in place. SMEs should seek professional advice to interpret the Act and prioritise actions based on the data they handle.

How Athlex Supports Your Compliance

Staying on top of evolving data protection laws can be challenging. Athlex specialises in GDPR and privacy compliance for businesses of all sizes. Our consultants can help you conduct a DUAA readiness assessment, update policies and procedures, and train your staff. We provide practical, jargon‑free advice tailored to your industry, ensuring that you understand your obligations and can implement changes effectively. Whether you need a one‑off consultation or ongoing support through our outsourced DPO service, we make compliance manageable.

Looking Ahead

The DUAA is part of a broader trend toward stronger data governance. Businesses should expect further updates as technology evolves and public expectations of privacy grow. By understanding the DUAA and integrating it into your existing compliance framework, you prepare your business for future changes. Adopting a proactive approach—regular audits, employee training and transparent data practices—will position you as a trustworthy organisation in a competitive market.

Conclusion

The Data (Use & Access) Act 2025 introduces significant changes that businesses cannot ignore. Higher fines for marketing violations, tougher cookie rules, expanded subject rights and increased regulatory powers raise the stakes for data protection. By taking practical steps—auditing marketing activities, updating cookie banners, strengthening record‑keeping, reviewing automated decision processes and training staff—you can meet your obligations and build customer confidence. With professional guidance from Athlex, your business can turn compliance into a competitive advantage and navigate the evolving data protection landscape with confidence.

Sign up to our newsletter to receive updates directly to your inbox. You can also read more about DUAA updates to complaints processes in our blog.

The 72 Hour Rule for UK GDPR Breach Reporting

The 72 Hour Rule for UK GDPR Breach Reporting: A Plain English Guide for SMEs

When a personal‑data breach occurs, there are two key questions:

  1. When must we notify the regulator?
  2. How should we handle things internally to reduce risk, cost and reputational damage?

Lately, it feels like data breaches are never out of the headlines. From Marks & Spencer’s loyalty leak to Jaguar Land Rover’s ransomware hit, UK businesses are being tested on how fast and how well they respond.

For SMEs, understanding the 72‑hour rule under the UK GDPR isn’t just about avoiding fines; it’s your fire drill, your buffer, your business continuity plan.

What is a “personal data breach”?

A personal data breach under the UK GDPR is any security incident that results in:

  • Accidental or unlawful destruction or loss of personal data
  • Loss of availability, for example through ransomware or system failures
  • Alteration or corruption of data that makes records inaccurate
  • Unauthorised disclosure of, or unauthorised access to, personal data

It doesn’t take a hacker: mis-sent emails, misplaced USB drives, or wrongly configured cloud folders all qualify.

The “72-hour rule” – what it really means

The law doesn’t give you three full days to get your act together. It says:
“Without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach.”

That means:

  • If you can report sooner, you should.
  • If you miss the deadline, you must justify why.
  • And no – “we were still checking with IT” won’t cut it.

Step-by-step: what SMEs should do

✅ Recognise the incident

Use monitoring, logging, and staff escalation to detect breaches fast.

✅ Assess the risk

Ask: what is the risk to the individual? Is there a risk of identity fraud, financial or physical harm, or distress? We provide more guidance on this below.

✅ Decide whether to report to the ICO

Ask: what is the harm to the individual(s)? Then decide whether you need to report the breach. If you are not reporting, you must keep a log with clear reasoning.

✅ Notify the regulator if the breach is likely to result in a risk of harm to individuals

Use the ICO breach reporting form and include:

  • What happened
  • What data and the number of people affected
  • Consequences
  • What you have done to reduce the risks
  • DPO or contact point

✅ Notify individuals (if high risk)

If the breach presents a high risk to the people affected (e.g. financial, reputational or emotional harm), you must tell them directly – without undue delay. This could be where there is an immediate risk of financial or physical harm to an individual.

✅ Remediate and document

Do a root-cause review to be clear about why it happened and how you will prevent it happening again. Update controls. Train staff. Write it all down.

Is the breach reportable? How to decide

Not every breach needs to be reported to the ICO – but many are. And the line between “notify” and “log it internally” isn’t always obvious.

Under the UK GDPR, a breach must be reported to the regulator if it is:

“likely to result in a risk to the rights and freedoms of individuals.”

This includes risks like:

  • Identity theft or fraud
  • Financial loss
  • Loss of confidentiality
  • Discrimination or reputational harm
  • Distress, particularly where vulnerable people are affected

But what does “likely” mean in practice?

That’s where judgment, experience, and knowledge of ICO enforcement come in. You’ll need to assess:

  • What kind of data was involved? (Basic contact details or sensitive health, financial, or identity data?)
  • How exposed was it? (Sent to one person or published online?)
  • How long was it accessible?
  • Is there evidence it was accessed or misused?
  • Could individuals suffer harm or distress as a result?

This isn’t a binary “yes/no” — it’s a context-led risk decision. And it’s one the ICO expects you to document thoroughly.

💡 If you decide not to report, you still need to record:

  • The nature of the breach
  • The decision-making process
  • Why you believe notification wasn’t required
  • Any steps taken to contain or prevent recurrence

📚 Many SMEs benefit from looking at recent ICO cases, guidance, and fines. These real-world examples show how risk is interpreted — and where organisations got it wrong by waiting too long, misjudging impact, or failing to document decisions.

🗂️ Bottom line: if you’re unsure, log your reasoning and seek advice. Whether you notify or not, the ICO cares most about whether you acted promptly, documented clearly, and protected individuals’ rights.

Common SME mistakes

  • No breach detection tools in place
  • Waiting too long to decide what to do
  • Not documenting decisions
  • Assuming “we’re too small to be a target”
  • Launching new systems without updating privacy notices or contracts

Why SMEs should care

📣 From M&S to Jaguar Land Rover, breaches are everywhere.

But the risk isn’t just for corporates:

  • SMEs are common stepping stones in larger supply chains
  • Many attacks fly under the radar but cause huge disruption
  • The ICO doesn’t care how small you are if you’re unprepared

💥 Capita was fined £14m for poor breach handling.
🧾 Don’t wait for yours to become a headline.

SME breach-response checklist

  • Do you have a documented, tested response plan?
  • Are your logs and alerts functioning?
  • Have staff been trained on what to do?
  • Do your contracts cover breach reporting?
  • Do you review and record every incident, even the “minor” ones?

Related on Athlex: Prevent insider risk

Most breaches start from inside your business.
📘 Read: Insider Risk — 7 GDPR Controls for SMEs

Final word

The 72-hour rule is not just a regulatory tick-box; it’s your first defence.

Plan it. Test it. Use it.
And when a breach happens, act fast and document everything.

Contact us if you need help: hello@athlex.co.uk
Our Free UK GDPR Compliance Checklist is coming soon.

Inside Out: Why Insider Risk Is the Biggest UK GDPR Blind Spot for SMEs

The risk that sits at your own desk

Most data incidents don’t start with outsiders. They start with someone who already has access: an employee exporting a list to a personal inbox “to finish later,” a contractor browsing records “out of curiosity,” or a former staff member whose account was never disabled. The UK Information Commissioner’s Office (ICO) expects organisations to prevent this through proportionate technical and organisational measures, and to assess and report personal data breaches appropriately. See the ICO’s guidance on personal data breaches.

Insider risk is the gap between “we have policies” and “we actually control who can see what, when, and why.” This guide turns that gap into seven practical controls you can implement this quarter.

7 Practical UK GDPR controls to reduce insider risk

1) Least-privilege access with clean joiner/mover/leaver (JML) flows

Do this:

  • Map each role to specific datasets and grant only the minimum access required.
  • Automate joiner, mover and leaver provisioning through your HRIS so accounts are created and removed promptly.
  • Ban shared credentials and require multi-factor authentication on every account.

Outcome: Access is limited to what’s necessary, changes are applied promptly when people join, move or leave, and you can evidence necessity and proportionality under UK GDPR security and privacy-by-design requirements.
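One way to put the leaver and least-privilege checks above into a repeatable control, as an added example that is not part of the original post: reconcile an HRIS roster against an identity provider export and flag leavers whose accounts are still enabled, accounts with no HRIS record, accounts without MFA, and group memberships beyond what the role needs. The HRIS, IdP, role and dataset names are constructed for the example; a real run would pull the two sides from the HRIS and IdP APIs.

```python
from datetime import date

# Constructed sample data (not from the post): HRIS roster and IdP account export,
# flattened to dicts. Real integrations would fetch these from the HRIS/IdP APIs.
HRIS = {
    "alice": {"status": "active", "role": "finance", "left": None},
    "bob":   {"status": "left",   "role": "sales",   "left": date(2025, 2, 28)},
    "carol": {"status": "active", "role": "support", "left": None},
}
IDP = {
    "alice": {"enabled": True, "mfa": True,  "groups": {"finance-ledger", "hr-payroll"}},
    "bob":   {"enabled": True, "mfa": True,  "groups": {"crm-contacts"}},
    "carol": {"enabled": True, "mfa": False, "groups": {"ticketing"}},
    "dave":  {"enabled": True, "mfa": True,  "groups": {"crm-contacts"}},
}
# Least-privilege map: each role is granted only the datasets it needs (assumed names).
ROLE_DATASETS = {
    "finance": {"finance-ledger"},
    "sales":   {"crm-contacts"},
    "support": {"ticketing"},
}


def reconcile(hris, idp, role_datasets, today):
    """Return (user, finding, detail) tuples for every account that breaks a JML or
    least-privilege rule. Findings are ordered by IdP account for stable review output."""
    findings = []
    for user, acct in idp.items():
        person = hris.get(user)
        if person is None:
            # Account exists in the IdP but nobody in HR owns it: classic orphan/shared account.
            findings.append((user, "orphan_account", "no HRIS record"))
            continue
        if person["status"] == "left" and acct["enabled"]:
            # Leaver flow failed: the account should have been disabled on the leaving date.
            overdue = (today - person["left"]).days
            findings.append((user, "leaver_still_enabled", f"{overdue} days after leaving"))
            continue
        if acct["enabled"] and not acct["mfa"]:
            findings.append((user, "mfa_missing", "enabled account without MFA"))
        # Mover drift: groups accumulated beyond the current role's dataset map.
        excess = acct["groups"] - role_datasets.get(person["role"], set())
        if excess:
            findings.append((user, "excess_access", ",".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for finding in reconcile(HRIS, IDP, ROLE_DATASETS, date(2025, 3, 10)):
        print(*finding, sep="\t")
```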

2) Evidence you can trust: logs and audit trails

Do this:

  • Log views, exports, deletions and permission changes across core systems.
  • Centralise logs and alert on unusual patterns, such as mass lookups or out-of-hours exports.
  • A Security Information and Event Management tool helps, but start with built-in logs if that’s what you have.

Outcome: You can confirm what happened quickly, assess risk to individuals, and make accurate, timely notification decisions.
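The two alert patterns named above (mass lookups and out-of-hours exports or permission changes) run over a constructed audit log, as an added example that is not part of the original post. The log format, the 5-minute window, the lookup threshold and the business hours are all assumptions; adjust them to your own systems' logs and working pattern.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit log (not from the post): timestamp, user, action, record count.
SAMPLE_LOG = """\
2025-03-03T09:12:04 alice VIEW 1
2025-03-03T09:12:31 alice VIEW 1
2025-03-03T09:13:02 alice VIEW 1
2025-03-03T09:13:40 alice VIEW 1
2025-03-03T09:14:15 alice VIEW 1
2025-03-03T09:14:50 alice VIEW 1
2025-03-03T11:02:10 bob EXPORT 250
2025-03-03T23:41:55 bob EXPORT 4000
2025-03-04T02:15:00 carol PERMISSION_CHANGE 0
"""

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 30)   # assumed working day
MASS_LOOKUP_THRESHOLD = 5     # assumed: more than 5 VIEWs inside WINDOW_SECONDS is suspicious
WINDOW_SECONDS = 300
OUT_OF_HOURS_ACTIONS = {"EXPORT", "PERMISSION_CHANGE"}


def parse_log(text):
    """Parse whitespace-separated lines into (timestamp, user, action, count) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(count)))
    return events


def mass_lookups(events):
    """Users who viewed more than MASS_LOOKUP_THRESHOLD records in any sliding window."""
    per_user = defaultdict(list)
    for ts, user, action, _ in events:
        if action == "VIEW":
            per_user[user].append(ts)
    alerts = set()
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Advance the window start until the window fits inside WINDOW_SECONDS.
            while (stamps[end] - stamps[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            if end - start + 1 > MASS_LOOKUP_THRESHOLD:
                alerts.add(user)
                break
    return alerts


def out_of_hours(events):
    """Sensitive actions performed outside business hours, in log order."""
    return [(user, ts.isoformat(), action, count) for ts, user, action, count in events
            if action in OUT_OF_HOURS_ACTIONS
            and not (BUSINESS_START <= ts.time() <= BUSINESS_END)]


def run_alerts(text):
    events = parse_log(text)
    return {"mass_lookups": sorted(mass_lookups(events)), "out_of_hours": out_of_hours(events)}
```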

3) Stop the leak before it starts: Data Loss Prevention (DLP) and redaction

Do this:

  • Configure DLP rules for email, cloud storage and endpoints.
  • Auto-redact sensitive fields in routine exports and reports.

Outcome: Accidental oversharing is blocked by default, and special category data stays tightly controlled.

4) Device and workspace controls that actually work

Do this:

  • Enrol all company and Bring Your Own Device (BYOD) endpoints in Mobile Device Management (MDM). Require disk encryption and screen lock.
  • Disable local downloads for high-risk roles; restrict screenshots or copy/paste in sensitive apps where feasible.

Outcome: Data remains in managed environments and is harder to extract via quick workarounds.

5) Processor hygiene: vendor minimums and escalation paths

Do this:

  • Bake minimum security measures, prompt breach notification, and audit rights into processor contracts.
  • Maintain a single vendor risk register with owners and review dates.

Outcome: Third parties stop being “insiders by proxy” without accountability, and you have a clear path when something goes wrong.

6) Behaviour beats posters: training, nudges and sanctions

Do this:

  • Run short, role-based refreshers using the workflows your teams actually use.
  • Add in-tool nudges: “This export contains personal data. Do you need names?”
  • Publish and apply a proportionate sanctions policy for misuse.

Outcome: People make better choices at the point of risk, and expectations are unambiguous.

7) Drill it: a 60-minute insider-incident playbook

Do this:

  • Write a one-page runbook. Simulate it quarterly.
  • Define who freezes access, who gathers evidence, who communicates to customers, and who speaks to the ICO.

Outcome: Response is coordinated and timely, with decisions recorded and defensible. Use the ICO’s security guidance hub to shape your thresholds and evidence checklist.

Why this matters: real-world expectations

Enforcement keeps landing where staff accessed records without a valid reason. Recent prosecutions include healthcare workers fined for snooping in patient records, underlining the need for access controls and audit trails. Example: ICO case report, Former NHS secretary found guilty of illegally accessing medical records.

For technical mitigations that specifically target insider misuse and data exfiltration, the National Cyber Security Centre (NCSC) provides concrete advice you can layer on top of policy and training: Reducing data exfiltration by malicious insiders.

The 60-minute plan when insider misuse is suspected

  1. Contain: Freeze the account, revoke tokens, stop syncs.
  2. Preserve evidence: Snapshot logs and systems before making changes.
  3. Scope: Identify what data, which data subjects, the lawful basis and intended purpose.
  4. Assess risk and notify if required: Inform affected individuals and the ICO based on risk to rights and freedoms, following the ICO’s thresholds and timelines.
  5. Document: Record decisions, timestamps, and people involved in your breach register.
  6. Remediate: Fix process gaps; update DLP rules and training.
  7. Follow-up: Close similar access gaps across roles and vendors; verify offboarding is watertight.

What to do this month: a 30-day insider risk checklist

  • Access reviews on all high-risk systems
  • JML automation turned on for HRIS and your Identity Provider (IdP)
  • Export and bulk-view logging with alerts
  • DLP pilot on email and cloud storage
  • Processor addendum with breach information schedule
  • Role-based refreshers booked
  • One tabletop drill with your leadership team
  • Validate your approach against the NCSC insider-exfiltration guidance

If you outsource checks or verification, you still carry the risk. Read our guide: Age verification and the UK GDPR in 2025: a plain-English SME guide.

Other things you can do:

  • Get cover: Our Outsourced DPO service keeps these controls live, not just on a slide
  • Talk to us: email us hello@athlex.co.uk to find out how we can help you