Data changes for SMEs to know

  • Author: Annie May Byrne-Noonan


As SME owners, staying abreast of key data changes means your business can operate better and avoid costly fines.

These are the data changes for you to know about this year, and they centre around a new law.

Data changes for SMEs to know about – a new law

The Data (Use and Access) Act 2025 is now UK law and changes the country’s data protection rules. It aims to make digital innovation and compliance easier for businesses while keeping privacy standards high.

Recognised legitimate interests

The introduction of recognised legitimate interests affects personal data processing.

Now, types of data processing which serve the public interest, including national security, preventing crime, emergency responses and safeguarding vulnerable people, are automatically permitted, and you won’t need to conduct a balancing test to assess business benefits versus individual rights.

However, if you’re not processing data for the above reasons, you will still need to conduct a Legitimate Interests Assessment (LIA) to ensure you aren’t harming individual rights.

Personal data

Before, you could only use personal data for the specific purpose it was originally collected for.

Under the new law, there’s a list of automatically compatible purposes, including crime prevention, emergencies, safeguarding vulnerable people, tax collection and scientific or historical research.

So, using personal data for the above reasons means you don’t need to do a separate compatibility assessment or seek additional permission.

Subject Access Requests

Rules on Subject Access Requests (SARs) have been simplified. Individuals can still request that your business reveal the personal data you hold about them, and you must make a genuine effort to locate that data; however, the search time doesn’t have to be excessive.

While the one-month timeframe for responding to requests remains in place, your business can now stop the clock if you need more information to verify the requester’s identity.

International data transfers

For international data transfers, the recipient country now needs to have adequate data protection standards rather than the same standards as the UK’s, which was the rule before. So, there’s now greater flexibility for businesses operating internationally.

Automated decisions

Business decisions can now be fully automated without the need for human involvement if they are minor, like customer service tasks. For anything more serious, individuals must be made aware that the decision was automated and can challenge it and request human involvement.

Data protection complaints

Businesses must now have an internal system for handling data protection complaints. Processes must be formalised, with a 30-day window for you to handle them.

Cookies updates

Explicit user consent is not needed for cookies used for security, functionality or website analytics. However, users must be informed and given an opt-out option.

Soft opt-ins for non-commercial firms

In direct marketing, the soft opt-in rule, which lets you send marketing emails to people without their direct consent, has been extended to non-commercial businesses like charities. Now, you can market to users who have recently engaged with you as long as there’s an opt-out option.

PECR fines increased

PECR (Privacy and Electronic Communications Regulations) fines for breaches, including for electronic marketing practices like emails and website cookies, have increased.

Now, the maximum penalty is up to £17.5 million, meaning compliance is even more important.

As most businesses operate digitally today, you must know about data changes to be compliant, but also to make your customers feel safer, happier and more trusting of your business.
