If you run a small or medium-sized business, data protection probably sits somewhere near the bottom of your to-do list, somewhere between updating the website and fixing the printer. But right now, there are some very good reasons to move it a little higher up.
The rules have changed. Not dramatically, not overnight, but enough that if you haven’t looked at your data practices recently, there’s a real chance you’re already behind.
What’s Changed?
The Data (Use and Access) Act 2025 came into force earlier this year. Most of its key provisions are now live. The law doesn’t tear up the UK GDPR rulebook, but it does update it in ways that matter for day-to-day business.
The headline changes include:
- A new ‘recognised legitimate interests’ basis, which can reduce the paperwork involved in justifying certain types of data processing. This is a genuine help for smaller organisations.
- Clearer rules on Subject Access Requests (SARs), including the ability to pause the clock when you need more information to respond properly.
- Relaxed rules on automated decision-making, provided appropriate safeguards are in place.
- Bigger fines for cookie and electronic marketing breaches, now up to £17.5 million or 4% of global turnover.
The Deadline You Can’t Miss: June 2026
Here’s the one to put in your diary. By 19 June 2026, every organisation that handles personal data must have a formal complaints process in place.
This means:
- A clear way for individuals to raise a data protection concern with you directly.
- An obligation to acknowledge complaints within 30 days.
- A requirement to communicate the outcome of your investigation.
Under the new rules, people must come to you first before they can escalate to the ICO. That’s actually good news, but only if you’re ready to handle it.
“If someone has a concern about how you’ve handled their data, you now get the first opportunity to put it right. That’s a real chance to protect your reputation, but you need a process in place to do it.”
Why This Matters More Than You Might Think
The ICO recently issued its largest ever fine, £14 million to Capita, following a cyber breach affecting millions of people. While that scale of fine is aimed at larger organisations, the underlying failures (poor security practices, slow incident response) are just as common in smaller businesses.
The ICO has also signalled it’s stepping up enforcement on cookie compliance, with increased fines now matching UK GDPR levels. If your website uses a cookie banner, or should but doesn’t, this is worth reviewing.
Three Things to Do This Month
- Check your privacy notice and records of processing. Ask yourself: do they reflect how you actually use data today?
- Start building your complaints handling process ahead of the June 2026 deadline.
- Review your website’s cookie banner and marketing consent practices.
Need a hand getting your house in order?
Data protection doesn’t have to be complicated, but it does need to be done properly. We work with SMEs to make compliance straightforward, practical, and proportionate to the size of your business.
Get in touch for a no-obligation conversation about where your business stands.