Navigating New GDPR Compliance Requirements and DUAA Law

What UK Small Businesses Need to Know About the new Digital Use and Access Act 2025 (DUAA) and AI

With the Data (Use and Access) Act 2025 (DUAA) receiving Royal Assent in June, UK businesses face a new era of data protection regulation. And small and medium-sized enterprises SMEs need to know the changes.

DUAA refines existing laws, such as the UK GDPR, the Data Protection Act 2018, and PECR. But far from overhauling everything, it aims to give organisations more clarity, while retaining strong safeguards. The Information Commissioner’s Office will implement the changes over the next 12 months.

Small business owners must consider the practical implications of these changes, particularly in light of the impact of AI and automation. Businesses can start taking steps now to stay compliant and confident.

New GDPR Compliance Requirements SMEs Need to Understand

Here are the most business-relevant updates from the DUAA 2025:

  1. Automated Decision-Making Gets the Green Light

Businesses can now use specific automated tools (like chatbots, loan eligibility AI, or auto-generated emails) without needing human sign-off at every turn.

  1. GDPR Cookie Policy Relaxed

For specific cookies used for service improvement, explicit consent may no longer be required.

  1. New Lawful Basis for Personal Information Protection

You may now process personal data based on a new “recognised legitimate interest.”

  1. Mandatory Data Protection Complaints Procedure

You’ll need a transparent and accessible way for customers to raise concerns about how their data is handled.

As Emma Shepherd, Founder of The AI Advantage Academy, explains:

“The DUAA opens the door to responsible AI adoption. If you’re using tools like ChatGPT, Copilot, or any form of customer-facing AI, now’s the time to review your use cases and make sure they align with the updated law.”

GDPR Update Action Plan for Small Businesses

  1. Review your current data policies – especially your cookie banners and AI tools.
  2. Create or refine a complaints procedure – related to data use.
  3. Train your team – basic awareness now prevents issues later.
  4. Map your business processes and identify where data is processed – make sure it’s documented.

Enrol in the Mini MBA in AI for Business

This September, join our Mini MBA in AI. This 10-week course guides learners through the eight critical pillars of AI integration, including the role of data and business process mapping.

Find out more here aiadvantageacademy.co.uk

To stay updated on the ICO’s rollout of new laws, subscribe to their newsletter here.

Scroll to Top