Blog, General - April 10, 2026
GDPR Compliance – Changes and Trends

We recently caught up with Paul Strout, Managing Director of GDPR Assist, to get his take on what the Data (Use & Access) Act 2025 means for businesses. In this guest blog, he breaks down the key changes to UK GDPR and what your organisation should be doing now to stay on top of its compliance obligations.

May 25th will be the 8th anniversary of the implementation of GDPR across the EU, which at the time also included the UK. Following the UK’s exit from the EU, GDPR was retained in a modified, UK-specific form as UK GDPR, and last year saw the first significant set of changes to UK GDPR, the Data Protection Act 2018 and PECR (the Privacy and Electronic Communications Regulations) with the passing of the Data (Use & Access) Act 2025 (“DUAA”).

The majority of the modifications within the DUAA are relatively modest; however, there are a few aspects worth considering to ensure that you are on top of your compliance obligations:


Subject Access Requests (SARs)

People are entitled to ask your organisation for a copy of the personal data you process about them, together with details of how you process it. Such Subject Access Requests are usually managed by collating the data you hold, redacting those elements which don’t relate to the individual or to which specific exemptions apply, adding copies of the applicable Privacy Notices and then supplying the bundle to the individual.

Amongst our client base, SARs were relatively infrequent, but they always caused significant organisational stress and usually resulted in further correspondence from the individual claiming that the range of data supplied was not complete. We have now seen a significant upturn in the volume of SARs, especially from individuals using AI (LLMs) to generate somewhat intimidating-looking demands.

The DUAA includes some helpful changes to the degree of searching that organisations are obliged to undertake: this is now restricted to a “reasonable and proportionate” search of company records rather than a presumption that all personal data must be provided (which would require a much more exhaustive search). In addition, if you ask the individual to clarify the scope or range of data they require, you can pause the clock until they respond (you normally have 1 month from validating the initial request, plus an extra 2 months if the request is complex or you are dealing with a large number of them).

Top tips: understand what exemptions might apply (not all personal data need be disclosed), understand your timeframe, redact other people’s data effectively so that the requester cannot recover it from the bundle, and send the bundle securely (password protected, ideally via encrypted email). The ICO website has some really helpful guidance on managing SARs.


Data Protection Complaints

The DUAA introduced some organisational obligations regarding the management of data protection complaints. Whilst individuals do have the right to lodge a complaint with the regulator, the ICO, they will be advised to attempt to resolve the matter directly with the organisation before the ICO accepts the complaint.

Hence organisations must now have a viable policy for managing any such complaints they receive from individuals, acknowledge receipt within 30 days, respond and resolve within a reasonable time, and maintain a log of all complaints received (copies of which may be requested by the ICO).

Top tips: draft a policy for managing complaints, create a log, and update your Privacy Notices to include details of the complaints process and timescales. Again, the ICO has some helpful advice online.


Enforcement

The regulator continues to issue financial penalties for breaches of UK GDPR. Historically these have been rather infrequent and, compared to similar European regulators, the ICO has been somewhat reluctant to use this power in all but the most egregious cases. The last year has seen an upturn in the frequency of fines being issued, but it remains to be seen whether the ICO is now more committed to monetary penalties as an enforcement tool.

However, the ICO has always been, and continues to be, much more proactive in issuing fines for breaches of PECR, usually relating to unlawful digital direct marketing or cold calling. Fines for PECR infringements were previously capped at £500k, but the DUAA has aligned the maximum penalty with UK GDPR: 4% of revenue or £17.5M, whichever is higher. The ICO has been particularly focused on taking action against organisations whose marketing activities it views as somewhat predatory and exploitative; nevertheless, the risks of PECR breaches are real for all organisations and the stakes are now significantly higher.

Top tips: revisit your direct marketing workflows, understand where consent is required, and do NOT rely on vendors saying they supply “GDPR compliant data” (there’s no such thing). Again, there’s helpful support on the ICO site.

If you would like any help with data protection compliance then please contact me at paul@gdprassist.co.uk.
