More provisions from the Data (Use and Access) Act 2025 (DUAA) have gone live, which means a few more things to think about. But here’s the thing: good data practices aren’t just about compliance. Data protection sounds dry and technical, but it’s at the heart of how you build trust with your clients.
Let’s have a look at what this actually means for you.
Privacy notices: Where to start 🤔
DUAA 2025 clarifies the lawful grounds for processing personal data, including the introduction of "Recognised Legitimate Interests." For example, if you're sending a newsletter to your customers, the new category could allow this, as it benefits your business and the recipient has a reasonable expectation of receiving it.
If your privacy notice hasn’t been looked at in a while, now’s a good time to dust it off.
Does it clearly explain how and why you handle personal information? Would your clients actually understand it?
Here’s what to focus on:
- Make your privacy notices clear and accessible. They should reflect what you actually do: if you used a template, or your business has added systems and updated processes since the notice was written, it will need a refresh to match what happens in practice.
- Document your lawful basis for every processing activity. Write down why you’re handling personal data, whether it’s consent, contract, legal obligation, or legitimate interest.
- Be transparent. Your clients want to know their data is being taken care of. A clear privacy notice is one of the simplest ways to show you mean it.
Automated decision-making: keep a human in the loop 🤝
Using AI to make decisions? You’re not alone. But DUAA 2025 now requires you to inform people when a decision is made by an automated system and to provide a way to request human oversight.
What this looks like in practice:
- Let people know when AI has made a decision.
- Give them a way to challenge it or ask for a human review.
- Make sure someone on your team is responsible for overseeing these processes and checking they’re fair.
Human oversight isn’t just a compliance tick. It’s how you avoid unfair outcomes for your clients.
DSARs: getting the balance right ⚖️
Data Subject Access Requests (DSARs) are part of GDPR and DUAA compliance. The good news? The latest updates introduce a “reasonable and proportionate” search requirement, which should make things a bit easier for small businesses.
A few things to check:
- Is your DSAR policy up to date? Does your team actually know how to follow it?
- Have you trained your staff to respond to DSARs efficiently and respectfully?
- Are you balancing people’s rights with what’s realistic for your business? You don’t need to turn the place upside down, but you do need to take it seriously.
When you update your privacy notices, build in human oversight, and get your DSAR processes sorted, you’re not just meeting legal requirements. You’re reinforcing the trust your clients already have in you. And that matters.
If this feels like a lot, we can help. We work with small businesses to review, refresh and even create documentation that makes sense for you and your clients. Book a discovery call and let's have a chat about your business needs. Let’s make compliance something you feel confident about, not something that keeps you up at night.