The Data (Use and Access) Act 2025 (DUAA), which took effect in February 2026, introduced major updates to UK data protection, aiming to make compliance more practical for organisations whilst still maintaining strong safeguards for individuals.
Data protection remains a key responsibility for businesses across the UK. With ongoing updates and refinements to legislation, it’s important to understand what’s changed and how these changes could affect your day-to-day operations.
A Shift Towards Practical Compliance
Recent UK data protection updates have focused on simplifying certain requirements, particularly for small and medium-sized businesses. While the foundations of UK GDPR still apply, there’s been a move towards reducing unnecessary administrative burden.
This means businesses may have more flexibility in how they demonstrate compliance, rather than following rigid processes. However, this doesn’t reduce responsibility. Organisations are still expected to handle personal data lawfully, transparently and securely.
For many businesses, this is an opportunity to review existing policies and ensure they’re both effective and proportionate.
Accountability Still Matters
Even with some simplification, accountability remains a core principle. Businesses must still be able to show how they collect, store and process personal data.
This includes maintaining clear records, understanding what data is held and ensuring it’s only used for legitimate purposes. Regular reviews of data handling processes can help identify gaps and reduce risk.
At Edmondson's, IT systems can be structured to support this, with secure storage, access controls and monitoring in place to keep data organised and protected.
Stronger Focus on Data Security
Cybersecurity continues to play a major role in data protection. With threats becoming more sophisticated, regulators expect businesses to take appropriate technical measures to safeguard information.
This includes using secure networks, keeping systems updated and implementing protections such as firewalls, encryption and multi-factor authentication. Staff awareness is also critical, as human error remains one of the most common causes of data breaches.
A proactive approach to IT support helps ensure these measures are maintained over time, rather than treated as a one-off task.
Managing Third-Party Risk
Many businesses rely on external providers for services such as cloud storage, payroll or customer management systems. Recent updates highlight the importance of understanding how these third parties handle data.
Businesses are still responsible for ensuring that any partner they work with meets the required standards. This means reviewing contracts, checking security measures and confirming that data is processed in line with UK regulations.
Working with trusted providers and maintaining clear agreements can help reduce potential risks.
Data Subject Rights Remain Key
Individuals continue to have strong rights over their personal data. This includes the right to access information, request corrections and, in some cases, ask for data to be deleted.
Businesses must have processes in place to respond to these requests within the required timeframes. Failing to do so can lead to complaints or penalties.
Clear internal procedures and well-organised data systems make it much easier to manage these requests efficiently.
What This Means for Your Business
For most organisations, the latest updates won’t require a complete overhaul of existing practices. Instead, they offer a chance to refine how data protection is managed.
Key areas to focus on include reviewing policies, strengthening security measures and ensuring staff understand their responsibilities. Even small improvements can make a significant difference in reducing risk.
At Edmondson's, businesses are supported with tailored IT solutions that align with current regulations. From secure infrastructure to ongoing monitoring and support, the aim is to make compliance straightforward and manageable.





