Navigating the Data (Use and Access) Act 2025: What UK Charities and SMEs Need to Know


As digital transformation accelerates across the charity and SME sectors, the UK’s new Data (Use and Access) Act 2025 introduces pivotal changes to data protection law that organisations must understand to remain compliant and build trust.

 

Why This Matters

Charities and SMEs often handle sensitive personal data, from donor details to service user records, yet many operate with limited resources. The 2025 Act aims to simplify compliance while maintaining protections, offering both opportunities and new responsibilities for smaller organisations.

 

Key Changes Affecting Charities and SMEs

Recognised Legitimate Interests

Organisations can now process personal data for a set of listed purposes, including safeguarding vulnerable individuals, preventing or detecting crime and responding to emergencies, under a "recognised legitimate interest" without carrying out the full legitimate interests balancing test. The processing must still be necessary for that purpose, and the other UK GDPR obligations (transparency, data minimisation, security) are unchanged.

Soft Opt-In for Marketing

Charities can now rely on the soft opt-in for electronic marketing to supporters, provided that the contact details were collected after the provision comes into force, in the course of the individual expressing interest in or support for the charity; that the marketing furthers the charity's purposes only; and that supporters are given a clear and simple way to opt out, both when their details are collected and in every message sent.

Proportional Data Access Requests

Controllers, including SMEs and charities, are only required to carry out a "reasonable and proportionate" search for the requester's personal data when responding to a data subject access request, which eases the administrative burden of wide-ranging requests.

Automated Decision-Making

The Act relaxes the restrictions on solely automated decision-making, so decisions with legal or similarly significant effects can be made on a wider range of lawful bases, provided safeguards are in place: the individual must be told a decision was automated, be able to make representations and contest it, and be able to obtain human intervention. The stricter rules still apply where special category data is involved. This gives resource-limited organisations using digital tools more flexibility, but not a free pass.

Complaints Handling Reform

Organisations must now facilitate data protection complaints from individuals, for example by providing a complaint form, acknowledge each complaint within 30 days and respond without undue delay. The Information Commission (the restructured ICO) can decline to act on a complaint that has not first been raised with the organisation concerned.

 

Practical Steps for Compliance

Update Privacy Notices

Revise them to reflect any new lawful bases you rely on (for example a recognised legitimate interest) and your marketing practices under the soft opt-in.

Review Data Collection Forms

Make sure every form that collects contact details for marketing presents a clear and simple opt-out, so the soft opt-in conditions are met from the point of collection onwards.

Train Staff

Ensure staff can recognise access requests and complaints, know what a reasonable and proportionate search involves, and follow the acknowledgement and response timescales under the new rules.

Audit Automated Systems

Identify any solely automated decisions with legal or similarly significant effects and confirm that the required safeguards are in place: individuals are told a decision was automated, can make representations and contest it, and can obtain human review.

 

Frequently Asked Questions

 

Q: Can my charity now send fundraising emails without prior consent?

Yes, provided the supporter gave you their contact details while expressing interest in or support for your charity, the emails further your charitable purposes, and every message carries a clear opt-out. Supporters who did not previously engage with you still need to give consent.

 

Q: What does “reasonable and proportionate” mean for access requests?

You are not expected to search every system exhaustively, only those reasonably likely to hold the requester's data, and the effort you spend should be proportionate to the scope of the request.

 

Q: Does this affect GDPR compliance?

The Act amends the UK GDPR and the Data Protection Act 2018 rather than replacing them, so your existing GDPR compliance framework still applies, with UK-specific flexibilities added. The EU's adequacy decisions for the UK, which allow personal data to flow from the EU without additional safeguards, remain under review in light of the Act.

 

Q: What if we don’t have a complaints process?

You must implement one. The Act expects organisations to facilitate complaints, acknowledge them within 30 days and respond without undue delay, and the regulator can refer complainants back to you if they have not raised the issue with you first.

 

If you would like to learn more about how GRC Hub can support your Data Protection and Cybersecurity programme with our specialist GRC, GDPR and Cybersecurity support services, please contact us at hello@grc-hub.co.uk or by phone on 0113 532 7830.


Governance Risk & Compliance Hub LIMITED