Episode 61 - UK Data Protection Changes

Did someone forward this to you? If so, click to subscribe

📰 Top Story: Changes to UK Data Protection Law by Joe Gaunt

I recognise that data protection isn’t the sexiest subject for most people. 

Organisations are focused on making money and often view data protection as a hindrance. 

The sticking point with data protection compliance is that it leads to hefty fines, but the more important aspect is that it builds trust with customers. 

But there are several benefits to this new regulation organisations should realise to get the maximum use out of their data. 

This isn’t GDPR all over again; it is an evolution of UK privacy regulations that should help organisations do more with data. 

What has changed 

The Data Use and Access Act (DUAA) became law on June 19th 2025. 

The act has made some significant changes:

1. Adapts existing cookie laws 

2. Changes the rules around consent 

3. Alter the subject access request rules  

Cookies  

Cookie consent isn’t going away, but you no longer have to obtain permission for statistical cookies (i.e., tracking how many people visit your site) or those related to the user's personal preferences (i.e., what language or device they are using to access the site).

You still need to provide a mechanism for users to opt out of these cookies, but you are no longer required to obtain consent upfront. 

This should help you measure activity on your site compliantly and provide users with the best possible experience. 

Legitimate Interest for Direct Marketing 

Opt-in or opt-out? A question I've handled repeatedly. 

This new Act confirms that Direct Marketing can be done on an opt-out basis. 

You still need consent for sending emails, SMS, or telephone marketing unless you are benefiting from the ‘soft opt-in’ loophole. 

Subject Access Requests (SAR)

Have you ever had a problematic customer or former employee who requests all their data, regardless of where it is stored?

Over the years, I have reviewed thousands of documents, emails, and text messages to comply with someone requesting all of their data. 

Under new regulations, organisations only have to conduct a ‘reasonable search’ for data. 

Responding to SARs in a month can be challenging. 

Now you can legally stop the clock if you need more information from the requester. 

Final thoughts

This is a brief snapshot of the changes to the UK law. 

At its core, data protection is about protecting individuals from harm.  

Harm can come in different ways, but harm reduction is built on being transparent and giving people choice and control over how their data is used.

For help with privacy and data protection compliance, visit my website, connect on LinkedIn or email [email protected]  

Or if you want to dive deeper into the new regs, check out my blog on the subject.  

Cheers,

Joe

Quick word from Tom: Thank you to Joe for penning episode 61!  Data protection is critical to effective (and legal) CRM Marketing, and compliance is essential to building relationships with customers. The new law introduces several significant changes that represent an improvement over the previous position for brands. 

Until next week, 

Tom 

Do you need help with Customer Retention?

When you are ready, contact me to discuss consulting, my fast-track retention accelerator, courses, and training. Or if you are interested in sponsoring this newsletter, get in touch via [email protected]