At its core, the Act updates parts of the UK GDPR, the Data Protection Act 2018, and the framework for digital identity and Smart Data programmes. Taken together, these reforms are designed to support innovation (smoother onboarding, better access to services, or the ability to switch providers more easily) while still keeping strong safeguards for individuals and their personal information. For small organisations that often struggle with time and administrative burden, the latest changes include several improvements that should make compliance more practical and predictable.
One of the most welcome developments for SMEs is the clarification of how to handle Subject Access Requests (SARs). These requests, where an individual asks to see the personal data a business holds on them, are increasingly common, and can be disruptive if interpreted too broadly. The new rules confirm that organisations only need to carry out “reasonable and proportionate” searches, rather than exhaustive investigations across every system ever used. If a requester gives vague or extremely broad instructions, you can pause the deadline (“stop the clock”) while you ask for clarification.
This doesn’t reduce people’s rights, but it does put the process on a more practical footing. For small firms that might have a few legacy systems, staff email accounts or old spreadsheets still lingering in the background, the clarification should mean fewer unnecessary deep dives and a more balanced expectation on both sides.
Another important set of changes relates to automated decision making (ADM), for example, systems that accept or decline applications automatically. The February 2026 commencement brings in a new framework that is more flexible than the previous, tightly restricted rules, but still requires organisations to be transparent and fair. A business must tell someone when an automated system has made a significant decision about them, allow the person to respond to or challenge the outcome, and provide a route to a human review if requested. Some SMEs already use automated tools in onboarding, verification or credit checking. These reforms don’t prevent those tools from being used; they simply make the process clearer, both for organisations and for the people affected. It is essentially a shift towards greater clarity rather than greater complexity.
A new lawful basis, “recognised legitimate interests”, now applies for a short list of activities that Parliament has accepted as inherently justifiable. This doesn’t throw the doors open for unfettered data use, but it does mean that certain important functions, such as safeguarding or public security, don’t require a business to run a full legitimate interest balancing test every time. For most SMEs, this is not a game-changer, but it does ease the legal analysis for organisations that occasionally need to rely on these specific purposes.
For companies transferring data abroad, even something as simple as storing information with an overseas cloud provider, a simplified test for international transfers aims to reduce the legal complexity while maintaining protections.
The Information Commissioner’s Office (ICO) now has strengthened powers, including the ability to require reports, issue interview notices, and exercise broader enforcement rights. For small businesses, this doesn’t mean more aggressive regulation; rather, it highlights the importance of having your processes clear, documented and proportionate, especially around SARs, automated decisions and the use of cookies and tracking tools.
The next date to watch is 19 June 2026, when the new statutory complaints handling obligations come into force. This will formalise the expectation that organisations must have a clear, accessible process for people wishing to raise concerns about how their data is handled. For many SMEs, this may simply mean documenting the informal approach they already take, but ensuring it is visible, consistent and recorded.
If there is one theme running through the reforms, it is clarity. The law tries to bring rules closer to real-world practice, acknowledging that SMEs don’t have armies of compliance staff and that processes need to be workable, not theoretical. The February changes in particular help businesses avoid unnecessary administrative burden while still respecting people’s rights. For example, the clarified SAR rules should reduce the “fishing expedition” requests that take disproportionate time to deal with, while the ADM framework allows continued use of digital tools without uncertainty.
A short practical checklist
- Review how your business handles Subject Access Requests and document what “reasonable and proportionate” searches look like for your systems.
- Make sure any automated decisions include clear notices and a route to human review.
- Update privacy notices if you plan to rely on recognised legitimate interests.
- Add the 19 June 2026 complaints-handling requirement to your internal process notes.
- Keep an eye on FSB and ICO updates as the new powers bed in.
Remember that there is plenty of guidance and useful precedent on the topic of data protection on the FSB Legal and Business Hub. In addition, you can access our new step-by-step guide as well as assess your business’s compliance with data protection law via our health-check.