UK Data Protection Rules Just Changed. What SMEs Actually Need to Know

On 5 February 2026, most of the UK’s long-awaited data protection reforms finally came into force under the Data (Use and Access) Act 2025. For many small and medium-sized organisations, this passed almost unnoticed.

That would be a mistake.

These changes quietly reshape how SMEs can use data, deploy automation and AI, respond to complaints, and deal with the ICO. Some areas are more flexible than before. Others raise expectations, particularly around governance and accountability.

This is not about panic or wholesale compliance overhauls. It is about understanding what has genuinely changed, and where inaction now carries more risk than it did six months ago.


A quick snapshot of what changed in February 2026

From 5 February 2026, most of the data protection and privacy reforms in Part 5 of the Act are live. A smaller number of provisions, including a new statutory complaints procedure, will follow in June 2026.

In short:

  • Some data uses are now easier to justify
  • Automated decision-making is more openly permitted, but more tightly governed
  • Organisations have clearer grounds to refuse abusive data requests
  • Children’s data protection expectations have increased
  • The ICO has stronger investigatory powers

Each of these matters more to SMEs than it might first appear.


Lawful bases and recognised legitimate interests

One of the most talked-about changes is the introduction of recognised legitimate interests as a new lawful basis under UK GDPR.

What this means in practice

Certain clearly defined activities, such as safeguarding, crime prevention, and some public-interest disclosures, no longer require a formal Legitimate Interests Assessment. The balancing test is effectively pre-approved by law.

For SMEs, this reduces paperwork in specific scenarios, but it does not remove the need for care.

Why SMEs should not over-simplify this

Many smaller organisations already lean heavily on “legitimate interests” without much structure. This change does not turn legitimate interests into a catch-all justification.

If anything, it increases the expectation that you:

  • Know why you are using data
  • Can point to the correct lawful basis
  • Can explain that choice clearly if asked

This is about precision, not freedom to be vague.


Automated decision-making and AI tools

This is the most important change for modern SMEs, and the one most likely to be misunderstood.

The old prohibition on “solely automated decision-making” has been replaced with a broader, more permissive framework. Automated decisions are allowed, provided there is a lawful basis and appropriate safeguards.

Why this matters for SMEs specifically

Many SMEs already use automation without thinking of it as automated decision-making, for example:

  • CRM systems that score or prioritise leads
  • AI tools that screen CVs or recommend candidates
  • Automated pricing, eligibility, or credit checks
  • AI systems that generate recommendations which staff usually follow

Under the new framework, these uses are not banned. But they must be understood and governed.

What the law now expects

Individuals have clearer rights to:

  • Meaningful human review of significant decisions
  • Express their point of view
  • Challenge outcomes that affect them

For SMEs, this does not require complex AI ethics frameworks. It does require awareness. If a system influences decisions about people, you should know where that influence comes from and how it can be questioned.


Subject access requests and “vexatious” claims

SMEs have long struggled with subject access requests that are clearly abusive, excessive, or designed to cause disruption.

The updated rules clarify when organisations can:

  • Refuse to respond
  • Charge a reasonable fee
  • Limit the scope of a response

The opportunity and the risk

This change helps SMEs, but only if handled carefully.

You still need to justify why a request is excessive or vexatious. A refusal without reasoning simply creates a new problem. The bar is clearer, not lower.


Children’s data and online services

Another area SMEs often underestimate is children’s data.

If your product, service, or online content is likely to be accessed by under-18s, you are now expected to explicitly account for children’s higher protection needs in your design and default settings.

This is broader than many expect

This is not limited to schools, edtech, or social media platforms. It can affect:

  • Apps
  • Websites
  • Digital services
  • Community platforms
  • Marketing tools

The focus is not just on consent, but on design choices, defaults, and how risks are mitigated for younger users.


Stronger ICO powers and what they mean for SMEs

One of the least discussed changes is the expansion of the ICO’s investigatory powers.

The ICO can now:

  • Compel individuals to attend interviews
  • Require organisations to commission independent technical reports at their own expense

Why this matters more than fines

For SMEs, the biggest cost of enforcement is often not the penalty. It is time, disruption, and management attention.

These powers increase the operational impact of investigations, even where no fine is ultimately issued. This raises the importance of basic governance and documentation.


What is still coming in June 2026

One significant obligation has not yet started.

From 19 June 2026, organisations will be required to have a formal data protection complaints procedure in place.

This will affect how SMEs:

  • Handle concerns before they escalate
  • Document complaints and outcomes
  • Demonstrate accountability to the ICO

This is not optional, and it is worth preparing for now rather than reacting later.


What SME owners and workers should do next

This is not a call for a full compliance overhaul. Most SMEs will not need one.

What is sensible, though, is to:

  • Review where automation or AI influences decisions about people
  • Update privacy notices to reflect current lawful bases
  • Make sure staff understand how to escalate data protection issues
  • Prepare for the June complaints procedure requirement
  • Brief senior leaders on the ICO’s expanded powers

Small, deliberate steps now reduce both risk and disruption later.


Final thought

The UK’s data protection reforms do not radically change the direction of travel. They do, however, quietly raise expectations.

For SMEs, the message is simple. You have more flexibility in how you use data, but less tolerance for not understanding your own systems.

Those who treat this as a practical governance update will be fine. Those who ignore it because “we’re too small” are taking a bigger gamble than they realise.