{"id":30540,"date":"2026-06-25T10:41:04","date_gmt":"2026-06-25T09:41:04","guid":{"rendered":"https:\/\/www.sage.com\/en-gb\/blog\/?p=30540"},"modified":"2026-06-25T10:42:42","modified_gmt":"2026-06-25T09:42:42","slug":"data-use-and-access-act-2025-need-to-know","status":"publish","type":"post","link":"https:\/\/www.sage.com\/en-gb\/blog\/data-use-and-access-act-2025-need-to-know\/","title":{"rendered":"UK data protection changes in 2026: What businesses must do now"},"content":{"rendered":"<header class=\"entry-header has-dark-background-color entry-header--standard entry-header--has-illustration entry-header--has-illustration--standard\">\n\t<div class=\"container\">\n\t\t<div class=\"entry-header__row row align-center\">\n\t\t\t<div class=\"col col-lg-7 col-xlg-6 entry-header__content\">\n\t\t\t\t\t\t\t<div class=\"component component-single-header\">\n\t\t\t\t\t\t\t\t\t\t<div class=\"entry-header__misc text--subtitle text--uppercase text--small\">\n\t\t\t\t\t\t\t<a href=\"https:\/\/www.sage.com\/en-gb\/blog\/category\/strategy-legal-operations\/\" class=\"entry-header__link\">Strategy, Legal &amp; Operations<\/a>\t\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t<div class=\"entry-title-wrapper\">\n\t\t\t\t\t<h1 class=\"entry-title\">\n\t\t\t\t\t\tUK data protection changes in 2026: What businesses must do now\t\t\t\t\t<\/h1>\n\t\t\t\t<\/div>\n\n\t\t\t\t\t\t\t\t\t<p class=\"entry-header__description\">\n\t\t\t\t\t\tThanks to the DUAA, the UK&#8217;s data protection rules have undergone a post-Brexit and post-GDPR refresh, with big changes as of June 2026. 
Here&#8217;s your crash course.\t\t\t\t\t<\/p>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t<\/div>\n\n\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/div>\n\t\t<div class=\"single-post-details container\">\n\t\t<div class=\"col\">\n\t\t\t<span class=\"posted-on \">Published <time class=\"entry-date published\" datetime=\"2026-06-25T10:41:04+01:00\">25 June, 2026<\/time><\/span>\n\n\t\t\t\t<\/div>\n\t<\/div>\n\t<\/header>\n\n\n\n<div class=\"wp-block-post-author has-dark-background-color alignfull\">\n\t<div class=\"container\">\n\t\t<div class=\"col\">\n\t\t\t\t\t\t\t<div class=\"co-authors\">\n\t\t\t\t\t\n\t\t<div class=\"entry-author-wrapper\">\n\t\t\t<a class=\"entry-author\" href=\"https:\/\/www.sage.com\/en-gb\/blog\/author\/keirthomasbryant\/\">\n\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"40\" height=\"40\" src=\"https:\/\/www.sage.com\/en-gb\/blog\/wp-content\/uploads\/sites\/10\/2025\/06\/keir-short-hair-350x350.jpg\" class=\"entry-author__image\" alt=\"\" srcset=\"https:\/\/www.sage.com\/en-gb\/blog\/wp-content\/uploads\/sites\/10\/2025\/06\/keir-short-hair-350x350.jpg 350w, https:\/\/www.sage.com\/en-gb\/blog\/wp-content\/uploads\/sites\/10\/2025\/06\/keir-short-hair.jpg 760w\" sizes=\"auto, (max-width: 40px) 100vw, 40px\" \/>\t\t\t\t<span 
class=\"entry-author__name\">Keir Thomas-Bryant<\/span>\n\t\t\t<\/a>\n\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n<section id=\"key-takeaways\" class=\"wp-block-sage-key-takeaways\"><div class=\"sage-key-takeaways__inner\"><h2 class=\"wp-block-heading has-h-3-font-size\">Key Takeaways<\/h2>\n<ul class=\"wp-block-list\">\n<li>The Data (Use and Access) Act 2025 updates UK data protection law, but does <strong>not replace UK GDPR or the Privacy and Electronic Communications Regulations<\/strong>, known as PECR.<\/li>\n\n\n\n<li>For the majority of smaller businesses, practices for <strong>cookies<\/strong>, <strong>marketing<\/strong>, <strong>Subject Access Requests (SAR), and automated decision-making<\/strong> may need refreshing.<\/li>\n\n\n\n<li>Data-focused businesses and enterprises <strong>may require more significant work to understand the changes and remain compliant<\/strong>, if they haven&#8217;t already put this in place.<\/li>\n\n\n\n<li>Every organisation <strong>must have a route for people to make data protection complaints<\/strong>.<\/li>\n<\/ul>\n<\/div><\/section>\n\n\n<p>The Data (Use and Access) Act 2025, often shortened to DUAA, is the first major UK-specific reshaping of data protection since the introduction of the <a href=\"https:\/\/www.sage.com\/en-gb\/blog\/gdpr-12-important-things\/\" target=\"_blank\" rel=\"noreferrer noopener\">GDPR in 2018<\/a>, and Brexit in 2020.<\/p>\n\n\n\n<p>It amends the UK GDPR legislation, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations, known as PECR. It has been switched on in stages after becoming law in 2025, with June 2026 marking the final major phase of the core data protection changes.<\/p>\n\n\n\n<p>But don&#8217;t panic if this is the first time you&#8217;re hearing about it. This definitely isn&#8217;t GDPR all over again. 
<\/p>\n\n\n\n<p>For most businesses outside of enterprises, data-heavy industries, and specialist scientific operations, it&#8217;s more about focused policy-and-process review\u2014and some colleague education.<\/p>\n\n\n\n<p>Here&#8217;s what we discuss in this article, which is non-exhaustive and should not be considered a substitute for seeking legal advice specific to your business and situation:<\/p>\n\n\n<div class=\"wp-block-yoast-seo-table-of-contents yoast-table-of-contents\"><ul><li><a href=\"#h-what-s-changed-with-data-protection-for-businesses-as-of-2026\" data-level=\"2\">What&#8217;s changed with data protection for businesses as of 2026?<\/a><\/li><li><a href=\"#h-the-2-new-obligations-complaints-and-children-s-data\" data-level=\"2\">The 2 new obligations: Complaints, and children&rsquo;s data<\/a><ul><li><a href=\"#h-complaints-under-the-duaa\" data-level=\"3\">Complaints under the DUAA<\/a><\/li><li><a href=\"#h-children-must-be-taken-into-account-under-the-duaa\" data-level=\"3\">Children must be taken into account under the DUAA<\/a><\/li><\/ul><\/li><li><a href=\"#h-marketing-and-cookies-privacy-and-electronic-communications-regulations-pecr-changes-in-the-duaa\" data-level=\"2\">Marketing and cookies: Privacy and Electronic Communications Regulations (PECR) changes in the DUAA<\/a><\/li><li><a href=\"#h-subject-access-request-sar-changes-in-the-duaa\" data-level=\"2\">Subject Access Request (SAR) changes in the DUAA<\/a><\/li><li><a href=\"#h-other-changes-under-the-duaa\" data-level=\"2\">Other changes under the DUAA<\/a><\/li><li><a href=\"#h-the-ico-now-has-upgraded-enforcement-powers-and-penalties\" data-level=\"2\">The ICO now has upgraded enforcement powers and penalties<\/a><\/li><li><a href=\"#h-what-businesses-should-do-right-now-for-the-duaa\" data-level=\"2\">What businesses should do right now for the DUAA<\/a><\/li><li><a href=\"#h-frequently-asked-questions\" data-level=\"2\">Frequently asked 
questions<\/a><\/li><\/ul><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-s-changed-with-data-protection-for-businesses-as-of-2026\">What&#8217;s changed with data protection for businesses as of 2026?<\/h2>\n\n\n\n<p>For most small businesses, the DUAA means you still need to use personal information fairly, lawfully, and transparently. You still need to keep it secure. You still need to respond to people\u2019s rights. <\/p>\n\n\n\n<p>But you may need to update how you explain, document and manage those responsibilities.<\/p>\n\n\n\n<p>First, some brief history.<\/p>\n\n\n\n<p>The DUAA became law in June 2025 and had a staged rollout over the following 12 months.<\/p>\n\n\n\n<p>Some of its changes have made headline news because they affect UK individuals. <\/p>\n\n\n\n<p>For example, the digital identity measures came into effect on 1 December 2025. The deepfake intimate-image offence came in on 6 February 2026. <\/p>\n\n\n\n<p>But from a business perspective, the big compliance items came into effect as follows: <\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>5 February 2026<\/strong>: Clearer rules for using data in research, a new list of \u201crecognised legitimate interests\u201d that don\u2019t need a balancing test, more flexibility around automated decision-making, a lighter touch on certain cookies, and confirmation that subject access request searches only need to be \u201creasonable and proportionate.\u201d<\/li>\n\n\n\n<li><strong>19 June 2026<\/strong>: Mandatory data protection complaints handling.<\/li>\n\n\n\n<li><strong>23 June 2026<\/strong>: The updated data protection enforcement rules and aligned penalty scales are officially active.<\/li>\n<\/ul>\n\n\n\n<p>Let&#8217;s dig into all of this, beginning with the most important changes for the average smaller business.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-2-new-obligations-complaints-and-children-s-data\">The 2 new obligations: Complaints, and children\u2019s 
data<\/h2>\n\n\n\n<p>Two changes are genuinely new duties.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-complaints-under-the-duaa\">Complaints under the DUAA<\/h3>\n\n\n\n<p>First, you must now give people a clear way to complain to you directly about how you handle their personal data. <\/p>\n\n\n\n<p>Essentially, the law now expects organisations to provide a simpler route for people to raise data protection complaints directly with them before matters escalate to the Information Commissioner&#8217;s Office (ICO).<\/p>\n\n\n\n<p>The route could be, for example, an electronic complaints form or a monitored email address.<\/p>\n\n\n\n<p>What&#8217;s more, you have to acknowledge the complaint within 30 days and respond without undue delay, keeping a record of what you did.<\/p>\n\n\n\n<p>While there isn&#8217;t a hard legislative deadline for the final response, the ICO expects matters to be resolved promptly. Best-practice advice from experts and others closely involved in data protection is to aim to conclude within three months.<\/p>\n\n\n\n<p>The legislation says that complaints should be able to arrive by any channel and might not use the words \u201cdata protection,\u201d so frontline staff may need training to recognise them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-children-must-be-taken-into-account-under-the-duaa\">Children must be taken into account under the DUAA<\/h3>\n\n\n\n<p>The second obligation is that, if you run an online service likely to be used by children, you must explicitly take their needs into account when deciding how to use their data. 
<\/p>\n\n\n\n<p>If you already follow the ICO\u2019s <a href=\"https:\/\/ico.org.uk\/for-organisations\/uk-gdpr-guidance-and-resources\/childrens-information\/childrens-code-guidance-and-resources\/age-appropriate-design-a-code-of-practice-for-online-services\/\" target=\"_blank\" rel=\"noreferrer noopener\">Age appropriate design code<\/a>, you\u2019re largely there. If not, it&#8217;s the best place to start.<\/p>\n\n\n\n<p>The code is built around 15 flexible standards that set expectations rather than banning or prescribing specific practices, and its key practical points are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Settings must be &#8220;high privacy&#8221; by default, unless there&#8217;s a compelling reason not to.<\/li>\n\n\n\n<li>Only the minimum amount of personal data should be collected and retained.<\/li>\n\n\n\n<li>Children&#8217;s data should not usually be shared.<\/li>\n\n\n\n<li>Geolocation services should be switched off by default.<\/li>\n\n\n\n<li>&#8220;Nudge techniques&#8221; should not be used to encourage children to provide unnecessary personal data or to weaken or turn off their privacy settings.<\/li>\n<\/ul>\n\n\n\n<p>The code also addresses parental controls and profiling.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-marketing-and-cookies-privacy-and-electronic-communications-regulations-pecr-changes-in-the-duaa\">Marketing and cookies: <strong>Privacy and Electronic Communications Regulations<\/strong> (PECR) changes in the DUAA<\/h2>\n\n\n\n<p>There\u2019s helpful flexibility when it comes to PECR changes. 
<\/p>\n\n\n\n<p>Some lower-risk cookies, such as those used purely for website analytics or to remember a user\u2019s preferences, can now be set without consent\u2014provided you\u2019re transparent and offer an opt-out.<\/p>\n\n\n\n<p>This is an attempt to cut down on &#8220;cookie banner fatigue&#8221;, so that the user isn&#8217;t bothered quite as much with permission requests upon first visiting a site or other digital asset.<\/p>\n\n\n\n<p>Advertising and tracking cookies still need consent, though, so your banner should keep \u201creject\u201d as easy to find as \u201caccept\u201d if you&#8217;re using the likes of Google AdSense or Analytics.<\/p>\n\n\n\n<p>Charities gain a new \u201csoft opt-in,\u201d letting them email people who have supported or shown interest in their work, unless those people object. Commercial organisations have had this for some time, so this is simply aligning charities with other kinds of business. This is considered a good thing for them, allowing them to send direct marketing to existing supporters who have expressed interest in their causes, greatly simplifying fundraising outreach.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-subject-access-request-sar-changes-in-the-duaa\">Subject Access Request (SAR) changes in the DUAA<\/h2>\n\n\n\n<p>Handling Subject Access Requests (SARs) has become much more manageable for small businesses, thanks to two common-sense changes. <\/p>\n\n\n\n<p>First, the law officially codifies a &#8220;reasonable and proportionate&#8221; search standard. This legally confirms that you do not have to conduct an exhaustive, &#8220;leave no stone unturned&#8221; hunt through every backup server or deleted item for personal data. You just need to make a well-documented, reasonable effort. <\/p>\n\n\n\n<p>Second, the Act introduces a helpful &#8220;stop the clock&#8221; provision. 
If a request is vague, you can pause the standard one-month response deadline while you ask the individual for clarification, and the countdown only resumes once they provide the details you need. <\/p>\n\n\n\n<p>Combined with a brand-new statutory exemption for legal professional privilege (meaning you never have to accidentally hand over confidential correspondence between your business and its legal team), these updates protect small teams from being buried under weaponised SARs from activists, or overly burdensome admin traps.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-other-changes-under-the-duaa\">Other changes under the DUAA<\/h2>\n\n\n\n<p>The following changes might not affect all businesses but are worth reading through to check against what you do day-to-day:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Commercial research and development is officially &#8220;scientific research&#8221;<\/strong>: Under the old framework, there was a lingering misconception that &#8220;scientific research&#8221; only applied to universities or public health bodies. The DUAA clears this up by introducing a wide statutory definition: scientific research is any research that can reasonably be described as scientific, whether it is publicly or privately funded, and whether it is carried out as a commercial or non-commercial activity. What&#8217;s more, it introduces a broad consent concept, where you can ask individuals to consent to a generalised area of research, rather than many specifics.<\/li>\n\n\n\n<li><strong>Legitimate Interest Assessments (LIAs)<\/strong>: The DUAA introduces &#8220;recognised legitimate interests&#8221; for activities like crime prevention, safeguarding vulnerable individuals, or public emergencies. 
If you share data with authorities for these specific reasons, you no longer need to complete a complex balancing test document.<\/li>\n\n\n\n<li><strong>Automated Decision-Making (ADM) policies<\/strong>: Do you use algorithmic software or AI tools to make automatic, significant decisions about people without human intervention (such as automated CV screening for jobs or automated credit checks)? In the DUAA, the strict prohibition on ADM has been lifted for non-sensitive data, but you must still provide clear transparency and a meaningful path for the applicant to request a manual human review if they want to contest the result.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-ico-now-has-upgraded-enforcement-powers-and-penalties\">The ICO now has upgraded enforcement powers and penalties<\/h2>\n\n\n\n<p>The Information Commissioner\u2019s Office (ICO) now has stronger enforcement powers should it need them. This includes the ability to compel a witness to attend an interview (e.g. forcing an individual in a business to explain practices), and to require organisations to produce reports (at the expense of the business). <\/p>\n\n\n\n<p>There are some potential financial changes, too. ICO fines under PECR, which cover cookies and electronic marketing, now align with UK GDPR levels, reaching up to \u00a317.5 million or 4% of global turnover in the most serious cases. This is up from the old \u00a3500,000 cap.<\/p>\n\n\n\n<p>The practical takeaway is that marketing and cookie compliance now carries the same level of risk as the rest of your data handling. 
This may affect any business indemnity insurance for data protection.<\/p>\n\n\n\n<p>From the ICO&#8217;s perspective, this is all part of it transitioning into a new Information Commission-style structure with modernised enforcement capabilities.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-businesses-should-do-right-now-for-the-duaa\">What businesses should do right now for the DUAA<\/h2>\n\n\n\n<p>For most smaller organisations, a focused review of your existing data protection documentation and measures will likely be necessary, along with awareness sessions for colleagues. <\/p>\n\n\n\n<p>Here is a non-exhaustive list of areas to review and sense-check, and to cover when educating your wider team:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Privacy notices:<\/strong> Update the wording on your website privacy policy to clearly signpost how an individual can lodge a data protection complaint directly with you.<\/li>\n\n\n\n<li><strong>Complaints procedures:<\/strong> Document an internal process so that whoever monitors your customer service channels or generic email inboxes knows how to identify a data complaint, log it, and trigger the 30-day acknowledgement.<\/li>\n\n\n\n<li><strong>Subject Access Request (SAR) handling:<\/strong> Train your team on the updated &#8220;reasonable and proportionate&#8221; search standard.<\/li>\n\n\n\n<li><strong>Cookie practices:<\/strong> Audit your website&#8217;s cookie policies. If you are only using cookies for basic analytics and page functionality, you may be able to streamline or completely remove your cookie banner.<\/li>\n\n\n\n<li><strong>Legitimate Interest Assessments (LIAs):<\/strong> If you share data with authorities for a &#8220;recognised legitimate interest&#8221; such as crime prevention, safeguarding vulnerable individuals, or public emergencies, you no longer need to complete a complex balancing test document. 
Ensure this is documented and those handling LIAs know what to do.<\/li>\n\n\n\n<li><strong>Automated Decision-Making (ADM) policies:<\/strong> The strict prohibition on ADM has been lifted for non-sensitive data, but you must still provide clear transparency and a meaningful path for the applicant to request a manual human review if they want to contest the result. Ensure this is documented, and colleagues know what to do.<\/li>\n<\/ul>\n\n\n\n<p>If you feel you might need outside help, then get it. Don&#8217;t leave anything to chance or leave any area shrouded in ambiguity.<\/p>\n\n\n\n<p>But for many businesses, the above should genuinely complete the necessary work. Like we said earlier, the DUAA is not GDPR 2.0. <\/p>\n\n\n\n<p>If you\u2019re a more data-driven organisation, or a larger one, the changes might run deeper and you\u2019ll want specialist support\u2014though if that\u2019s you, the chances are you\u2019ve already got this completed or at least underway by the time you&#8217;re reading this article.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Final thoughts<\/h2>\n\n\n\n<p>The Data (Use and Access) Act is a sensible modernisation of rules you already follow. <\/p>\n\n\n\n<p>For most smaller businesses, the work is targeted: review a few key policies, set up a proper complaints route, and tidy up your cookie practices. <\/p>\n\n\n\n<p>Do that now, while the changes are fresh, and you can treat compliance as a quick tune-up rather than a scramble later. 
<\/p>\n\n\n\n<p>If in doubt, the <a href=\"https:\/\/ico.org.uk\/about-the-ico\/what-we-do\/legislation-we-cover\/data-use-and-access-act-2025\/\" target=\"_blank\" rel=\"noreferrer noopener\">ICO\u2019s guidance<\/a> is free, plain-English and a good place to sense-check what you\u2019ve done.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-frequently-asked-questions\">Frequently asked questions<\/h2>\n\n\n\n<div class=\"schema-faq wp-block-yoast-faq-block\"><div class=\"schema-faq-section\" id=\"faq-question-1782230446887\"><strong class=\"schema-faq-question\">Does the Data (Use and Access) Act 2025 replace UK GDPR?<\/strong> <p class=\"schema-faq-answer\">No. It amends UK GDPR, the Data Protection Act 2018, and PECR rather than replacing them. The core principles and most of your existing obligations stay the same. But you will need to review and possibly modify some areas of your business with regard to data usage\u2014from documentation, to colleague education.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1782230461405\"><strong class=\"schema-faq-question\">When did the data protection changes come into force?<\/strong> <p class=\"schema-faq-answer\">The main reforms took effect on 5 February 2026, and the new duty to handle data protection complaints applies from 19 June 2026.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1782230493500\"><strong class=\"schema-faq-question\">What is the new data protection complaints requirement?<\/strong> <p class=\"schema-faq-answer\">You must give people a clear way to complain directly about how you use their data, acknowledge any complaint within 30 days, and respond without undue delay\u2014keeping a record throughout.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1782230513525\"><strong class=\"schema-faq-question\">Do I still need a cookie consent banner?<\/strong> <p class=\"schema-faq-answer\">It&#8217;s likely you will. 
Some analytics and functionality cookies no longer need consent, but advertising and tracking cookies still do, so a compliant banner with an easy \u201creject\u201d option remains essential.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1782230531005\"><strong class=\"schema-faq-question\">How much can my business be fined under the DUAA new data protection rules?<\/strong> <p class=\"schema-faq-answer\">Fines under PECR now match UK GDPR levels\u2014up to \u00a317.5 million or 4% of global annual turnover, whichever is higher\u2014replacing the previous \u00a3500,000 cap.<\/p> <\/div> <\/div>\n\n\n<div class=\"alignfull 
wp-block-sage-related-posts\">\n\t<section class=\"related-posts card-grid has-dark-background-color\">\n\t<div class=\"container\">\n\t\t\t\t\t<div class=\"row related-posts__non-featured\">\n\t\t\t\t\n\t\t\t\t\t<div class=\"col col-6 col-lg-3 card-grid__item\">\n\t\t\t\t\t\t<article\n\t\tclass=\"card-post related-post related-post-4 post-16969 post type-post status-publish format-standard has-post-thumbnail hentry category-strategy-legal-operations tag-accountant-accounting tag-security-fraud business_type-accountants\"\n>\n\t\t\t<a\n\t\t\tclass=\"card-post__link\"\n\t\t\thref=\"https:\/\/www.sage.com\/en-gb\/blog\/identity-fraud-combat-framework\/\"\n\t\t\t\t\t>\n\t\t\t<figure class=\"card-post__media\">\n\t\t\t\t\t\t\t<img decoding=\"async\" width=\"684\" height=\"384\" 
src=\"https:\/\/www.sage.com\/en-gb\/blog\/wp-content\/uploads\/sites\/10\/2023\/09\/GettyImages-1369567969-1-684x384.jpg\" class=\"card-post__image\" alt=\"\" loading=\"lazy\" srcset=\"https:\/\/www.sage.com\/en-gb\/blog\/wp-content\/uploads\/sites\/10\/2023\/09\/GettyImages-1369567969-1-684x384.jpg 684w, https:\/\/www.sage.com\/en-gb\/blog\/wp-content\/uploads\/sites\/10\/2023\/09\/GettyImages-1369567969-1-768x512.jpg 768w, https:\/\/www.sage.com\/en-gb\/blog\/wp-content\/uploads\/sites\/10\/2023\/09\/GettyImages-1369567969-1-1215x810.jpg 1215w\" sizes=\"auto, (min-width: 48em) 250px, (min-width: 30em) 100vw, 100vw\" \/>\t\t\t\n\t\t\t\n\t\t\t\t\t<\/figure>\n\n\t\t\n\t\t\t\t\t<div class=\"card-post__meta\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"card-post__meta-text\"><span class=\"posted-on \"><time class=\"entry-date published\" datetime=\"2024-06-25T09:00:00+01:00\">25 June, 2024<\/time><\/span><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"card-post__meta-text\"><span class=\"reading-time\">6 min read<\/span><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\n\t\t<p class=\"card-post__title h5\">\n\t\t\tHow the Core Identity Framework can help to combat identity fraud\t\t<\/p>\n\n\t\t\t<\/a>\n\t\n\t\n\t\t\n\t\n\t<\/article>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n<\/section>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Thanks to the DUAA, the UK&#8217;s data protection rules have undergone a post-Brexit and post-GDPR refresh, with big changes as of June 2026. 
Here&#8217;s your crash course.<\/p>\n","protected":false},"author":280,"featured_media":30541,"menu_order":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_sage_video":false,"post_featured_image_hide":false,"sage_hide_published_date":false,"sage_hide_read_time":false,"sage_hide_share_buttons":false,"footnotes":""},"categories":[9,11,114],"tags":[117,52],"business_type":[4,3,115],"lilypad":[],"context":[],"industry":[63],"persona":[67,68,69,70,71,72,73,74,75],"imagine_tag":[138,267],"coauthors":[369],"class_list":["post-30540","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-strategy-legal-operations","category-technology-innovation","category-trends-insights","tag-gdpr","tag-security-fraud","business_type-small-business","business_type-medium-sized-business","business_type-accountants","industry-professional-services"],"sage_meta":{"region":"en-gb","author_name":"Keir Thomas-Bryant","featured_image":"https:\/\/www.sage.com\/en-gb\/blog\/wp-content\/uploads\/sites\/10\/2026\/06\/AdobeStock_2064057245.jpg","imagine_tags":{"138":"GDPR","267":"Security Fraud"}},"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Sage Advice 
UK","distributor_original_site_url":"https:\/\/www.sage.com\/en-gb\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/posts\/30540","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/users\/280"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/comments?post=30540"}],"version-history":[{"count":5,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/posts\/30540\/revisions"}],"predecessor-version":[{"id":30584,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/posts\/30540\/revisions\/30584"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/media\/30541"}],"wp:attachment":[{"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/media?parent=30540"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/categories?post=30540"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/tags?post=30540"},{"taxonomy":"business_type","embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/business_type?post=30540"},{"taxonomy":"lilypad","embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/lilypad?post=30540"},{"taxonomy":"context","embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/context?post=30540"},{"taxonomy":"industry","embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/industry?post=30540"},{"taxonomy":"persona","embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/persona?post=30540"},{"taxonomy":"imagine_tag","embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/ap
i\/wp\/v2\/imagine_tag?post=30540"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.sage.com\/en-gb\/blog\/api\/wp\/v2\/coauthors?post=30540"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}