Rules and regulations around data use, GDPR and compliance

legislation is imperative. Businesses are responsible for protecting individuals from the misuse of information about them. Data in the wrong hands might result in an individual becoming the target of identity theft and fraud, and potentially suffer other consequences as well.

Direct marketing is covered by the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018 (DPA). But as times change, laws are constantly being updated. Keeping compliant and following best practice with marketing data means staying abreast of the latest rules and knowing when and where to seek advice is vital.

Woman sitting at laptop

Latest rules and regulations

In June 2025, the Data Use and Access Act 2025 (DUAA) received royal assent and became law. The DUAA amends, but does not replace UK GDPR, DPA or Privacy and Electronic Communications Regulations (PECR). 

  • The Data and Marketing Association UK (DMA) summarises some of the key changes as:
    Greater clarity on legitimate interests as a lawful basis for direct marketing, with examples elevated into the main text of the law.
  • Soft opt-in for charities, aligning fundraising communications with existing rules for commercial organisations.
  • Reform of cookie consent requirements, reducing or removing banners where cookies are used for low-risk, first-party purposes.
  • Preservation of EU adequacy, ensuring data flows between the UK and EU remain uninterrupted.
  • A modernised Information Commissioner’s Office, now required to consider innovation and competition alongside privacy.
  • Legal basis for unified Codes of Conduct covering both GDPR and PECR, enabling joined-up guidance and accountability.
  • Clarity around scientific and market research, formally recognising commercial research under the protections of GDPR.
  • Harmonised definition of direct marketing across GDPR, PECR and DPA 2018, ensuring legal consistency.
  • Stronger enforcement under PECR, with maximum fines raised to match GDPR levels.

Source: https://dma.org.uk/article/the-data-use-and-access-bill-becomes-law-a-landmark-for-uk-data-regulation 
 

Where to find guidance

The ICO, mentioned above, is the regulator for the data industry and has the power to rule on and issue fines for non-compliant businesses. It is worth contacting the ICO helpline with any queries or concerns about data you are handling and/or intending to use. For the latest information on regulation please visit the Information Commissioner’s Office (ICO) website

The Data and Marketing Association UK (DMA) is active in advising businesses about the compliant use of data in marketing activity. It also lobbies government ministers and other authorities to ensure regulatory changes take business concerns into account, while focusing on the experience of the end user (consumer/customer). It may be helpful to contact its legal team if you need to discuss any issues or worries about using your data for marketing purposes.