Getting the legal foundations right: a 2026 health-check for UK businesses

A growing company

For many UK businesses, the move from start-up to steady-state operation is accompanied by a corresponding increase in legal complexity. The team is larger, the contracts are larger, and the data being processed is more sensitive than it was at the time of incorporation. For such businesses, the next significant milestone is often external investment, refinancing or a sale.

Increased scrutiny

At that point, the legal foundations of the business will be subjected to detailed scrutiny. Investors and acquirers routinely discount valuations when contracts, policies and compliance documents are not in place, and gaps identified in due diligence are rarely recovered in the negotiated price.

Legal foundations

Even before that stage is reached, well-maintained legal foundations enable a growing business to move at pace: signing new customers, onboarding new suppliers, and adopting new technologies, with the relevant risks identified, recorded, and managed in advance using an agreed process, helping you manage your unknowns.

Health check

Ten areas in which we routinely identify gaps are set out below. Each can be reviewed quickly, and most can be addressed far more easily where issues are identified at an early stage.

1. Privacy notices and cookie banners: review required following the Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 (DUAA) made significant changes to UK data protection law, including to the cookie regime under the Privacy and Electronic Communications Regulations 2003 (PECR). The cookie provisions came into force on 5 February 2026, and the maximum fine for non-compliance has been raised from £500,000 to £17.5 million, or 4% of worldwide turnover if higher, bringing PECR penalties into line with the UK GDPR. Privacy notices and cookie banners drafted before that date should be reviewed against the revised requirements.

2. Standard terms and conditions: alignment with the Digital Markets, Competition and Consumers Act 2024

Businesses selling to consumers should review their standard terms in the light of the Digital Markets, Competition and Consumers Act 2024, in particular the provisions concerning subscription contracts, drip pricing and the prohibition on fake reviews. The Competition and Markets Authority now has direct enforcement powers in respect of consumer protection law, and has begun to exercise them.

3. A.I. use within the business: policy and governance framework

The use of generative A.I. tools by employees is now widespread, often involving client information, draft contracts, and internal decision-making. Businesses without an Acceptable Use Policy, a defined list of approved tools and an audit trail of A.I. use carry significant confidentiality, intellectual property and data protection risk. Customers and acquirers are increasingly requiring evidence of A.I. governance as part of their procurement and due diligence processes.

4. Software supplier contracts: review of A.I. provisions on renewal

Most enterprise software-as-a-service (SaaS) agreements now incorporate A.I. processing as part of the core service, frequently introduced through updated Data Processing Agreements or supplemental A.I. schedules, which the supplier reserves the right to vary. On each renewal, businesses should consider whether the supplier is permitted to use customer data for model training, who owns the A.I. outputs, what indemnities are provided in respect of third-party intellectual property infringement, and what notice is required for material model and sub-processor changes. Reviewing your SaaS terms tells you what risk your business is carrying by relying on such tools, so that appropriate mitigations can be put in place.

5. International data transfers: annual review of mechanism and transfer risk assessment

Businesses transferring personal data outside the UK should review their transfer mechanism (typically the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses) and the supporting transfer risk assessment on an annual basis. The UK Extension to the EU-US Data Privacy Framework remains in force, but is subject to ongoing legal challenge, and supporting documentation should be kept current. Maintain your Record of Processing Activities and ensure your Privacy Policy remains up to date.

6. Data retention: a documented schedule

Retaining personal data for longer than is necessary remains one of the most common bases for ICO enforcement action. A documented retention schedule, applied consistently across the business, is among the most cost-effective measures available to reduce regulatory exposure. It can also help manage storage costs and simplify responding to subject access requests.

7. Failure to prevent fraud: assessment of reasonable procedures

The failure to prevent fraud offence introduced by the Economic Crime and Corporate Transparency Act 2023 came into force on 1 September 2025. Larger businesses falling within the scope of the offence are required to have reasonable procedures in place to prevent fraud. Smaller businesses should obtain and document an assessment of whether the offence applies to them. The same applies to other legislation that carries corporate criminal liability, including the Bribery Act 2010.

8. Intellectual property ownership: written assignments and licences

Where logos, software code, marketing copy, photography or other creative materials have been produced by freelancers, external agencies or with the assistance of A.I. tools, written confirmation of ownership or licensing should be in place. The default position under English law is not always what founders assume, and resolving ownership at the point of investment or sale is significantly more expensive than addressing it in advance.

9. Modern slavery and anti-bribery: keeping policies current

Businesses within the scope of the Modern Slavery Act 2015 or the Bribery Act 2010 should ensure that their statements, policies and supporting procedures reflect current operations. Outdated documentation can be more damaging in due diligence than missing documentation, as it suggests that compliance has not been kept under review.

10. Incident response: a documented plan for personal data breaches or cyber attack

A personal data breach which meets the threshold for notification must be reported to the ICO without undue delay and, where feasible, within 72 hours of the controller becoming aware of it; where the breach is likely to result in a high risk to individuals, those individuals must also be informed without undue delay. Businesses should have a documented incident response plan that identifies the individuals responsible for assessment, notification, and external communications, records the time at which the business became aware of the breach (since the 72-hour period runs from that point), and should test that plan periodically.

How can we help?

Reviewing each of these areas is precisely the work our General Counsel Flex service is designed to do. Having experienced, business-savvy in-house lawyers available on a fixed-fee basis allows you to have your business processes reviewed by someone with a practical eye. This helps businesses implement measures that not only manage risk but also enhance their processes and speed to market.

Contact us to discuss how we can help you optimise for growth →


May 2026
