IT Brief UK - Technology news for CIOs & IT decision-makers

UK data leaders face urgent overhaul as DUAA brings strict new rules

Wed, 20th Aug 2025

Google search data indicates a sharp increase in queries related to the Data (Use and Access) Act as UK organisations seek to understand new data protection requirements.

Analysis from VinciWorks, a provider of compliance eLearning and software, has shown a 16,000% rise in searches for "Data Use and Access Act" in June 2025, when the legislation was enacted. This heightened interest far surpassed the 175% increase observed for the previous "Data Use and Access Bill" search term over the period from October 2024 to June 2025.

The Data (Use and Access) Act 2025 (DUAA) introduces extensive updates to the UK's data protection regime, including changes to the UK General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR). The legislation encompasses new frameworks for digital identity, Smart Data schemes, expanded conditions under legitimate interests for data processing, revised rules on automated decision-making, and increased financial penalties for breaches of PECR, which now match GDPR levels at up to £17.5 million or 4% of global turnover.

ICO powers extended

Under the new law, the Information Commissioner's Office (ICO) will obtain significant new enforcement tools starting on 20 August 2025. The ICO will be empowered to compel organisations to participate in interviews and hand over internal records, and will be able to impose penalties for non-cooperation, making organisational audit readiness an urgent focus for technology and compliance teams.

"The DUAA is more than a policy update, it's a structural shift in how UK organisations manage and share data," said Nick Henderson-Mayo, Head of Compliance at VinciWorks. "For tech leaders, this means reassessing security frameworks, ensuring data mapping is accurate, and delivering cross-departmental training. While this legislation will be rolled out over the next 12 months, organisations should be implementing DUAA-compliant processes and delivering staff training now."

Steps for IT and data leaders

The immediate implications of the Act for IT and data leaders are wide-ranging. Organisations are advised to update Data Subject Access Request (DSAR) procedures to reflect new proportionality tests and utilise the "stop-the-clock" rule for ambiguous requests. System audits for Smart Data readiness are highlighted as important, particularly within regulated industries such as finance, telecommunications, and energy.

With fines under the revised PECR now aligned with GDPR, organisations must also scrutinise cookie management and direct marketing practices to ensure compliance. In addition, updates to automated decision-making (ADM) provisions are expected to alter AI governance within institutions, narrowing restrictions to cases involving special category data, which may lead to the deregulation of some AI tools while focusing regulatory oversight elsewhere.

Organisation-wide training is urged, extending beyond IT and compliance departments to encompass operations, marketing, HR, legal, finance, customer service, and procurement teams.

Compliance timeline

A recommended compliance schedule includes an immediate review of DSAR processes and the launch of DUAA or UK GDPR staff training. By 20 August 2025, UK organisations are expected to prepare for the ICO's increased investigative powers. By December 2025, measures for Smart Data and digital identity compliance should be in place. By June 2026, all provisions under the DUAA are scheduled for full compliance.

Henderson-Mayo noted the wider strategic implications: "The DUAA signals the UK's shift toward a more innovation-focused, independent data protection regime, but one with sharper enforcement tools. For tech and compliance teams, the message is clear: the clock is ticking."
