The Data (Use and Access) Act 2025 (DUAA) marks the most significant refinement of the UK’s data protection framework since the introduction of the UK GDPR. Rather than a complete overhaul, the DUAA aims to streamline compliance, support innovation, and provide greater clarity for organisations operating in the digital economy.
For employers, the DUAA brings both opportunities and obligations, from clearer rules on data processing and marketing to expanded flexibility around AI and international data transfers. With enhanced enforcement powers and the principle of transparency in mind, it is essential that businesses understand how these changes will affect their operations.
To support your preparation, we have outlined 10 practical tips to help employers navigate the new requirements and take full advantage of the DUAA’s reforms.
Top 10 DUAA Compliance Tips for Employers
1. Review & Update Internal Policies
Audit your existing data protection policies, procedures, and privacy notices to ensure alignment with DUAA updates – especially around lawful bases (particularly if the newly created basis, ‘recognised legitimate interests’, needs to be included), DSAR handling, and AI use.
2. Reassess Direct Marketing Practices
Take advantage of the DUAA’s recognition of direct marketing as a “legitimate interest” – but ensure opt-outs are easy, consent is clearly managed, and Privacy and Electronic Communications Regulations (‘PECR’) compliance is robust to avoid heavy penalties.
3. Leverage the Broader Definition of Scientific Research
If your business conducts research (including in tech, healthcare, or innovation), assess how the new definition can support more flexible and compliant data use.
4. Understand New Rules on ‘Further Processing’
Familiarise yourself with Article 8A DUAA – particularly where you want to repurpose data. Ensure documentation shows how new processing aligns with the original purpose, especially in public interest or research contexts.
5. Review International Data Transfer Processes
The new “not materially lower” test simplifies some transfers, but employers must still assess risks, including adequacy decisions for the countries to which the data would be transferred, and update contracts (e.g. Standard Contractual Clauses or Data Sharing Agreements) accordingly.
6. Strengthen DSAR Procedures
Formalise a process to handle “reasonable and proportionate” search efforts. Use the new ability to pause the DSAR clock while awaiting clarification from requesters to manage workload more effectively.
7. Prepare for AI and Automated Decision-Making (ADM) Use
If using AI in hiring, performance management, or profiling, conduct a risk assessment. Implement transparency mechanisms and explain how decisions are made to stay compliant under the revised ADM framework. It is important there is still human oversight on any decisions/work produced by AI, which will also demonstrate compliance with the accountability principle.
8. Explore Opportunities for Digital ID Verification
Consider using compliant Digital Verification Services (DVS) to streamline onboarding and ID checks – especially in finance, property, and recruitment sectors.
9. Audit Child-Facing Services
If your services could be accessed by children, apply higher protection standards (aligned with the Children’s Code). Design platforms with child privacy in mind and ensure appropriate age verification.
10. Prepare for Enhanced Enforcement Risk
Update your risk registers and compliance frameworks to reflect the increased fines, particularly for breaches relating to direct marketing (up to £17.5 million or 4% of global turnover under PECR). Prioritise cookie compliance and marketing consent reviews.
Bonus Tip – Implement a First-Line Complaints Process
Before individuals go to the ICO, they will now be expected to complain to you first and be kept informed on progress relating to their complaint. Make sure a clear internal complaints route is in place to handle data disputes swiftly and fairly.
If you are seeking advice on DUAA and how your organisation can be compliant with this new law, please do not hesitate to contact a member of the data protection team who would be happy to discuss steps that need to be taken.