The Data (Use and Access) Act 2025 (DUAA) is more than a technical amendment to UK data law. It is a structural shift in how businesses handle, share, and reuse information. While framed as a driver of innovation and competition, DUAA introduces sharper compliance demands, fresh litigation risks, and expanded enforcement powers for the Information Commissioner’s Office (ICO).
For organisations, the immediate danger lies not in the long-term architecture of Smart Data schemes or digital identity frameworks, but in the grey zones of implementation, where disputes, penalties, and claims will arise first.
VinciWorks has identified a 16,000% month-on-month increase in Google searches for “Data Use and Access Act” in June 2025, the month the legislation became law on 19 June. This spike highlights how seriously UK organisations are taking the changes to data protection law.
In practice, DUAA compliance will be judged not just on written policies but on the credibility of processes under stress, whether that be in a compliance interview, a discrimination claim, or the court of public opinion. For businesses, the strategic choice is clear: treat DUAA not as a technical tweak to GDPR, but as a new compliance regime requiring early, visible investment. Those who do so will mitigate risk, avoid costly disputes, and position themselves to seize the Act’s intended upside: data innovation.
Smart data schemes and access disputes
Smart Data schemes, initially voluntary but soon to be mandatory in certain sectors, are designed to allow customers and authorised third parties access to usage, pricing, and performance data. But the very act of opening datasets creates vulnerabilities:
Risk
- Wrongful refusals: If a business denies access to a legitimate request, it risks enforcement action or civil claims.
- Over-disclosure: Conversely, disclosing commercially sensitive or personal data to an unauthorised party could trigger breach of confidence, contractual disputes, or UK GDPR violations.
- ICO enforcement: The regulator now has mandatory compliance interview powers, backed by criminal liability for false statements.
Mitigation
- Access request triage: Build a dedicated workflow, similar to DSAR procedures, that flags, validates, and records every incoming request.
- Legal review checkpoints: For borderline cases, escalate to legal counsel before data is disclosed.
- Contractual clarity: Update customer contracts and supplier terms to reflect DUAA rights and obligations, reducing ambiguity in disputes.
- Board oversight: Ensure senior management visibility of Smart Data compliance, given the reputational risks of early enforcement action.
Automated decision-making and civil liability
DUAA replaces the rigid Article 22 UK GDPR ban with a more permissive framework. Automated decision-making (ADM) is now lawful in more scenarios, provided safeguards exist. But this loosening actually heightens litigation risks:
Risk
- Regulatory risk: The ICO can fine organisations up to 4% of global turnover for failures in ADM safeguards.
- Civil litigation: Individuals denied jobs, loans, or insurance cover by automated systems may sue for damages, arguing a lack of “meaningful human involvement.”
- Equality law exposure: Biased algorithms in HR or financial services could lead to indirect discrimination claims under the Equality Act 2010.
Mitigation
- Bias audits: Run algorithmic impact assessments (akin to Data Protection Impact Assessments) that explicitly check for discriminatory outcomes.
- Human-in-the-loop protocols: Require human review of any decision producing legal or similarly significant effects. Document the process rigorously.
- Transparency obligations: Update privacy notices to explain how automated decisions are reached, and provide clear appeal mechanisms.
- Testing and redress: Pilot ADM systems internally before live rollout, and maintain a fast-track complaints process for affected individuals.
Purpose limitation and “compatible” re-use
One of DUAA’s more business-friendly reforms is clarifying when personal data may be reused for new purposes. Yet this flexibility carries risk:
Risk
- Over-expansion: Organisations may incorrectly treat new processing as “compatible,” particularly where commercial motives are involved.
- Special category pitfalls: Reusing sensitive data without satisfying a Schedule 1 DPA 2018 condition exposes organisations to unlawful processing claims.
- Satellite litigation: Competitors, customers, or campaign groups may use strategic litigation to test the boundaries of DUAA’s compatibility framework.
Mitigation
- Compatibility registers: Document every instance of further processing, identifying lawful bases and safeguards.
- Legal sign-off for special category data: Require DPO or counsel approval before reusing health, biometric, or belief-based data.
- Conservative application: If in doubt, seek consent or rely on a fresh lawful basis rather than stretching “compatible” too far.
- ICO engagement: Monitor ICO guidance on compatible purposes and align policies quickly as the regulator clarifies the grey zones.
ICO enforcement and compliance interviews
Perhaps DUAA’s most immediate operational threat is not novel rights or obligations, but the ICO’s strengthened enforcement toolkit:
Risk
- Compliance interviews: Organisations can now be compelled to send DPOs or executives to interviews, with criminal liability for misstatements.
- Fines escalation: Penalties under PECR are aligned with UK GDPR levels, meaning up to 4% of global turnover.
- Reputational fallout: ICO investigations are often publicised, creating brand damage even before findings are concluded.
Mitigation
- Interview readiness: Train senior staff in regulatory interview protocols. Treat them as formal, high-risk proceedings akin to FCA interviews in financial services.
- Governance structures: Maintain a “single source of truth” for data governance policies, ensuring consistency across all regulatory disclosures.
- Financial provisioning: Consider building regulatory fines and litigation contingencies into risk registers and insurance coverage.
- Proactive engagement: Voluntary engagement with the ICO on emerging compliance challenges can soften enforcement risk.
Rising litigation and reputational harm
DUAA creates new private law causes of action and strengthens old ones. These cases are likely to attract significant publicity, especially as campaign groups seek “test cases” to define DUAA’s boundaries.
Risk
- Individuals can sue for damages arising from unlawful automated decisions.
- Competitors may litigate over misuse of shared data.
- Consumer groups may target unfair refusals of access or hidden ADM bias.
Mitigation
- Early dispute resolution: Establish fast-track ADR (alternative dispute resolution) options for customer complaints before disputes escalate.
- Insurance coverage: Review existing D&O and cyber policies to ensure they cover DUAA-related claims.
- Reputational planning: Prepare communication strategies for handling regulatory scrutiny or civil claims in the media spotlight.
What to do now: DUAA short-term compliance checklist
Audit your data access processes
- Map out how you handle incoming data access requests.
- Build triage procedures to validate legitimacy and log refusals or disclosures.
- Update customer and supplier contracts to reflect DUAA rights and obligations.
Strengthen Automated Decision-Making (ADM) safeguards
- Conduct algorithmic bias and fairness audits.
- Implement “human-in-the-loop” review for any significant ADM decisions.
- Revise privacy notices to explain automated decisions and provide appeal routes.
Manage further processing and reuse
- Create a compatibility register documenting lawful bases for all secondary uses.
- Require DPO/legal sign-off before reusing special category data.
- Use consent or new lawful bases where compatibility is uncertain.
Prepare for ICO enforcement powers
- Train senior staff on how to handle compliance interviews.
- Maintain a single, accurate governance record for all data policies.
- Review insurance policies and provision for potential fines or disputes.
Anticipate litigation and reputational risks
- Establish ADR or fast-track resolution for customer complaints.
- Develop a communications plan for handling ICO investigations or civil claims.
- Monitor ICO guidance and sector case law to adapt policies quickly.