Navigating data protection and DUAA: Your questions answered

Data protection continues to evolve, and with the UK’s new Data (Use and Access) Act (DUAA) now in force, many organisations are reassessing how they handle personal data. From marketing opportunities and vendor management to breach reporting and court cases, the questions often sit at the intersection of compliance, practicality and reputational risk.

In a recent webinar, The Data Use and Access Act – what it means for your organisation, participants raised a wide range of questions, covering the “soft opt-in,” legitimate interests under DUAA, children’s data, data retention and so much more. These are exactly the issues that organisations of all sizes are grappling with as they adapt policies, processes and training.

Below, we answer all those questions. We hope they provide practical guidance and clarity in this changing regulatory environment.

We also compiled a DUAA FAQ guide based on all the questions we received from participants upon registering for the DUAA webinar. Download the DUAA FAQ guide here

1. In the charity sector, the opportunities the soft opt-in brings are a key consideration, alongside the risks. Can you go into more detail on the charity soft opt-in you mentioned and what it entails?

    The “soft opt-in” is a marketing exemption under the Privacy and Electronic Communications Regulations (PECR) that allows organisations to send electronic marketing to individuals without prior consent, provided certain conditions are met. It previously applied only to commercial contexts; DUAA extends it to charities. For a charity it applies when you obtained the contact details in the course of the individual expressing interest in, or offering support for, your charitable purposes (a donation or membership, for instance), the marketing furthers those purposes, and you gave a clear, simple opportunity to opt out at the time of collection and in every subsequent message. The opportunity is that it lets charities engage existing supporters more easily. The risk is that misuse, such as contacting people too broadly or omitting opt-outs, can lead to ICO enforcement and reputational harm. It is a tool to be used carefully, not a blanket permission.

2. Managing data retention is an issue. Can you explain what to keep, for how long and how to manage appropriate disposal?

    Retention should be driven by purpose and law. For example, finance records may need to be kept for six years to comply with tax law, while safeguarding records may have longer requirements. Personal data should not be kept “just in case.” The key is a retention schedule that matches each category of data to the legal or operational reason for holding it, with regular reviews to apply it. Disposal should be secure and irreversible: shredding for paper, certified deletion for digital files, and a process that also covers backups and archives, which are easily forgotten. Transparency matters too: your retention approach should be explained in your privacy notice.

3. What is the benefit to marketing teams as a result of the changes to “legitimate interests” under DUAA?

    DUAA clarifies the use of “legitimate interests” in two ways. First, it creates a short list of “recognised legitimate interests” (purposes such as safeguarding, crime prevention and responding to emergencies) for which no balancing test is required. Second, it adds a non-exhaustive list of examples that may be legitimate interests, including direct marketing, intra-group administration and network security; for these the balancing test still applies, but the Act confirms the purpose is a legitimate one to start from. For marketing teams, the benefit is more confidence when relying on legitimate interests for low-risk processing such as internal analytics, service improvement or certain customer engagement activities, and a simpler justification to document. It does not remove the need to respect opt-outs or individuals’ rights: the right to object to direct marketing remains absolute, and PECR still governs electronic marketing.

4. Wouldn’t it be up to the organisation itself to decide whether to go after an employee, irrespective of malicious intent or not? Can the authority go directly after the individual rather than the data controller of the organisation?

    Generally, the ICO directs enforcement at the controller, because it is responsible for systems, training and safeguards. However, under section 170 of the Data Protection Act 2018, an individual can be prosecuted directly for knowingly or recklessly obtaining, disclosing, procuring or retaining personal data without the controller’s consent, for instance an employee who looks up records out of curiosity or passes them to a third party. So, while organisations are usually held accountable, malicious or unlawful actions by employees can bring personal liability, independently of any internal disciplinary decision the employer makes.

5. Are all breaches now reportable to the ICO, or does there have to be harm to the data subject?

    Not all breaches are reportable. The rule remains that you must notify the ICO only if the breach is likely to result in a risk to the rights and freedoms of individuals. If the breach is trivial or contained and poses no real risk, such as an email sent internally to the wrong staff member with no sensitive content, it does not need to be reported. However, you should always record breaches internally, assess the risk and document why you did or did not notify; the ICO can ask to see that record.

6. Can you elaborate on the vendor management point with regard to DUAA?

    Vendor management is critical because most charities and businesses rely on third parties such as cloud providers, marketing platforms or digital ID check services. DUAA reinforces that controllers must keep oversight of their processors and use only those that provide sufficient guarantees of compliance. In practice that means reviewing contracts, ensuring the Article 28 processing clauses are in place (documented instructions, confidentiality, security measures, sub-processor approval, deletion or return at the end of the service) and having a process to assess vendor risk before and during the engagement. It is not just a legal exercise; it is about ensuring your suppliers do not expose you to breaches or reputational damage.

7. Regarding the Farley damages, has there been guidance on how the court will assess these?

    The Farley case highlights the courts’ willingness to award compensation for distress even without tangible financial loss. Guidance so far suggests courts will consider the nature of the breach, the sensitivity of the data and the actual impact on the claimant. There is still a threshold: claimants must show more than trivial upset. The case law is still developing, so organisations should assume distress damages are a real risk, even for smaller breaches.

8. Is the risk of DUAA being over-hyped?

    The ICO has stressed that DUAA does not radically increase obligations, but it does clarify and simplify some existing requirements. The hype comes from vendors or commentators portraying it as a wholesale shift. For most organisations the key actions will be modest: updating documentation, revisiting legitimate interests justifications and checking transparency information. At the same time, DUAA does offer opportunities, as it gives organisations the chance to embed trust, transparency and accountability as real differentiators. Businesses that act early can reduce regulatory exposure and strengthen customer trust.

9. How will DUAA be applied to social housing?

    DUAA applies across sectors, including social housing providers. The key impacts are on transparency, lawful bases and vendor management. Social housing bodies often process large amounts of sensitive data, such as health, financial hardship and safeguarding information. DUAA does not lower standards here, but it does clarify bases such as legitimate interests in certain operational contexts. Housing providers should review privacy notices and contracts with IT and tenant-service suppliers, and ensure procedures for handling rights requests remain clear and efficient.

10. Should we review arrangements with those service providers who are used for digital ID checks or electronic checks? Is there automated decision-making in these circumstances?

    Yes, these arrangements should be reviewed. Digital ID providers often use automated processes to verify identities, which may qualify as automated decision-making. DUAA reworks the rules on solely automated decisions: decisions with legal or similarly significant effects, such as refusing a service based solely on an automated check, are permitted for ordinary personal data provided safeguards are in place, including telling the individual, allowing them to make representations, and giving them a route to human intervention and to contest the decision. Where special category data is involved, the tighter restrictions remain. Even if the process is not fully automated, you still need to ensure your vendors meet security and fairness standards and that contracts clearly define who is the controller for the check and who handles challenges to its outcome.

11. Who is responsible for updating addresses if you have sent out a reminder to update but the team or one person does not respond (and then complains it has gone to the wrong address)?

    The responsibility is shared. Organisations must take reasonable steps to keep data accurate, for example through reminders and update requests. The accuracy principle does not demand perfection: if an individual does not respond, and you can show you took proportionate steps, you have met your obligation even though the record turned out to be wrong. What matters is documenting the process: you asked, you provided clear ways to update, and you used the last known information in good faith. Bear in mind, though, that sending personal data to a wrong address is still a personal data breach that should be logged and risk-assessed, whoever is at fault for the stale address.

12. When refusing a request for personal data, would you still quote section 45 subsection (4)(e) of the Data Protection Act 2018?

    Yes. When relying on an exemption or restriction under the DPA 2018 you should cite the specific provision. Section 45(4)(e) sits in Part 3 of the Act (law enforcement processing by competent authorities) and allows a controller to restrict the right of access where that is necessary and proportionate to protect the rights and freedoms of others. If you are not a competent authority processing for law enforcement purposes, Part 3 does not apply to you and you should cite the relevant UK GDPR exemption in Schedule 2 of the DPA 2018 instead. Either way, give the individual a clear, legally grounded explanation for the refusal, including their right to complain to the ICO, while staying proportionate and not over-sharing internal legal reasoning.

13. A top priority is children’s data, but it’s very hard when the guidance still isn’t out. Can you help?

    Children’s data is always high risk and requires a cautious approach, even while waiting for finalised guidance. The principles are clear: use plain-language privacy notices, collect only what is necessary, apply age-appropriate safeguards and avoid profiling or marketing that exploits vulnerability. The ICO’s Children’s Code remains the benchmark, and DUAA adds an explicit expectation that online services likely to be accessed by children take account of children’s higher protection needs when deciding how to process their data. The expectation is not that protections will weaken, so adopting the highest standard now is the safest approach.

14. What about having to store data for 40 years for health and safety?

    Certain regulations, such as those covering asbestos exposure or workplace accidents, require records to be retained for decades; the Control of Asbestos Regulations, for instance, require health records to be kept for 40 years. This is consistent with the storage limitation principle, which allows data to be kept for as long as a legal obligation requires, rather than an override of it. The key is to retain only the data necessary to meet that legal duty, keep it securely (which includes keeping it readable and restorable for that long), and explain the legal basis for the long retention in your privacy notice. So yes, sometimes very long retention is lawful and required.

15. How do we put in place a procedure for customers to make a complaint about how we handle their data?

    DUAA makes this a formal requirement: controllers must facilitate data protection complaints, acknowledge them within 30 days and respond without undue delay. Start with a simple, accessible process: a clear contact email or form for data complaints, acknowledgement of receipt and a set timeframe for a substantive response. Train staff to recognise complaints rather than treating them only as service issues. Keep a log of complaints and how they were resolved. And always explain the right to escalate to the ICO. This does not need to be complex; clarity and accountability are the key ingredients.

16. Will court involvement involve the usual costs and consequences, or will data controllers always have to pay them no matter what the result is?

    Normal court rules on costs apply. If a data subject brings a claim and loses, they may be liable for costs, though courts sometimes show leniency in privacy cases, and on the small claims track costs recovery is very limited in either direction. Data controllers are not automatically on the hook for costs in every case. That said, litigation carries reputational and financial risk even when you win, so many organisations prefer early settlement.

17. Regarding the Farley case, what if the email bounced back and it can be proved that nobody saw it? Is there a duty to notify clients and even compensate them?

    If the email genuinely bounced back and no one accessed the data, the risk may be negligible. In such cases notification to the affected individuals is usually not required, since no personal data was actually exposed, and compensation would not generally apply either, as there was no impact on them. However, you should document the incident, keep evidence of the bounce-back (the non-delivery report and mail server logs, not just a screenshot), and record the assessment so that if challenged later you can show you considered the risk responsibly.

18. The ICO breach reporting guidance used to say small issues were not reportable. Does the Farley case mean the ICO reporting questionnaire will be updated to reflect the lower bar?

    At present, the ICO has not issued a new version of the online breach reporting tool. The Farley judgment does not change the legal threshold: breaches are reportable if they pose a risk to individuals’ rights and freedoms. But it does highlight that what counts as “harm” may be interpreted more broadly by the courts. It is anticipated that the ICO will review its guidance in light of evolving case law.

19. Is there a minimum size of company which DUAA covers? Does it cover all businesses, from sole traders to PLCs?

    DUAA applies to all controllers and processors operating in the UK regardless of size, from sole traders up to multinationals. The obligations are proportionate: small businesses are not exempt, but the scale of compliance measures should reflect the size and risk profile of the organisation.

20. Are there any circumstances in which DUAA could have extra-territorial reach, as in outside the UK?

    Yes. DUAA amends the UK GDPR rather than replacing it, so the UK GDPR’s extra-territorial scope carries over: if a non-UK business offers goods or services to people in the UK or monitors their behaviour, the amended rules apply. Overseas organisations in this position will need to comply, including appointing a UK representative where required.

21. How does DUAA work in line with the Data Protection Act 2018?

    DUAA amends and updates the UK GDPR, the DPA 2018 and PECR rather than replacing them. Think of it as an overlay: the DPA 2018 still provides exemptions, enforcement powers and criminal offences, while DUAA refines definitions and obligations, particularly around legitimate interests, research, automated decision-making, complaints handling and international transfers.

22. Is DUAA applicable to all companies? How do we know if it is applicable to us?

    If your organisation processes personal data in the UK, DUAA applies to you. There is no threshold by turnover, staff size or sector. Even sole traders holding client contact details must comply, though the scope of documentation and formality should be proportionate.

23. For DSARs, we rely on legal professional privilege (LPP). Should we now say in our responses that the data subject can apply to court to request the documents subject to LPP, or did they always have that right?

    They always had the right to challenge your reliance on exemptions, including LPP, by complaining to the ICO or applying to the court. DUAA does not introduce a new right here; it simply reinforces existing routes of redress. It is not necessary to flag the court route explicitly in every DSAR response, though you should clearly state the exemption relied upon and the individual’s right to complain to the ICO.

24. Will DUAA litigation be under public liability, cyber liability or professional indemnity insurance?

    This depends on your policy wording. Data protection claims typically fall under cyber liability or professional indemnity cover rather than public liability, and policies differ on whether regulatory fines are covered at all. Organisations should review policies carefully and speak with their brokers to ensure coverage for data-related claims.

25. What are the implications for HR with DUAA?

    HR functions hold some of the most sensitive personal data, including health, performance and disciplinary records. DUAA reinforces the importance of clarity on lawful bases, especially legitimate interests, and requires careful vendor management where HR platforms or payroll providers are used. HR teams should review retention schedules, employee privacy notices and procedures for handling DSARs, which in HR often involve large volumes of email and the need to redact third-party information.

26. Who should be leading data protection in organisations: IT, HR or another function?

    Responsibility ultimately rests with the organisation’s leadership, but the lead function will vary. Data protection is cross-cutting: IT manages security, HR ensures staff compliance and operations oversee processes. Best practice is to designate a Data Protection Officer where one is required, or at least a named senior individual who is accountable, supported by input from across departments.

27. I am interested to see how this would affect small businesses like myself, a virtual assistant who works with other small businesses.

    For small businesses and VAs, DUAA obligations apply, but on a proportionate scale. You will need clear privacy notices, secure handling of client data and straightforward processes for rights requests. A VA is usually a processor acting on the client’s instructions, so you also need a written contract with each client setting out those instructions, and your clients need to understand their own responsibilities as controllers: you are both part of the compliance chain.

28. If someone makes a genuine error, i.e. they’re in training, does this mean they will get blamed and be held liable personally?

    No. Liability normally falls on the organisation, not the individual, provided it was a genuine error and proper training was in place. Personal liability arises only in cases of deliberate, reckless or unlawful misuse of data. That said, regulators will look at whether the organisation had adequate supervision and training, so a mistake by a trainee tends to become a question about the employer’s controls rather than about the trainee.

29. If a company we use claims to hold our data indefinitely, is that correct, or should they conform to a data retention policy even if it’s our data?

    Vendors cannot hold your data indefinitely without justification. As the controller you set the retention period, and a processor is bound to follow your documented instructions and to delete or return the data at the end of the service. If a vendor insists on keeping data indefinitely, that raises compliance concerns and should trigger a contract review; check in particular what happens to backups, and whether the vendor is claiming the data for its own purposes, in which case it is acting as a controller in its own right and needs its own lawful basis.

30. Although “no one saw it” is gone as a complete defence, can it still be used to mitigate and lower any compensation awarded?

    Yes. While it is no longer a full defence, it can be a factor in reducing damages. Courts will consider whether the data was actually accessed or misused when assessing distress and harm, even if the mishandling itself creates liability, so evidence that nobody read the data is still worth preserving.

31. Does the 72-hour deadline include weekends or holidays?

    Yes. The 72-hour reporting clock runs continuously from the point you become aware of a notifiable breach, including weekends and public holidays. If awareness falls outside office hours, you should still notify the ICO as soon as possible with the information available; the notification can be made in phases, with further detail supplied as the investigation progresses, and a late notification must explain the reasons for the delay.

32. What are the potential punitive damages against companies?

    Under the UK GDPR as amended by DUAA, the ICO retains the power to issue fines of up to £17.5m or 4% of global annual turnover, whichever is higher. DUAA also raises the maximum fine under PECR to the same level, which matters for marketing breaches such as misuse of the soft opt-in. Courts can award compensation to individuals for distress or material loss. “Punitive” damages are not a distinct category under UK data protection law, but the reputational and financial consequences can still be severe.

33. Who is open to potential criminal liability? Is it processors, senior management or board members? And what are the potential penalties?

    The criminal offences in the DPA 2018, which DUAA leaves in place, include knowingly or recklessly obtaining, disclosing, procuring or retaining personal data without the controller’s consent, and altering or destroying records to prevent their disclosure in response to a subject access request. These usually apply to individuals, such as employees misusing access, though a company can also be prosecuted. Where an offence is committed by a company with the consent or connivance of, or because of neglect by, a director or other senior officer, that individual can be prosecuted as well. The penalties under the DPA 2018 are fines, unlimited on indictment, rather than imprisonment; a custodial sentence is possible only where the conduct also amounts to a separate offence, such as unauthorised access under the Computer Misuse Act 1990.

34. What can be seen as a “reasonable” frequency for keeping data updated as part of a defence mechanism?

    There is no set time period. “Reasonable” depends on the nature of the data and how it is used. For example, payroll or HR records may need more frequent updates than archival records. A good practice is to prompt individuals annually to check their details, with additional checks before key transactions, and to keep a record of each prompt so you can evidence it later.

35. Is there any defence if an address has changed but the company has not been notified?

    Yes. If you can demonstrate reasonable steps, such as periodic reminders and opportunities to update details, you can show due diligence. The law recognises that organisations cannot guarantee absolute accuracy, only that they take proportionate measures.

36. Does the 72 hours start from detection of the breach or from the breach itself?

    It starts from when you become aware of the breach, not when the breach actually occurred. “Awareness” means you have a reasonable degree of certainty that a security incident has led to personal data being compromised; a short period of investigation to establish that is allowed, but it should be brief, and a long gap between the breach and its discovery will itself be scrutinised as a measure of how good your detection is.
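
The 72-hour rule in the two answers above (the clock starts at awareness, not at the breach, and runs through weekends) and the advice elsewhere on this page to record every breach with a written rationale are easier to get right with a small register. The following is an added Python example, not code from the original page or from any ICO tool; the incidents, reference numbers and dates are constructed for illustration, and it assumes UTC timestamps and the Article 33 deadline of 72 hours from awareness.

```python
"""Breach register with ICO 72-hour deadline tracking.

Added example, not code from the original page. It assumes (UK GDPR Art. 33)
that a notifiable breach must be reported within 72 hours of the controller
becoming *aware* of it, that the clock runs continuously through weekends and
holidays, and that every incident, notified or not, keeps a written rationale.
All incidents below are constructed samples, not real cases.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
ICO_WINDOW = timedelta(hours=72)  # Art. 33(1): "not later than 72 hours after having become aware"


@dataclass
class BreachRecord:
    ref: str
    occurred_at: datetime        # when the breach happened (best estimate)
    aware_at: datetime           # when you reached reasonable certainty a breach occurred
    summary: str
    risk_to_individuals: bool    # outcome of your risk assessment
    rationale: str               # why you did, or did not, notify the ICO
    notified_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        # Naive datetimes would silently break the deadline arithmetic across time zones.
        for name in ("occurred_at", "aware_at", "notified_at"):
            value = getattr(self, name)
            if value is not None and value.tzinfo is None:
                raise ValueError(f"{name} must be timezone-aware")
        if self.aware_at < self.occurred_at:
            raise ValueError("awareness cannot precede the breach")
        if not self.rationale.strip():
            raise ValueError("every incident needs a documented rationale, reported or not")

    @property
    def ico_deadline(self) -> datetime:
        # The clock starts at awareness, not at the breach, and never pauses for weekends.
        return self.aware_at + ICO_WINDOW

    def status(self, now: datetime) -> str:
        if not self.risk_to_individuals:
            return "not-reportable"  # still logged, with rationale, in the internal register
        if self.notified_at is not None:
            return "notified-on-time" if self.notified_at <= self.ico_deadline else "notified-late"
        return "overdue" if now > self.ico_deadline else "pending"


def sample_register() -> list[BreachRecord]:
    """Constructed incidents covering the edge cases raised in the Q&A above."""
    return [
        # Friday-evening theft: the weekend counts, so the deadline is Monday 17:30.
        BreachRecord("BR-1", datetime(2025, 10, 3, 17, 0, tzinfo=UTC), datetime(2025, 10, 3, 17, 30, tzinfo=UTC),
                     "Unencrypted laptop holding tenant hardship records stolen", True,
                     "Unencrypted special category and financial data; high risk",
                     notified_at=datetime(2025, 10, 6, 9, 0, tzinfo=UTC)),
        # Exposure began Tuesday but was only confirmed Thursday: the clock starts Thursday.
        BreachRecord("BR-2", datetime(2025, 10, 7, 9, 0, tzinfo=UTC), datetime(2025, 10, 9, 14, 0, tzinfo=UTC),
                     "Storage bucket with donor spreadsheet left publicly readable", True,
                     "Donor names and addresses reachable from the internet"),
        # Internal misdirected email, no sensitive content, deleted by the recipient.
        BreachRecord("BR-3", datetime(2025, 10, 8, 11, 0, tzinfo=UTC), datetime(2025, 10, 8, 11, 5, tzinfo=UTC),
                     "Staff rota emailed to the wrong colleague", False,
                     "Recipient is a staff member bound by confidentiality; no sensitive data; message deleted"),
        # Reported an hour past the window: late, so the notification must explain the delay.
        BreachRecord("BR-4", datetime(2025, 10, 13, 9, 0, tzinfo=UTC), datetime(2025, 10, 13, 10, 0, tzinfo=UTC),
                     "Payroll export sent to a former supplier", True,
                     "Bank details of 40 staff disclosed to an external party",
                     notified_at=datetime(2025, 10, 16, 11, 0, tzinfo=UTC)),
    ]


def deadline_for(ref: str) -> str:
    """ISO-8601 ICO deadline for one sample incident."""
    record = next(r for r in sample_register() if r.ref == ref)
    return record.ico_deadline.isoformat()


def report(now_iso: str) -> dict[str, str]:
    """Status of every sample incident as seen at `now_iso` (which must carry a UTC offset)."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        raise ValueError("now_iso must include a UTC offset")
    return {r.ref: r.status(now) for r in sample_register()}


if __name__ == "__main__":
    for ref, state in report("2025-10-10T12:00:00+00:00").items():
        print(ref, state, "deadline", deadline_for(ref))
```

The register deliberately refuses records without a rationale, because the answer a regulator wants for a non-reported incident is the written reasoning, not the absence of a report; and it keeps occurrence and awareness as separate fields so that the detection gap is visible in the log rather than hidden by a single "date" column.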

37. What bearing does this have on day-to-day personal data breach risk assessments?

    The evolving case law suggests a lower threshold for what counts as “harm,” which means organisations may need to take a more cautious approach when assessing risk. That does not mean reporting every incident, but it does mean documenting your reasoning more carefully, especially when deciding not to report: record what data was involved, who could have seen it, what you did to contain it and why you concluded the risk was low.

38. When different departments within an organisation use different CRMs and there is no systems integration, who is responsible if there are data inaccuracies?

    The organisation as a whole remains the controller and is responsible for ensuring accuracy, regardless of departmental silos. Internally, clear governance is needed, such as assigning responsibility to a central data protection lead, to prevent gaps where different systems overlap. Unintegrated systems also make it harder to find all of an individual’s data for a DSAR or an erasure request, which is a further reason to map where each category of data is held.

As these questions demonstrate, DUAA does not replace the fundamentals of good data protection practice but it does clarify and sharpen them. Organisations that focus on transparency, accountability and proportionality will be well-placed to both comply with the law and make the most of the opportunities DUAA offers. We’ll continue to monitor guidance from the ICO and the courts and share updates as the landscape evolves.

Don’t miss our DUAA FAQ guide based on all the questions we received from participants upon registering for the DUAA webinar. Download it here.