VinciWorks survey reveals that fewer than 2% of organisations are fully ready for the Data Use and Access Act, with staff training emerging as the single biggest compliance gap.
New research conducted by VinciWorks, the compliance training and software provider, has revealed that the majority of UK organisations are unprepared for the Data Use and Access Act (DUAA), with widespread uncertainty and a critical lack of training, leaving companies exposed to compliance breaches.
The survey of 373 compliance professionals found that just 1.6% of organisations say they are fully ready for the new law, which will replace parts of the UK GDPR in 2025. Almost three-quarters (77%) admit they are either not prepared, unsure, or only beginning preparations.
47% of respondents cited updating governance, training and vendor management as their biggest challenge. Meanwhile, 39% said their top priority over the next six months is training staff across the business.
‘Human error and mistakes’ remain the top data protection risk, according to 56% of respondents, far ahead of phishing (12%). The results indicate that even well-intentioned employees could generate substantial exposure for their organisations in the absence of adequate awareness and education.
Sector trends indicate that the legal and financial services industries are the least prepared, with fewer than one in twenty ready for DUAA compliance. The education sector, while more aware, shows high levels of uncertainty – 30% say they are “not sure” how to assess their readiness.
Nick Henderson-Mayo, Head of Compliance at VinciWorks, said: “Most cyber compliance failures start with human error, and our research shows that awareness is the missing piece, not technology. Organisations can’t rely on IT systems alone; they need to build a culture of understanding and accountability across every team.”
“The organisations investing in better training and awareness throughout the employee lifecycle will be the ones who avoid fines, and build lasting trust with clients and regulators.”
As organisations face changing data accountability under the DUAA, VinciWorks is calling on HR, L&D and compliance teams to prioritise training and governance updates immediately.
How VinciWorks can help your organisation prepare for DUAA compliance
VinciWorks offers a complete suite of training, tools and resources to help organisations meet the requirements of the Data Use and Access Act (DUAA) and maintain compliance with the UK GDPR framework.
UK GDPR and DUAA Training Courses
Ensure staff at all levels understand their data protection obligations under UK GDPR and the DUAA. VinciWorks’ interactive, fully customisable courses are designed to build practical awareness and accountability across every team.
Free Guide to the Data Use and Access Act 2025
This practical guide breaks down the key changes introduced by the DUAA, including new lawful bases for data processing; how rules on cookies, marketing and AI are evolving; what DUAA means for international data transfers; key compliance actions and sector-specific impacts; and a practical checklist.
Omnitrack GDPR Registers Workflow Solution
VinciWorks’ Omnitrack platform simplifies DUAA and GDPR compliance by centralising data registers, DSAR management, breach logs and accountability reporting – ensuring your governance frameworks are ready for regulatory scrutiny.