There is a lot of noise around the Data (Use and Access) Act (DUAA) at the moment.
New requirements. More guidance. Plenty of “what’s changed” summaries.
But the real shift is not what’s been added. It is what is now being expected. Because DUAA does not completely change the rules. It changes how closely those rules are looked at. And for many organisations, that is where things start to unravel.
6 core areas of DUAA compliance organisations must revisit
1. Data Protection Complaints Processes
The part no one is really talking about
From June 2026, organisations must have a formal data protection complaints process.
That sounds simple. In reality, most organisations do not have one. They have:
- a shared inbox
- a few people who pick things up
- no consistency
- no tracking
That’s not a process; it is reactive handling.
DUAA shifts this into something structured and accountable. Which means:
- complaints need to be logged
- responses handled without undue delay (typically within one month)
- issues addressed before they escalate to the Information Commissioner’s Office (ICO)
And importantly, this includes things organisations do not always treat as “complaints”.
For example:
“Why do you have my data?”
“Delete my information.”
If that lands in an inbox and sits there, that is already a problem.
2. Cross-border data transfers
DUAA doesn’t rewrite the UK GDPR framework. It reinforces it. Cross-border data transfers, for example, are unchanged: adequacy decisions, IDTAs and safeguards still apply. But what has changed is expectation.
Organisations are expected to:
- understand where their data is
- know who can access it (including from other countries)
- be able to explain it clearly
So if your UK data is accessed by a team in the US, that is not new.
But being vague about it no longer sits comfortably.
3. Legitimate interests under DUAA
“Legitimate interests” is still one of the most relied-on lawful bases. And one of the least understood.
What we often see:
- no documented balancing test
- template wording reused
- unclear reasoning
DUAA does not remove it; it raises the bar on explaining it.
A simple rule: if you cannot explain your reasoning clearly and simply, it probably needs more work.
4. Data Retention Risks
The quiet issue: keeping too much data. Most organisations do not actively decide to keep unnecessary data.
It just builds up.
“Keep it just in case.” “Storage is cheap.” “We might need it later.”
But “just in case” is not a lawful basis.
DUAA reinforces something simple: data use should be intentional, not passive.
If you cannot clearly answer: “What is this data for today?”
…it’s worth questioning why it is still there.
5. Children’s Data and Online Services
Children’s data: clarity actually means clarity
Another area seeing more focus is children and online services.
This is not new but expectations are becoming more practical.
If children are using your service:
- privacy information must be understandable to them
- data use must be fair and appropriate
Not written for lawyers. Not written for adults. Actually understandable.
6. Automated Decision-Making (ADM) and AI
DUAA clarifies expectations around automated decision-making.
If decisions are made without meaningful human involvement and can have a significant effect on individuals, safeguards must be in place.
This includes:
- the ability to request human review
- the ability to challenge decisions
- transparency on how decisions are made
This isn’t just about “AI companies”. It applies to:
- HR (e.g. screening candidates)
- finance (e.g. credit decisions)
- pricing tools
- marketing profiling
If a system is making decisions about people, you need to be able to explain it.
Policy vs Reality Gap: How is DUAA compliance assessed?
Most organisations are not starting from nothing. They have:
- policies
- procedures
- templates
On paper, everything looks fine. But when you look closer:
- processes are not followed
- decisions are not documented
- teams work differently in practice
DUAA increases focus on what can be demonstrated, not just what exists. And this applies to all organisations. Large organisations are not exempt. They often have more documentation, but also more complexity, more systems, and more room for disconnect.
DUAA Checklist
| Sectors & Professionals | Why DUAA applies to them | What teams need for compliance |
|---|---|---|
| Financial institutions (Credit, insurance, lending) | 1. Automated credit and insurance decisions now require human review rights and explainability. 2. High DSAR volumes from customers; ‘stop the clock’ and ‘reasonable and proportionate search’ provisions are clarified under DUAA. 3. Relies heavily on legitimate interests. | 1. Complaint-Handling Training 2. DUAA Policy Update 3. DSAR Playbook 4. Automated-Decision Making (ADM) Compliance Review |
| Contact centres, Retail, Energy & Utilities (Customer service teams) | 1. The first point of contact for data complaints, DSARs, and “delete my data” requests. 2. High volumes of customer interactions mean unmanaged data queries create compounding ICO escalation risk across the organisation. | 1. Complaint-Handling Training 2. DSAR Playbook 3. Complaint Process Design |
| Schools & Universities, EdTech, Social & Gaming Platforms (Professionals handling Children’s Data) | 1. DUAA explicitly requires services likely used by children to take children’s needs into account in data use decisions. 2. Age Appropriate Design Code (AADC) remains an established ICO standard, and DUAA reinforces consideration of children’s needs. | 1. Children’s Privacy Review 2. AADC Gap Assessment |
| Marketing Teams & Agencies | 1. Cookie consent rules changed, certain statistical and functional cookies may not require prior consent in limited circumstances. 2. When legitimate interests are used for profiling and targeting, a balancing test is still required. However, teams often do not have this procedure in place. 3. Automated marketing profiling triggers ADM safeguards if decisions have a significant effect on individuals. | 1. Cookie & Privacy Audit 2. Legitimate Interests Documentation 3. DUAA Policy Update & Training |
| Human Resources (HR) & People teams | 1. Automated or AI screening and performance tools must now provide the right to request human review and challenge decisions. 2. HR teams typically receive data complaints alongside grievances with no structured separation or tracking. 3. Most HR teams are unaware that employee DSARs are subject to clarified ‘reasonable and proportionate search’ and ‘stop the clock’ provisions under DUAA. | 1. Complaint-Handling Training 2. Update Complaint-Handling Process 3. Update DSAR Policies & Procedures |
How can a DPO help you prepare for DUAA compliance?
DUAA does not introduce a completely new way of working. It does something more direct. It makes organisations prove they are handling data properly in practice, not just on paper! And for many, that is where the real work begins.
Most of the work we do as a Global DPO is not about rewriting policies. It is about sitting in that gap between what is written and what is actually happening. That usually means:
- sense-checking whether things genuinely make sense in practice
- helping teams turn requirements into something workable
- identifying the areas that quietly create risk
And occasionally asking questions like: “why are we keeping this?”
Which, to be fair, does not always make me the most popular person in the room! But it is usually where the useful conversations start.
Because most organisations do not need more documentation. They need clarity, consistency… and a bit of honesty about what is really going on.
Need assistance with DUAA compliance?
Get ready to demonstrate compliance before June 2026 with DPO-led
- team training
- practical workshops
- full policy & procedure development
- full policy & procedure review

Written by
Lynsey Hanson | Global Data Protection Officer
FAQs on DUAA Compliance
What is the Data Use and Access Act (DUAA)?
It is a UK law designed to strengthen how organisations demonstrate accountability when using personal data. It builds on UK GDPR and increases expectations around practical compliance.
When do organisations need a formal complaints process?
From June 2026, organisations must have a structured process to log, track, and respond to data protection complaints.
Does the Act replace UK GDPR?
No. It reinforces existing UK GDPR requirements and raises expectations for how organisations demonstrate compliance.
