The DUAA is not just a legal development. It is a strategic opportunity.
The Data (Use and Access) Act (DUAA), which has just received Royal Assent, may well define the future of UK data governance. Announced as part of the UK’s post-Brexit data reform agenda, DUAA promises to reshape not just legal compliance but how businesses build trust, innovate responsibly, and compete in a data-driven economy.
Unlike the first few years of GDPR, when fear of fines often overshadowed strategic thinking, DUAA offers firms a chance to get ahead by acting now: not just to comply, but to prepare strategically for the future. According to the ICO, the changes will be phased in between June 2025 and June 2026.
Waiting for secondary legislation to set out the implementation details risks leaving businesses at a disadvantage. Instead, organisations should seize this moment to review, refresh and future-proof their data practices, especially given the changes expected to the UK GDPR and the Privacy and Electronic Communications Regulations (PECR). Here are a few ways organisations can prepare for the Data (Use and Access) Act.
Review DSARs
First, organisations should anticipate regulatory scrutiny by re-evaluating their data subject access request (DSAR) procedures. The Act signals clearly that UK regulators want to reduce the administrative burden on organisations; that does not mean lower expectations of transparency. If anything, DSARs are likely to remain a flashpoint for enforcement, so mapping every DSAR touchpoint will be crucial.
Companies must ensure that their DSAR workflows are not only technically robust and able to meet statutory deadlines, but also user-centric and fair. Automating parts of the response process, such as identity verification and redaction, can help, but human oversight remains essential: an identity check that is too weak turns a DSAR into a disclosure of personal data to an impersonator, and redaction that misses another individual's data is itself a breach.
Assess the use of automated decision-making technologies
With digital identity verification and data-sharing frameworks being embedded into law, compliance teams should reassess their use of automated decision-making technologies. The Act relaxes some of the GDPR-era constraints, but this should not be mistaken for absolute latitude.
Businesses using profiling or algorithmic decision tools will need clear records of their logic, human review mechanisms and a justifiable lawful basis for each use. This applies particularly to businesses in sectors such as finance, recruitment and insurance. Accountability, explainability and fairness will still matter, even if the legislative tone shifts toward encouraging innovation.
Scenario testing and readiness drills
Consider running DUAA scenario exercises, for example, testing how your organisation would respond to complex DSARs or how you would justify an automated decision if challenged. These exercises can uncover weaknesses and provide valuable insights for improvement.
Track cookies and marketing
As for cookies and electronic marketing, the amended PECR rules are expected to permit more user-friendly approaches to consent in low-risk contexts. Many companies are currently over-reliant on generic banners and lack a well-documented lawful basis for tracking or outreach.
It’s essential to re-audit your website tracking, marketing data flows, and consent records, especially where you rely on legitimate interests or bundled consent mechanisms. Regulator expectations are becoming increasingly sophisticated, and a superficial approach won’t be accepted.
Update governance
Additionally, governance needs to keep up with legislative changes. This means updating your records of processing activities (ROPAs), data protection impact assessments (DPIAs), and training programmes to reflect the current law and its future direction.
Senior leadership must be informed about the strategic risks and opportunities posed by the Act, and internal accountability frameworks must be able to adapt and evolve accordingly.
Employee training and awareness
Training employees on the new legislation will be vital. DUAA readiness is not solely the preserve of compliance teams. All staff who handle personal data, from customer service agents to marketing teams, must understand the Act's key provisions. This includes updating training for employees across departments on lawful bases for processing, the new digital ID frameworks, and the correct handling of DSARs.
Embedding DUAA-specific content into existing GDPR training or running targeted workshops for high-risk functions, e.g. marketing, will help ensure consistency and reduce the risk of accidental breaches.
Vendor and supply chain reviews
The DUAA will affect not only internal data practices but also how businesses work with vendors, processors, and data-sharing partners. Now is the time to review contracts, data-sharing agreements, and processor due diligence to ensure that third parties can meet your standards under the new law. A robust supply chain compliance check can help prevent weak links that expose your organisation to enforcement or reputational harm.
Board-level engagement
Senior leadership buy-in is essential. Data protection under DUAA should be viewed by the board as both a risk and an opportunity. Organisations should brief their boards on DUAA's strategic implications, set clear accountability for implementation, and ensure that privacy and innovation strategies align. This will foster a culture where data ethics is not just an operational concern but a competitive advantage. It also lets senior leadership reinforce the importance of employees completing the necessary training and understanding DUAA, so that data is handled securely and appropriately throughout the organisation.
It is possible to thrive under DUAA, but only if your organisation treats compliance as a strategic advantage. That means embedding privacy, transparency and accountability into the heart of your operations. If you delay taking this approach or, worse, settle for a tick-box exercise, you will likely find your organisation struggling to adapt and facing not only heightened regulatory scrutiny but also growing demands from customers and the public for responsible data practices.
The DUAA should not be viewed as a compliance headache but rather as a catalyst for smarter, more ethical, and more resilient data strategies. Organisations that invest now in meaningful reforms will find themselves well-placed to navigate the shifting regulatory landscape, for example, by rethinking DSAR processes and automated decision-making, as well as re-auditing marketing consent frameworks and updating training. They will also earn the trust of customers, partners, and regulators.
We now live in a world where data protection is increasingly a differentiator. In this environment, the winners will be those who move first, think deeply, and embed compliance into the DNA of their operations. The DUAA is not just a legal development. It is a strategic opportunity.
Written by
Naomi Grossman
Compliance Manager
VinciWorks