The Information (Use and Entry) Act 2025 (DUAA) is greater than a technical modification to UK knowledge legislation. It’s a structural shift in how companies deal with, share, and reuse info. Whereas framed as a driver of innovation and competitors, DUAA introduces sharper compliance calls for, contemporary litigation dangers, and expanded enforcement powers for the Data Commissioner’s Workplace (ICO).
For organisations, the speedy hazard lies not within the long-term structure of Sensible Information schemes or digital identification frameworks, however within the gray zones of implementation, the place disputes, penalties, and claims will come up first.
VinciWorks has recognized a 16,000% month-on-month improve in Google searches for “Information Use and Entry Act” in June 2025, the month the laws grew to become legislation on 19 June. This spike highlights how critically UK organisations are taking the modifications to knowledge safety legislation.
In apply, DUAA compliance might be judged not simply on written insurance policies however on the credibility of processes underneath stress, whether or not that be in a compliance interview, a discrimination declare, or the courtroom of public opinion. For companies, the strategic alternative is obvious: deal with DUAA not as a technical tweak to GDPR, however as a new compliance regime requiring early, seen funding. Those that achieve this will mitigate danger, keep away from expensive disputes, and place themselves to grab the Act’s supposed upside: knowledge innovation.
Sensible knowledge schemes and entry disputes
Sensible Information schemes that are initially voluntary, however will quickly be necessary in sure sectors, are designed to permit prospects and authorised third events entry to utilization, pricing, and efficiency knowledge. However the very act of opening datasets creates vulnerabilities:
Danger
Wrongful refusals: If a enterprise denies entry to a authentic request, it dangers enforcement motion or civil claims.
Over-disclosure: Conversely, disclosing commercially delicate or private knowledge to an unauthorised occasion might set off breach of confidence, contractual disputes, or UK GDPR violations.
ICO enforcement: The regulator now has necessary compliance interview powers, backed by legal legal responsibility for false statements.
Mitigation
Entry request triage: Construct a devoted workflow just like DSAR procedures that flags, validates, and information each incoming request.
Authorized overview checkpoints: For borderline instances, escalate to authorized counsel earlier than knowledge is disclosed.
Contractual readability: Replace buyer contracts and provider phrases to mirror DUAA rights and obligations, decreasing ambiguity in disputes.
Board oversight: Guarantee senior administration visibility of Sensible Information compliance, given the reputational dangers of early enforcement motion.
Automated decision-making and civil legal responsibility
DUAA replaces the inflexible Article 22 UK GDPR ban with a extra permissive framework. Automated decision-making (ADM) is now lawful in additional eventualities, offered safeguards exist. However this loosening truly heightens litigation dangers:
Danger
Regulatory danger: The ICO can positive organisations as much as 4% of world turnover for failures in ADM safeguards.
Civil litigation: People denied jobs, loans, or insurance coverage cowl by automated methods could sue for damages, arguing a scarcity of “significant human involvement.”
Equality legislation publicity: Biased algorithms in HR or monetary companies might result in oblique discrimination claims underneath the Equality Act 2010.
Mitigation
Bias audits: Run algorithmic influence assessments (akin to Information Safety Impression Assessments) that explicitly test for discriminatory outcomes.
Human-in-the-loop protocols: Require human overview of any resolution producing authorized or equally vital results. Doc the method rigorously.
Transparency obligations: Replace privateness notices to elucidate how automated selections are reached, and supply clear attraction mechanisms.
Testing and redress: Pilot ADM methods internally earlier than dwell rollout, and keep a fast-track complaints course of for affected people.
Goal limitation and “appropriate” re-use
One in all DUAA’s extra business-friendly reforms is clarifying when private knowledge could also be reused for brand new functions. But, this flexibility carries danger:
Danger
Over-expansion: Organisations could incorrectly deal with new processing as “appropriate,” significantly the place industrial motives are concerned.
Particular class pitfalls: Reusing delicate knowledge with out satisfying a Schedule 1 DPA 2018 situation exposes organisations to illegal processing claims.
Satellite tv for pc litigation: Rivals, prospects, or marketing campaign teams could use strategic litigation to check the boundaries of DUAA’s compatibility framework.
Mitigation
Compatibility registers: Doc each occasion of additional processing, figuring out lawful bases and safeguards.
Authorized sign-off for particular class knowledge: Require DPO or counsel approval earlier than reusing well being, biometric, or belief-based knowledge.
Conservative software: If doubtful, search consent or depend on a contemporary lawful foundation reasonably than stretching “appropriate” too far.
ICO engagement: Monitor ICO steerage on appropriate functions and align insurance policies rapidly because the regulator clarifies the gray zones.
ICO enforcement and compliance interviews
Maybe DUAA’s most speedy operational menace shouldn’t be novel rights or obligations, however the ICO’s strengthened enforcement toolkit:
Danger
Compliance interviews: Organisations can now be compelled to ship DPOs or executives to interviews, with legal legal responsibility for misstatements.
Fines escalation: Penalties underneath PECR are aligned with UK GDPR ranges, which means as much as 4% of world turnover.
Reputational fallout: ICO investigations are sometimes publicised, creating model injury even earlier than findings are concluded.
Mitigation
Interview readiness: Practice senior workers in regulatory interview protocols. Deal with them as formal, high-risk proceedings akin to FCA interviews in monetary companies.
Governance constructions: Preserve a “single supply of fact” for knowledge governance insurance policies, making certain consistency throughout all regulatory disclosures.
Monetary provisioning: Contemplate constructing regulatory fines and litigation contingencies into danger registers and insurance coverage protection.
Proactive engagement: Voluntary engagement with the ICO on rising compliance challenges can soften enforcement danger.
Rising litigation and reputational hurt
DUAA creates new personal legislation causes of motion and strengthens previous ones. These instances are prone to entice vital publicity, particularly as marketing campaign teams search “check instances” to outline DUAA’s boundaries.
Danger
People can sue for damages arising from illegal automated selections.
Rivals could litigate over misuse of shared knowledge.
Shopper teams could goal unfair refusals of entry or hidden ADM bias.
Mitigation
Early dispute decision: Set up fast-track ADR (various dispute decision) choices for buyer complaints earlier than disputes escalate.
Insurance coverage protection: Overview present D&O and cyber insurance policies to make sure they cowl DUAA-related claims.
Reputational planning: Put together communication methods for dealing with regulatory scrutiny or civil claims within the media highlight.
What to do now: DUAA short-term compliance guidelines
Audit your knowledge entry processes
- Map out the way you deal with incoming knowledge entry requests.
- Construct triage procedures to validate legitimacy and log refusals or disclosures.
- Replace buyer and provider contracts to mirror DUAA rights and obligations.
Strengthen Automated Choice-Making (ADM) safeguards
- Conduct algorithmic bias and equity audits.
- Implement “human-in-the-loop” overview for any vital ADM selections.
- Revise privateness notices to elucidate automated selections and supply attraction routes.
Handle additional processing and reuse
- Create a compatibility register documenting lawful bases for all secondary makes use of.
- Require DPO/authorized sign-off earlier than reusing particular class knowledge.
- Use consent or new lawful bases the place compatibility is unsure.
Put together for ICO enforcement powers
- Practice senior workers on easy methods to deal with compliance interviews.
- Preserve a single, correct governance document for all knowledge insurance policies.
- Overview insurance coverage insurance policies and provision for potential fines or disputes.
Anticipate litigation and reputational dangers
- Set up ADR or fast-track decision for buyer complaints.
- Develop a communications plan for dealing with ICO investigations or civil claims.
- Monitor ICO steerage and sector case legislation to adapt insurance policies rapidly.
Be a part of our free webinar on what’s modified in UK knowledge safety on 10 September 2025 at 12pm UK time
The Information (Use and Entry) Act 2025 (DUAA) is greater than a technical modification to UK knowledge legislation. It’s a structural shift in how companies deal with, share, and reuse info. Whereas framed as a driver of innovation and competitors, DUAA introduces sharper compliance calls for, contemporary litigation dangers, and expanded enforcement powers for the Data Commissioner’s Workplace (ICO).
For organisations, the speedy hazard lies not within the long-term structure of Sensible Information schemes or digital identification frameworks, however within the gray zones of implementation, the place disputes, penalties, and claims will come up first.
VinciWorks has recognized a 16,000% month-on-month improve in Google searches for “Information Use and Entry Act” in June 2025, the month the laws grew to become legislation on 19 June. This spike highlights how critically UK organisations are taking the modifications to knowledge safety legislation.
In apply, DUAA compliance might be judged not simply on written insurance policies however on the credibility of processes underneath stress, whether or not that be in a compliance interview, a discrimination declare, or the courtroom of public opinion. For companies, the strategic alternative is obvious: deal with DUAA not as a technical tweak to GDPR, however as a new compliance regime requiring early, seen funding. Those that achieve this will mitigate danger, keep away from expensive disputes, and place themselves to grab the Act’s supposed upside: knowledge innovation.
Sensible knowledge schemes and entry disputes
Sensible Information schemes that are initially voluntary, however will quickly be necessary in sure sectors, are designed to permit prospects and authorised third events entry to utilization, pricing, and efficiency knowledge. However the very act of opening datasets creates vulnerabilities:
Danger
Wrongful refusals: If a enterprise denies entry to a authentic request, it dangers enforcement motion or civil claims.
Over-disclosure: Conversely, disclosing commercially delicate or private knowledge to an unauthorised occasion might set off breach of confidence, contractual disputes, or UK GDPR violations.
ICO enforcement: The regulator now has necessary compliance interview powers, backed by legal legal responsibility for false statements.
Mitigation
Entry request triage: Construct a devoted workflow just like DSAR procedures that flags, validates, and information each incoming request.
Authorized overview checkpoints: For borderline instances, escalate to authorized counsel earlier than knowledge is disclosed.
Contractual readability: Replace buyer contracts and provider phrases to mirror DUAA rights and obligations, decreasing ambiguity in disputes.
Board oversight: Guarantee senior administration visibility of Sensible Information compliance, given the reputational dangers of early enforcement motion.
Automated decision-making and civil legal responsibility
DUAA replaces the inflexible Article 22 UK GDPR ban with a extra permissive framework. Automated decision-making (ADM) is now lawful in additional eventualities, offered safeguards exist. However this loosening truly heightens litigation dangers:
Danger
Regulatory danger: The ICO can positive organisations as much as 4% of world turnover for failures in ADM safeguards.
Civil litigation: People denied jobs, loans, or insurance coverage cowl by automated methods could sue for damages, arguing a scarcity of “significant human involvement.”
Equality legislation publicity: Biased algorithms in HR or monetary companies might result in oblique discrimination claims underneath the Equality Act 2010.
Mitigation
Bias audits: Run algorithmic influence assessments (akin to Information Safety Impression Assessments) that explicitly test for discriminatory outcomes.
Human-in-the-loop protocols: Require human overview of any resolution producing authorized or equally vital results. Doc the method rigorously.
Transparency obligations: Replace privateness notices to elucidate how automated selections are reached, and supply clear attraction mechanisms.
Testing and redress: Pilot ADM methods internally earlier than dwell rollout, and keep a fast-track complaints course of for affected people.
Goal limitation and “appropriate” re-use
One in all DUAA’s extra business-friendly reforms is clarifying when private knowledge could also be reused for brand new functions. But, this flexibility carries danger:
Danger
Over-expansion: Organisations could incorrectly deal with new processing as “appropriate,” significantly the place industrial motives are concerned.
Particular class pitfalls: Reusing delicate knowledge with out satisfying a Schedule 1 DPA 2018 situation exposes organisations to illegal processing claims.
Satellite tv for pc litigation: Rivals, prospects, or marketing campaign teams could use strategic litigation to check the boundaries of DUAA’s compatibility framework.
Mitigation
Compatibility registers: Doc each occasion of additional processing, figuring out lawful bases and safeguards.
Authorized sign-off for particular class knowledge: Require DPO or counsel approval earlier than reusing well being, biometric, or belief-based knowledge.
Conservative software: If doubtful, search consent or depend on a contemporary lawful foundation reasonably than stretching “appropriate” too far.
ICO engagement: Monitor ICO steerage on appropriate functions and align insurance policies rapidly because the regulator clarifies the gray zones.
ICO enforcement and compliance interviews
Maybe DUAA’s most speedy operational menace shouldn’t be novel rights or obligations, however the ICO’s strengthened enforcement toolkit:
Danger
Compliance interviews: Organisations can now be compelled to ship DPOs or executives to interviews, with legal legal responsibility for misstatements.
Fines escalation: Penalties underneath PECR are aligned with UK GDPR ranges, which means as much as 4% of world turnover.
Reputational fallout: ICO investigations are sometimes publicised, creating model injury even earlier than findings are concluded.
Mitigation
Interview readiness: Practice senior workers in regulatory interview protocols. Deal with them as formal, high-risk proceedings akin to FCA interviews in monetary companies.
Governance constructions: Preserve a “single supply of fact” for knowledge governance insurance policies, making certain consistency throughout all regulatory disclosures.
Monetary provisioning: Contemplate constructing regulatory fines and litigation contingencies into danger registers and insurance coverage protection.
Proactive engagement: Voluntary engagement with the ICO on rising compliance challenges can soften enforcement danger.
Rising litigation and reputational hurt
DUAA creates new personal legislation causes of motion and strengthens previous ones. These instances are prone to entice vital publicity, particularly as marketing campaign teams search “check instances” to outline DUAA’s boundaries.
Danger
People can sue for damages arising from illegal automated selections.
Rivals could litigate over misuse of shared knowledge.
Shopper teams could goal unfair refusals of entry or hidden ADM bias.
Mitigation
Early dispute decision: Set up fast-track ADR (various dispute decision) choices for buyer complaints earlier than disputes escalate.
Insurance coverage protection: Overview present D&O and cyber insurance policies to make sure they cowl DUAA-related claims.
Reputational planning: Put together communication methods for dealing with regulatory scrutiny or civil claims within the media highlight.
What to do now: DUAA short-term compliance guidelines
Audit your knowledge entry processes
- Map out the way you deal with incoming knowledge entry requests.
- Construct triage procedures to validate legitimacy and log refusals or disclosures.
- Replace buyer and provider contracts to mirror DUAA rights and obligations.
Strengthen Automated Choice-Making (ADM) safeguards
- Conduct algorithmic bias and equity audits.
- Implement “human-in-the-loop” overview for any vital ADM selections.
- Revise privateness notices to elucidate automated selections and supply attraction routes.
Handle additional processing and reuse
- Create a compatibility register documenting lawful bases for all secondary makes use of.
- Require DPO/authorized sign-off earlier than reusing particular class knowledge.
- Use consent or new lawful bases the place compatibility is unsure.
Put together for ICO enforcement powers
- Practice senior workers on easy methods to deal with compliance interviews.
- Preserve a single, correct governance document for all knowledge insurance policies.
- Overview insurance coverage insurance policies and provision for potential fines or disputes.
Anticipate litigation and reputational dangers
- Set up ADR or fast-track decision for buyer complaints.
- Develop a communications plan for dealing with ICO investigations or civil claims.
- Monitor ICO steerage and sector case legislation to adapt insurance policies rapidly.
