Short answer: The Data Use and Access Act 2025 (DUAA) will reshape how public bodies and private companies collect, share, and protect data. It’s about trust, transparency, and accountability — not just technology. To comply, your organisation needs a clear understanding of what data you hold, where it lives, and who has access to it.
What is the Data Use and Access Act 2025?
The DUAA is new data legislation and part of the UK government’s ambition to unlock the value of data while maintaining public trust. It’s designed to make data sharing between the public and private sectors safer, fairer, and more consistent — especially when it comes to research, innovation, and public service delivery. In practice, the Act builds on the principles of UK GDPR and the National Data Strategy, focusing on:
- Responsible data access and use across sectors.
- Clear governance for when, how, and why data can be shared.
- Transparency and accountability, so citizens know their data is handled properly.
Studies show that almost 50% of UK companies have experienced a cyber attack (source: www.gov.uk).
Why DUAA matters for your company
For both public bodies and private organisations, the DUAA is more than just another data law. It introduces new expectations for data stewardship — requiring stronger controls, clearer documentation, and demonstrable accountability across every data process. You’ll be expected to:
- Demonstrate why and how data is shared or accessed externally.
- Maintain accurate records of access, processing, and sharing activities.
- Protect and classify sensitive data consistently across systems and teams.
- Enable lawful and ethical data sharing that supports innovation, efficiency, and public trust.
In other words: DUAA compliance isn’t only about protection — it’s about building confidence in how data is managed and used across all sectors.
How to comply with the Data Use and Access Act in practice
Meeting the DUAA requirements doesn’t happen overnight — but it’s manageable with a structured approach. Here’s how your company can prepare step by step:
1. Map your data landscape
Identify all data assets across departments and systems. Include shared drives, archives, and cloud storage.
2. Classify and label sensitive data
Distinguish between personal, confidential, and non-sensitive data. This helps define what can (and cannot) be shared.
3. Define lawful purposes for access and sharing
Ensure every data-sharing activity has a documented purpose, a lawful basis, and a clear governance owner.
4. Update data sharing agreements
Review existing contracts and sharing frameworks to align with DUAA’s accountability requirements. The ICO provides official guidance on data sharing.
5. Monitor access and maintain audit trails
Implement systems that log who accesses data, when, and for what reason — essential for DUAA compliance and transparency.
6. Train your teams
Ensure that data owners, IG officers, and operational staff understand what DUAA means for their day-to-day work.
7. Review regularly
DUAA compliance is not a one-off exercise. Regular data scans and governance reviews keep your organisation compliant and ready for audit.
These steps align with good information governance practice and give you a strong foundation before the Act comes fully into effect.
The practical challenge: knowing your data
Most companies already manage vast amounts of data — spread across systems, departments, and shared drives. That’s where compliance gets complicated. Common challenges include:
- Unstructured data stored in files, folders, and emails.
- Sensitive information mixed with general operational data.
- Unclear ownership and retention practices.
- Limited visibility into who has access to what.
DUAA compliance starts with visibility. If you don’t know what you hold, you can’t govern, protect, or share it responsibly.
FAQ on DUAA
1. Does DUAA replace GDPR?
No. DUAA complements UK GDPR and other data protection laws. It focuses on how data is accessed and shared, not on the core principles of data protection.
2. Which public bodies are covered by DUAA?
All public authorities that hold, share, or use data for public functions or partnerships — including local councils, NHS organisations, and regulatory agencies.
3. How can local authorities prepare for DUAA?
Start by mapping and classifying your data holdings. Identify sensitive or personal data and ensure access controls are in place. Tools like DataMapper make this process fast and automated.
4. What’s the difference between DUAA and the Data Protection and Digital Information Bill?
The Digital Information Bill focuses on reforming data protection rules. DUAA focuses on how public and private sectors share and access data responsibly.
The smart way to comply with DUAA
Before you can comply with DUAA — or any data regulation — you need to know what data you actually hold. At Safe Online we offer a GDPR Risk Assessment which gives you that overview. The assessment scans your systems, identifies sensitive content, and shows you where your biggest risks are. You’ll get a clear report that answers:
- How much GDPR data you have
- What types of sensitive data you store
- Who or what poses the highest data risk
- How to reduce that risk effectively
Sebastian Allerelli
Founder & COO at Safe Online
Sebastian is the co-founder and COO of Safe Online, where he focuses on automating processes and developing innovative solutions within data protection and compliance. With a background from Copenhagen Business Academy and experience within identity and access management, he has a keen understanding of GDPR and data security. As a writer on Safe Online's Knowledge Hub, Sebastian shares his expertise through practical advice and in-depth analysis that help companies navigate the complex GDPR landscape. His posts combine technical insight with business understanding and provide concrete solutions for effective compliance.