
An Act of Innovation: Data Use and Access Act 2025

The Data Use and Access Act (DUAA) has been designed to promote innovation and economic growth by simplifying data access and its uses – all while strengthening consumer protection.

The Data Use and Access Bill took effect and became an Act in August 2025, with plans for a phased introduction to run until June 2026. 

Yet, despite this phased approach, if organisations want to reap the benefits of the Act they must take note now. Let’s have a look at four things business leaders need to know about the DUAA. 

1. Smart Data Schemes

The government will unveil new Smart Data Schemes as a part of the Act’s rollout. Open Banking – a secure system which enables financial data to be shared between customers and authorised third-party providers – was the first scheme of this kind. And it’s already driving results. For example, one bank was able to reduce the time needed for mortgage applications from 90 minutes to just 15 minutes using open banking, Sales Cloud and Service Cloud.

The schemes – as part of the DUAA – will work in tandem with the Act to enable businesses to securely share customers’ data with authorised third parties (ATPs). These verified, third-party providers can use the data to customise product and service offerings, much like an algorithm suggesting content on social media. The schemes also give power back to consumers, as they have more control over their own data, deciding whether or not to share it with ATPs.

2. Simplified subject access

The DUAA amends – but doesn’t replace – the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR).

Subject access requests (also known as the right of access) give consumers the right to ask for a copy of their personal data and other related information. The DUAA makes the time limits for organisations to respond to subject access requests clearer with a “stop the clock” rule, which allows them to pause response times if more information from the requestor is needed. The DUAA also allows for a more business-friendly approach to the searches associated with these requests, now permitting businesses to conduct ‘reasonable and proportionate’ searches to fulfil them.

3. ‘Recognised Legitimate Interests’

The Act introduces a new concept called ‘recognised legitimate interests’. When an organisation uses personal information for certain recognised interests – such as crime prevention, safeguarding, or responding to emergencies – it often does so using the legal basis of ‘legitimate interest’, which requires a balancing test of interests before it can be relied on. The DUAA removes the requirement to perform a detailed balancing test for purposes on the statutory fixed list of ‘recognised legitimate interests’.

This change is designed to directly impact businesses by giving them greater confidence in how they process and share personal data for specific purposes. That means businesses can use a more streamlined process when handling personal data in specific circumstances. For example, when protecting public security, an organisation can now process data with more clarity and less administrative burden.

4. Digital Verification Services

The new framework for Digital Verification Services allows businesses to rely on certified digital identity services instead of just physical documents. This change makes it easier and more secure for companies to verify a person’s identity or attributes, such as age or professional qualifications.

By using a trust framework, businesses can streamline processes like onboarding new customers or employees. This reduces friction and makes transactions quicker and more secure without the need for physical documents to be handled.

Plus, businesses that provide digital identity and verification services now have a clear path to get certified and offer their services to a wider market. This creates a new, regulated space for innovation within the digital identity sector.

Opportunities for innovation

The DUAA presents an opportunity for businesses to get ahead by innovating, increasing productivity, and using AI to make automated decisions. It’s about helping organisations improve, not about imposing limitations.

The regulation has been designed to help organisations activate data to its full potential, safely and securely. But it’s only by knowing and applying these changes effectively that organisations can make the most of the renewed push for innovation.
