1 of 6: What Is the Data Use and Access Act 2025 (DUAA)?

The Data Use and Access Act 2025 (DUAA) is a landmark UK law that regulates access, sharing, and processing of data across sectors. Learn what DUAA is and how it complements GDPR.

The Data Use and Access Act 2025 (DUAA) is a new UK legal framework designed to regulate how organisations access, share, and use personal and non-personal data. Building on the foundations of the UK GDPR and the Data Protection Act 2018, the DUAA aims to bring clarity and legal certainty to modern data use — especially for cross-sector and public-private data flows.

🔍 Why Was the DUAA Introduced?

While the UK GDPR remains the cornerstone of individual data protection rights, it was never designed to address the growing demand for controlled, lawful data sharing between organisations. The DUAA fills that gap by:

  • Clarifying the legal basis for sharing data between sectors
  • Creating oversight structures for high-risk data access agreements
  • Facilitating data use in the public interest (e.g. research, innovation, public safety)

In short, DUAA is intended to support data-driven innovation, while reinforcing public trust through transparency, accountability, and stronger governance.

🏛️ How DUAA Relates to UK GDPR

It’s important to understand that the DUAA does not replace the UK GDPR. Instead, it operates alongside it, focusing more on the conditions and controls for data access and re-use — especially where multiple organisations are involved.

For example, under DUAA, an organisation may enter into a Data Access Arrangement (DAA) when sharing data with another party, subject to governance, auditability, and approval requirements depending on the sensitivity or risk level.

⚠️ Who Needs to Pay Attention?

The DUAA applies to a wide range of sectors, but is particularly relevant to:

  • Companies handling sensitive or high-volume data
  • Public sector bodies and regulators
  • Professional services firms advising on data strategy or compliance
  • Risk, compliance, and data governance teams

💡 Tip:

Don’t assume that GDPR compliance means you’re covered under DUAA. Start by identifying where your organisation shares data with third parties, especially in multi-agency or cross-border contexts. Those are likely to be in DUAA scope.
