4 of 6: What Is a DUAA Access Arrangement and When Do You Need One?

ByPrivacyiQ

An Access Arrangement under the DUAA is a legal requirement for many data-sharing activities. Find out when your company needs one and what it must include.

One of the cornerstones of the Data Use and Access Act 2025 (DUAA) is the concept of an Access Arrangement. This formal document governs how data is shared and used between organisations. Getting this right is essential for companies managing data partnerships or external data processing.

đź“„ What Is a DUAA Access Arrangement?

An Access Arrangement is a contract or written agreement that sets out the legal, technical, and governance terms for data sharing under the DUAA. It must include key information such as:

  • The type and classification of data being shared
  • The identity and role of each party (data provider / data user)
  • The lawful basis for sharing under UK GDPR
  • Specific purposes for use and any usage limitations
  • Retention period and data destruction requirements
  • Audit, breach reporting, and oversight provisions

đź•’ When Is an Access Arrangement Required?

Under the DUAA, an Access Arrangement is required when:

  • Data is shared between separate legal entities or departments for re-use
  • The use case is classified as high-risk (e.g. AI training, profiling, sensitive data)
  • The data transfer involves automated decision-making or international recipients
  • The data subject would not reasonably expect the sharing or use

Even if the data is pseudonymised, DUAA may still require an Access Arrangement due to its risk-based approach.

⚖️ DUAA vs UK GDPR Contracts

Many companies already use data processing agreements (DPAs) under GDPR. But Access Arrangements go further — they cover data access, purpose boundaries, risk controls, and shared governance, not just processor-controller roles.

Think of Access Arrangements as an additional layer of legal clarity and governance, tailored for complex or high-value data-sharing scenarios.

đź’Ľ Practical Example

A recruitment consultancy shares candidate analytics data with an AI vendor building a skills prediction model. Although a DPA may be in place, the DUAA would require an Access Arrangement to define how long the data can be used, what outcomes are permitted, and how the vendor’s use is audited.

đź’ˇ Tip:

Don’t rely solely on DPAs. If you’re sharing or receiving data outside typical processor relationships, assess whether a DUAA Access Arrangement is needed. Start by reviewing your top 10 data partnerships by volume or risk.

Similar Posts

4 of 5: When Can You Use Automated Decision-Making? Legal Bases and Safeguards Explained
|

4 of 5: When Can You Use Automated Decision-Making? Legal Bases and Safeguards Explained

ByPrivacyiQ

UK GDPR Article 22 restricts automated decisions — but there are exceptions. Learn when you can use automation lawfully and what safeguards you must have in place. Article 22 of the UK GDPR generally prohibits companies from making decisions based solely on automated processing that have a significant or legal effect on individuals. However, there…

5 of 6: High-Risk Data Uses Under the DUAA — What Triggers Extra Oversight?
| |

5 of 6: High-Risk Data Uses Under the DUAA — What Triggers Extra Oversight?

ByPrivacyiQ

Not all data use is equal under the DUAA. Learn how high-risk uses—like AI, profiling, and sensitive data handling—trigger stricter obligations and oversight. The Data Use and Access Act 2025 (DUAA) introduces a risk-based approach to data governance. Certain types of data use are considered high-risk and require additional scrutiny, documentation, and oversight. Understanding what…

3 of 6: Obligations for Data Providers and Data Users under the DUAA

3 of 6: Obligations for Data Providers and Data Users under the DUAA

ByPrivacyiQ

The DUAA introduces specific duties for data providers and data users. Learn what your obligations are and how to structure compliant access arrangements and audits. Under the Data Use and Access Act 2025 (DUAA), organisations must meet specific legal and governance obligations based on their role as either a data provider or a data user….

1 of 5: Understanding the Right to Object Under UK GDPR (Article 21)
|

1 of 5: Understanding the Right to Object Under UK GDPR (Article 21)

ByPrivacyiQ

The UK GDPR grants individuals the right to object to certain types of data processing. Learn what Article 21 means for your company and how to stay compliant. Companies today rely on data to drive decision-making, marketing, and operational efficiency. But under the UK General Data Protection Regulation (UK GDPR), individuals have the right to…

3 of 5: What Article 22 Says About Automated Decisions — and Why It Matters
|

3 of 5: What Article 22 Says About Automated Decisions — and Why It Matters

ByPrivacyiQ

Article 22 of the UK GDPR restricts fully automated decisions that impact individuals. Understand what this means for AI, recruitment tools, and data-driven profiling. As companies adopt automation in everything from hiring to credit scoring, it’s vital to understand the limits imposed by Article 22 of the UK GDPR. This provision protects individuals from being…

6 of 6: Audits, Enforcement, and Penalties Under the DUAA — What Companies Need to Know

6 of 6: Audits, Enforcement, and Penalties Under the DUAA — What Companies Need to Know

ByPrivacyiQ

Non-compliance with the DUAA can lead to fines, audits, and reputational damage. Learn how enforcement works, what to expect in an audit, and how to avoid penalties. The Data Use and Access Act 2025 (DUAA) introduces a new regulatory framework for how companies share and re-use data. But it doesn’t stop at rules — the…