5 of 6: High-Risk Data Uses Under the DUAA — What Triggers Extra Oversight?

ByPrivacyiQ 16 July 202511 July 2025

Not all data use is equal under the DUAA. Learn how high-risk uses—like AI, profiling, and sensitive data handling—trigger stricter obligations and oversight.

The Data Use and Access Act 2025 (DUAA) introduces a risk-based approach to data governance. Certain types of data use are considered high-risk and require additional scrutiny, documentation, and oversight. Understanding what qualifies as high-risk is essential for any company planning to share or re-use data under DUAA.

🚩 What Is “High-Risk” Use Under the DUAA?

DUAA does not use a fixed list of activities that are always considered high-risk. Instead, it relies on context and potential impact. However, the following activities are commonly flagged for enhanced governance:

AI model training using personal or pseudonymised data
Profiling or behavioural analysis for recruitment, credit, or insurance purposes
Sharing sensitive personal data (e.g. health, ethnicity, biometrics)
Cross-sector or international data flows with unclear accountability
Automated decision-making with legal or significant effects on individuals

📋 DUAA Requirements for High-Risk Uses

If your organisation is involved in high-risk data activities, you must go beyond standard GDPR practices. Under DUAA, you may be required to:

Conduct a Data Use Impact Assessment (DUIA), similar to a DPIA
Notify or consult with relevant regulatory bodies
Obtain higher-tier approvals internally before sharing data
Document all processing purposes, legal bases, and safeguards in an Access Arrangement
Establish regular audit or reporting mechanisms for ongoing use

⚠️ Example: High-Risk in Recruitment Analytics

Say a company uses data on past applicants to train an AI model that predicts candidate success. Even if the data is pseudonymised, the model’s outcomes could influence real hiring decisions. This triggers high-risk status under DUAA due to:

Use of AI in decision-making
Potential bias or discrimination risks
Indirect effects on individuals’ opportunities

In this case, a Data Use Impact Assessment, an enhanced Access Arrangement, and clear purpose limits would be mandatory.

🔍 How Is This Different from GDPR?

While the UK GDPR (Article 35) also mandates Data Protection Impact Assessments (DPIAs), the DUAA widens the net by applying to both personal and non-personal data, and by emphasising organisational accountability even where individuals are not directly identifiable.

💡 Tip:

Maintain a risk register of all data uses in your organisation. Flag any activity involving AI, profiling, or sensitive categories for DUAA review. This will help you stay proactive and prevent non-compliance in high-risk areas.

Bright square and speech bubble sign with motivational quotes about mistakes and learning.

DPIA | DPIA Fundamentals

Top 5 Mistakes Companies Make in DPIAs

ByPrivacyiQ 19 June 202517 June 2025

Avoid these common pitfalls and improve the effectiveness of your DPIA process. Top 5 Mistakes Companies Make in DPIAs Even experienced teams stumble with DPIAs. Here are the most common issues we see: A weak DPIA leaves you exposed. Privacy IQ ensures your assessments are tailored, actionable, and regulator-ready.

DPIA | DPIA Fundamentals

When Is a Data Protection Impact Assessment (DPIA) Required?

ByPrivacyiQ 16 June 2025

Not sure when you need to carry out a DPIA? Here’s how professional services firms can stay compliant and reduce risk. Data Protection Impact Assessments (DPIAs) are a legal requirement under the UK GDPR when processing is likely to result in a high risk to individuals’ rights and freedoms. Common DPIA Triggers in Professional Services…

Data Use and Access Act

2 of 6: Key Definitions and Scope of the Data Use and Access Act 2025 (DUAA)

ByPrivacyiQ 12 July 202511 July 2025

Understanding the DUAA starts with the basics. Learn the key definitions—like data user, data provider, access agreement—and the scope of the Data Use and Access Act 2025. The Data Use and Access Act 2025 (DUAA) introduces new terminology and a legal framework that complements existing UK data protection law. To stay compliant, organisations must understand…

Confident woman smiling with boxing gloves and 'be brave' shirt, showcasing empowerment.

DPIA | DPIA Fundamentals

Who Should Sign Off a DPIA?

ByPrivacyiQ 24 June 202518 June 2025

DPIAs aren’t complete until they’re approved — but who’s responsible for sign-off? A DPIA is a formal risk document. It needs input and ownership from the right people: If high risks can’t be mitigated, you may need to consult the ICO before proceeding. Privacy IQ guides teams through sign-off and escalation smoothly.

DPIA | DPIA Fundamentals

Using DPIAs to Improve Decision-Making

ByPrivacyiQ 23 June 202517 June 2025

Go beyond compliance. DPIAs can inform better, more transparent business decisions. DPIAs aren’t just regulatory paperwork — they’re decision-support tools. When used early, they help teams: By identifying blind spots, DPIAs make your business smarter. Privacy IQ helps clients embed DPIAs into every strategic step — not just the risk register.

Automated Decision Making | Data Subject Rights

4 of 5: When Can You Use Automated Decision-Making? Legal Bases and Safeguards Explained

ByPrivacyiQ 25 July 202524 July 2025

UK GDPR Article 22 restricts automated decisions — but there are exceptions. Learn when you can use automation lawfully and what safeguards you must have in place. Article 22 of the UK GDPR generally prohibits companies from making decisions based solely on automated processing that have a significant or legal effect on individuals. However, there…

🚩 What Is “High-Risk” Use Under the DUAA?

📋 DUAA Requirements for High-Risk Uses

⚠️ Example: High-Risk in Recruitment Analytics

🔍 How Is This Different from GDPR?

💡 Tip:

Similar Posts