6 of 6: Audits, Enforcement, and Penalties Under the DUAA — What Companies Need to Know
Non-compliance with the DUAA can lead to fines, audits, and reputational damage. Learn how enforcement works, what to expect in an audit, and how to avoid penalties.
The Data Use and Access Act 2025 (DUAA) introduces a new regulatory framework for how companies share and re-use data. But it doesn’t stop at rules — the Act brings real consequences for organisations that fail to comply. This post outlines how audits are conducted, what enforcement powers exist, and the types of penalties businesses may face.
🕵️‍♀️ How DUAA Audits Work
The DUAA gives regulators the authority to conduct audits to ensure compliance with data sharing and access obligations. These audits may be:
- Proactive: Scheduled assessments of organisations in high-risk sectors or those handling large data volumes
- Reactive: Triggered by complaints, data breaches, or tip-offs from whistleblowers or partners
During an audit, regulators may request:
- Copies of Access Arrangements
- Data Use Impact Assessments (DUIAs)
- Records of data flows, recipients, and internal approvals
- Security policies and logs of data access
⚖️ Enforcement Powers
Regulators under the DUAA have broad powers to enforce compliance, including:
- Issuing enforcement notices requiring remediation within a defined period
- Suspending or restricting data sharing where serious non-compliance is found
- Publishing breaches on a public register of DUAA non-compliance
Enforcement is not just about punishment — it’s about improving practices and protecting data subjects from harm. However, companies that ignore warnings may face serious sanctions.
💸 Penalties and Fines
Where enforcement action is necessary, the DUAA allows for penalties based on severity, intent, and cooperation level. Fines can be significant:
- Up to £10 million or 2% of annual global turnover — whichever is higher — for serious breaches
- Lower-tier penalties for procedural or documentation failures (e.g. missing Access Arrangements)
Unlike penalties under the UK GDPR, DUAA penalties may apply even when personal data is not directly involved: for example, if you re-use anonymised data in an unauthorised high-risk application.
🛡️ Steps to Prepare
- Keep all DUAA documentation up to date — especially Access Arrangements and DUIAs
- Regularly review third-party data use and sharing activity
- Establish a DUAA audit readiness plan, just as you would for financial audits
💡 Tip:
Nominate a DUAA compliance lead in your organisation, especially if you handle complex or cross-sector data flows. This internal champion can centralise oversight and support future audits.
