Audits, Enforcement, and Penalties Under the DUAA — What Companies Need to Know

The Data Use and Access Act 2025 (DUAA) introduces a new regulatory framework for how companies share and re-use data. But it doesn’t stop at rules — the Act brings real consequences for organisations that fail to comply. This post outlines how audits are conducted, what enforcement powers exist, and the types of penalties businesses may face.

🕵️‍♀️ How DUAA Audits Work

The DUAA gives regulators the authority to conduct audits to ensure compliance with data sharing and access obligations. These audits may be:

  • Proactive: Scheduled assessments of organisations in high-risk sectors or those handling large data volumes
  • Reactive: Triggered by complaints, data breaches, or tip-offs from whistleblowers or partners

During an audit, regulators may request:

  • Copies of Access Arrangements
  • Data Use Impact Assessments (DUIAs)
  • Records of data flows, recipients, and internal approvals
  • Security policies and logs of data access

⚖️ Enforcement Powers

Regulators under the DUAA have broad powers to enforce compliance, including:

  • Issuing enforcement notices requiring remediation within a defined period
  • Suspending or restricting data sharing where serious non-compliance is found
  • Publishing breaches on a public register of DUAA non-compliance

Enforcement is not just about punishment — it’s about improving practices and protecting data subjects from harm. However, companies that ignore warnings may face serious sanctions.

💸 Penalties and Fines

Where enforcement action is necessary, the DUAA allows for penalties based on severity, intent, and cooperation level. Fines can be significant:

  • Up to £10 million or 2% of annual global turnover — whichever is higher — for serious breaches
  • Lower-tier penalties for procedural or documentation failures (e.g. missing Access Arrangements)

Unlike the UK GDPR, DUAA penalties may apply even when personal data is not directly involved — for example, if you re-use anonymised data in an unauthorised high-risk application.

🛡️ Steps to Prepare

  • Keep all DUAA documentation up to date — especially Access Arrangements and DUIAs
  • Regularly review third-party data use and sharing activity
  • Establish a DUAA audit readiness plan, just as you would for financial audits

💡 Tip:

Nominate a DUAA compliance lead in your organisation, especially if you handle complex or cross-sector data flows. This internal champion can centralise oversight and support future audits.

Similar Posts