Audits, Enforcement, and Penalties Under the DUAA — What Companies Need to Know
The Data Use and Access Act 2025 (DUAA) introduces a new regulatory framework for how companies share and re-use data. But it doesn’t stop at rules — the Act brings real consequences for organisations that fail to comply. This post outlines how audits are conducted, what enforcement powers exist, and the types of penalties businesses may face.
🕵️♀️ How DUAA Audits Work
The DUAA gives regulators the authority to conduct audits to ensure compliance with data sharing and access obligations. These audits may be:
- Proactive: Scheduled assessments of organisations in high-risk sectors or those handling large data volumes
- Reactive: Triggered by complaints, data breaches, or tip-offs from whistleblowers or partners
During an audit, regulators may request:
- Copies of Access Arrangements
- Data Use Impact Assessments (DUIAs)
- Records of data flows, recipients, and internal approvals
- Security policies and logs of data access
⚖️ Enforcement Powers
Regulators under the DUAA have broad powers to enforce compliance, including:
- Issuing enforcement notices requiring remediation within a defined period
- Suspending or restricting data sharing where serious non-compliance is found
- Publishing breaches on a public register of DUAA non-compliance
Enforcement is not just about punishment — it’s about improving practices and protecting data subjects from harm. However, companies that ignore warnings may face serious sanctions.
💸 Penalties and Fines
Where enforcement action is necessary, the DUAA allows for penalties based on severity, intent, and cooperation level. Fines can be significant:
- Up to £10 million or 2% of annual global turnover — whichever is higher — for serious breaches
- Lower-tier penalties for procedural or documentation failures (e.g. missing Access Arrangements)
Unlike the UK GDPR, DUAA penalties may apply even when personal data is not directly involved — for example, if you re-use anonymised data in an unauthorised high-risk application.
🛡️ Steps to Prepare
- Keep all DUAA documentation up to date — especially Access Arrangements and DUIAs
- Regularly review third-party data use and sharing activity
- Establish a DUAA audit readiness plan, just as you would for financial audits
💡 Tip:
Nominate a DUAA compliance lead in your organisation, especially if you handle complex or cross-sector data flows. This internal champion can centralise oversight and support future audits.
