
While the Employment Rights Bill continues to capture headlines, a quieter but equally crucial piece of legislation, the Data (Use and Access) Act 2025 (DUAA), received Royal Assent earlier this year.
If your HR or legal team is currently drowning in complex Subject Access Requests (SARs) or struggling to keep up with the regulatory burden of legitimate interest assessments, this Act should represent a welcome development.
The Act doesn’t rip up the UK’s existing data protection law. Instead, it makes targeted, practical amendments designed to streamline processes and ease the administrative burden on employers. These changes are being phased in over the next 12 months.
Here is what really matters for employers, and what organisations should tackle right now.
Stop the clock on Subject Access Requests (SARs)
Employee Subject Access Requests (SARs) are becoming increasingly common and complex. In 2023, for example, the Information Commissioner’s Office received more than 15,300 complaints, representing a 13.5% increase from 2022.
SARs often cause internal panic and resource strain. This legislative change is a direct response to that pain point. What it means for organisations:
- The change: The DUAA now gives employers clear legal grounds to pause the 30-day response deadline if the employee’s request is vague, broad, or unclear. You can “stop the clock” while you wait for the requester to clarify exactly which data or processing activities they mean.
- The benefit: This is a major win for managing your time and risk. It prevents your team from having to panic-search based on an ambiguous request, ensuring you meet the deadline fairly once you have all the necessary information.
- Your action plan: Update your SAR policy immediately. Create a straightforward template for asking employees for clarification. Make sure your internal team knows exactly when and how to pause the clock, and what the deadline is once the clarification arrives.
The relief of ‘reasonable and proportionate’ searches
In the past, overly vague SARs sometimes felt like a demand to search every single email, spreadsheet and archived document just in case. The DUAA provides clarity here. What it means for organisations:
- The change: The Act explicitly confirms that you only have to carry out ‘reasonable and proportionate’ searches when responding to a SAR. You are no longer expected to undertake exhaustive, costly hunts for irrelevant data.
- The benefit: This gives employers relief and legal backing to be specific and targeted in their data searches. If an employee asks for “all data,” you can now more confidently document why an exhaustive, month-long search of every server is not a proportionate response.
- Your action plan: Integrate a clear assessment stage into your SAR response process. Before searching, your team should document their decision-making on what data sources will be searched and why, based on what is considered reasonable for that specific request.
Fewer checks for legitimate interests
Employers often rely on the ‘legitimate interests’ lawful basis for common HR activities like internal investigations, staff monitoring, and health and safety compliance. Before, this required a complicated, documented balancing test for every single activity. What it means for organisations:
- The change: The DUAA introduces a list of “recognised legitimate interests” (including crime prevention, safeguarding vulnerable people, and responding to emergencies). If your data processing falls under this list, you can skip the full balancing test.
- The benefit: For essential, low-risk HR activities, this change simplifies compliance and reduces the regulatory risk of getting your lawful basis wrong.
- Your action plan: Review the lawful basis you use for all employee data processing. For any activity that fits the new ‘recognised’ list, update your internal documentation and privacy notices to reflect this new, simpler basis. For everything else, ensure you still have a robust, documented legitimate interest assessment on file.
A formal internal complaints process
The new Act changes how individuals must handle data protection complaints, placing the burden of resolution on the employer first. What it means for organisations:
- The change: Employers now have statutory requirements for handling data protection complaints, including:
  - Providing an electronic or digital complaint form.
  - Acknowledging the complaint within 30 days.
  - Providing a substantive response “without undue delay.”
  - The Information Commission will only take the case if the individual is dissatisfied with your internal response.
- The benefit: By formalising the process, you have an opportunity to resolve issues internally and avoid escalation to the regulator, saving you time and potential fines down the line.
- Your action plan: Audit and update your data protection complaint policy. Create the required electronic form and put a system in place that guarantees the 30-day acknowledgement is met.
AI and automated decision-making
While the new Act encourages the responsible use of AI and ADM in general, it ensures crucial safeguards remain in place when it comes to decisions affecting employees. What it means for organisations:
- The change: The DUAA maintains the requirement for human oversight whenever an automated system makes a ‘significant decision’ about an employee (e.g., in recruitment or performance management), especially when special category data (like health information) is involved.
- The benefit: This clarity allows you to explore the efficiency of AI tools while maintaining a responsible, human-centric approach to key HR outcomes, mitigating the risk of regulatory breaches.
- Your action plan: If you use ADM tools for employee-related decisions, review your entire framework. You must have a Data Protection Impact Assessment (DPIA) and clearly document where human review is required, ensuring transparency with employees about how these tools are used.
Don’t wait for a SAR to land – get in touch
The DUAA represents a major opportunity to reduce compliance friction points and save your team valuable time. Now is the time to update your policies and train your team before these changes come into force.
Want to be certain your team is ready? We can review your SAR processes, deliver practical, targeted training, or carry out a full data protection audit to ensure your organisation is compliant with the DUAA changes.
