What the UK’s New Data (Use and Access) Act 2025 (DUAA) Means for Businesses: Key Provisions Now in Force and What to Do Next


The first provisions of the UK’s Data (Use and Access) Act 2025 (DUAA) came into force on 20 August 2025, two months after the Act received Royal Assent on 19 June 2025. The Act does not replace the UK GDPR or the Data Protection Act 2018 (DPA 2018); it amends them, together with the Privacy and Electronic Communications Regulations (PECR), and it is being commenced in stages by regulations. In this blog post, we will explore the key provisions now in force, practical steps for compliance, and the impact on data protection officers.

Key Provisions of the DUAA

The DUAA introduces several important changes to the data protection landscape in the UK:

  1. Access to Business and Customer Data (“smart data”): Part 1 of the Act gives ministers power to make regulations requiring data holders to provide a customer, or a third party the customer authorizes, with that customer’s data and related business data in a usable, machine-readable form, on the model of Open Banking. The enabling powers are what is now in force; obligations on any particular sector arrive only when a scheme is made for it.

  2. Clarified Rules for Processing Sensitive and Law Enforcement Data: The Act amends the DPA 2018 rules on special category data and on processing by competent authorities for law enforcement purposes, giving organizations a clearer statutory footing for such processing. Organizations relying on these rules should confirm which condition or power they are processing under, since the amendments change the wording rather than remove the need for a lawful basis.

  3. Statutory Duties and Codes of Practice for the Information Commissioner: The Act sets new statutory objectives and duties for the Commissioner and changes how codes of practice are prepared and approved. A later commencement stage is expected to reconstitute the Information Commissioner’s Office (ICO) as the Information Commission; until then, existing ICO guidance and codes continue to apply.

  4. Report on AI Systems’ Use of Copyright-Protected Works: This duty falls on the Secretary of State, not on businesses. The Act requires the government to publish a report on the use of copyright works in the development of AI systems, together with an economic impact assessment, within nine months of Royal Assent. Businesses that train or fine-tune models acquire no new reporting obligation from these sections, but the report is the likely precursor to further rules, so they should already know which copyright works their training pipelines ingest.

  5. Revised Deadlines for Emergency Alerts and Breach Notifications: The Act makes provision for the processing needed to deliver emergency alerts and revises the timing of personal data breach notifications, aligning the PECR regime for telecoms providers with the 72-hour deadline in the UK GDPR. Check the commencement position and the exact deadline for each regime you fall under (UK GDPR, PECR, or Part 3 of the DPA 2018) rather than assuming a single figure.

Practical Steps for Compliance

Organizations should take the following steps to align with the new DUAA requirements:

  • Conduct a Data Audit: Map current processing activities, lawful bases, and data flows against the UK GDPR and DPA 2018 as amended, and note which activities fall under PECR or the law enforcement regime.
  • Update Privacy Notices and Policies: Revise privacy notices and internal policies to reflect the changed rules on data access, sensitive data, and law enforcement processing.
  • Train Staff: Educate employees about the provisions now in force and their responsibilities under the amended law.
  • Inventory AI Training Data: Record which copyright-protected works feed model training or fine-tuning so that you can respond when the government’s copyright and AI report, and any rules that follow it, are published.
  • Enhance Data Breach Response Plans: Confirm which notification regime applies to each system and update the deadlines, escalation paths, and contact details in the incident runbook accordingly.

Impact on Data Protection Officers

Data Protection Officers (DPOs) will see changes in their day-to-day responsibilities, including:

  • Increased Oversight: With the Commissioner’s new statutory duties and codes of practice, DPOs will need to ensure compliance with the UK GDPR and DPA 2018 as amended by the DUAA, not with the DUAA as a separate regime.
  • Focus on AI and IP Compliance: DPOs should track the government’s report on copyright works and AI, keep an inventory of what their organization’s models are trained on, and ensure adherence to intellectual property laws.
  • Proactive Risk Management: The revised breach notification deadlines require DPOs to confirm, before an incident, which deadline applies to each system and who is responsible for meeting it.

Interaction with GDPR

The DUAA does not sit alongside the UK GDPR as a separate regime; it amends the UK GDPR, the DPA 2018, and PECR in place, providing additional clarity and requirements specific to the UK context. Organizations must continue to comply with the UK GDPR as amended, and should read the Act’s provisions together with those texts rather than treating the DUAA as a standalone checklist.

Future Updates and Consultations

Businesses should track upcoming commencement regulations and consultations, including the new “recognized legitimate interests” lawful basis (a defined list of purposes, such as crime prevention and safeguarding, for which no balancing test is required) and the requirement for controllers to operate a complaints procedure for data subjects. Neither was in the first commencement tranche, so their start dates will be set by later regulations. These developments will further shape the data protection landscape in the UK.

Conclusion

The DUAA changes UK data protection law in stages rather than all at once. Organizations that map each commencement tranche to their own processing activities, and update policies, incident runbooks, and training as provisions come into force, can navigate this new regulatory environment effectively.