Cyber Rebels

What You Need to Know About the Data (Use and Access) Act 2025 (DUAA)

UK flag overlaid with binary code


The Data (Use and Access) Act 2025, or DUAA, received Royal Assent on 19 June 2025. Its provisions are being commenced in stages rather than all at once, but it is already reshaping expectations for organisations across every sector, because it changes the rules on how personal data is accessed, used, and protected.

This isn't a standalone replacement for the UK General Data Protection Regulation (UK GDPR) or the Data Protection Act 2018 (DPA 2018). The DUAA amends those laws (and the Privacy and Electronic Communications Regulations, PECR) rather than replacing them, reinforcing them with clearer rules around access, accountability, and digital transparency. It's part of the UK Government's ongoing effort to build trust in the use of personal data while supporting innovation and secure information sharing.

So, What Is the DUAA?

The DUAA is a legislative framework that focuses on ensuring personal data is accessed and used lawfully, proportionately, and securely. It reflects the reality that organisations today process data across cloud platforms, remote teams, mobile apps, AI tools, and interconnected systems that go far beyond traditional data storage.

According to the official government factsheet, the DUAA is about protecting people’s data while making sure organisations can still use it responsibly, for the right reasons, with the right safeguards in place.

This means:

🔹Making sure data access is limited to those who need it and can justify it

🔹Putting robust controls around how data is shared, especially with external partners or systems

🔹Being transparent about how data-driven decisions are made—especially when using automation or AI

🔹And perhaps most importantly, ensuring that everyone in an organisation—not just IT or compliance staff—knows what their role is in protecting that data

It’s a move away from viewing data protection as an isolated policy issue, and toward treating it as an integrated, people-driven responsibility.

The Key Principles of DUAA

While the Act itself is a long piece of amending legislation with many technical and legal elements, its practical impact for most organisations can be summarised under five principles. This is a reading of the Act, not a list the Act sets out in those words, but each principle maps onto obligations that UK GDPR and DPA 2018 already impose and that the DUAA leaves in place or sharpens:

Lawfulness – Organisations must have a clear, justifiable legal basis for accessing or using personal data. The DUAA adds a list of "recognised legitimate interests" (such as certain safeguarding and crime-prevention purposes) that count as a lawful basis without a balancing test, but data still must not be used in ways that contradict individuals' rights under UK GDPR or DPA 2018.

Security – Access to data must be protected through appropriate controls—such as authentication, encryption, monitoring, and role-based access. Staff must also be trained to recognise threats like phishing, social engineering, and internal misuse.

Proportionality – Just because you can access data doesn’t mean you should. The DUAA reinforces the idea that data access must be proportionate to the task, and regularly reviewed.

Transparency – Individuals have the right to understand how their data is being used, especially when decisions are made using automated processes or AI. The DUAA relaxes the old near-prohibition on solely automated decisions for most personal data, but only on condition of safeguards: the person must be told that a decision was automated, be able to make representations and contest it, and be able to obtain human intervention. This includes clear communication around data rights and organisational practices.

Accountability – Organisations must demonstrate that they have systems, training, and safeguards in place—not just policies on paper. This includes being able to evidence staff awareness, access reviews, impact assessments, and breach response readiness.

These aren’t just ideals. Under DUAA, they’re practical expectations. And they apply across every sector—from healthcare and education to retail, finance, manufacturing, and public services.

Why DUAA Demands a Cultural Shift

Here's the truth: most breaches don't happen because of sophisticated hacking tools. Year after year, the majority involve a human element, such as a misdirected email, a reused password, or a click on a phishing link. And the DUAA makes it clear that this is a shared responsibility, one that sits with every organisation, large or small.

At its heart, DUAA is about moving from policy to practice. It builds on existing data protection laws but gives them more structure and, frankly, more bite. It outlines expectations for how organisations access, share, and use data, especially in environments where automation, third-party platforms, and remote working have become the norm.

DUAA calls for greater transparency in decision-making around data—especially where automated systems are involved. It expects organisations to justify not only what data they hold, but why they hold it, how it’s accessed internally, and who is responsible when things go wrong. The old model, where responsibility could be siloed to an IT department or outsourced to a consultant, no longer passes scrutiny. This Act pulls that responsibility out into the open.

It also changes the conversation around accountability. It’s no longer enough to say “we have a data policy.” Under DUAA, organisations must be able to demonstrate that staff are trained, that risks have been assessed, and that those assessments are acted upon in practice—not just written down and filed away.

Where the Real Risk Lies: People, Not Just Systems

We spend a lot of time talking about cyberattacks, ransomware, and technical vulnerabilities. But ask anyone who’s worked in cybersecurity for more than a week and they’ll tell you: the most common cause of a data breach isn’t the technology. It’s the people using it.

Whether it’s someone accidentally emailing sensitive data to the wrong person, clicking on a phishing link, or using a weak password, human error continues to be the most common—and most preventable—threat to information security. That’s what makes DUAA so significant. It acknowledges that no amount of paperwork will prevent an employee from making a mistake unless that employee knows how to spot a risk, understands their role in protecting data, and feels confident enough to act.

And yet, so much of the existing training out there doesn’t work. It’s often dull, irrelevant, or designed to satisfy a compliance requirement rather than actually change behaviour. DUAA puts pressure on businesses to do better. It raises the standard by focusing on what organisations can demonstrate—not just what they claim.

This means the days of once-a-year e-learning modules with a five-question quiz at the end are numbered. If your training doesn't change how your team behaves, it won't hold up under scrutiny. The regulator (the ICO, to be reconstituted as the Information Commission once that part of the Act is commenced) will expect to see real-world awareness and an ability to respond to common data risks, especially those caused by human actions.

DUAA and the Changing Landscape of Work

In May 2018, when the GDPR first came into force in the UK (the separate UK GDPR only came into being at the end of the Brexit transition period in 2021), remote work was relatively niche. Most teams worked from shared offices. IT departments had more control over devices, networks, and access. Fast forward to 2025, and the way we work has fundamentally changed.

Remote and hybrid teams are now commonplace. We jump between cloud platforms, shared drives, mobile apps, and smart devices without blinking. Many businesses have freelancers, contractors, or distributed teams using personal devices for professional tasks. All of this has blurred the lines between personal and professional data use.

DUAA is very much a response to this new reality.

It acknowledges that data doesn’t live in filing cabinets or even just company servers anymore. It lives on smartphones, in home offices, and across digital ecosystems where access controls are inconsistent and risk awareness varies wildly.

This makes your frontline staff—your receptionists, marketing teams, customer service reps, even junior interns—the gatekeepers of data security. And unless they’re properly trained, they won’t always spot the risks.

With DUAA in place, organisations must now account for how their teams use data in these everyday scenarios. It’s not just about securing the tech—it’s about ensuring the people using the tech know how to do so safely.

Legal Expectations, Real-World Outcomes

It’s worth pausing to consider what DUAA is actually asking of businesses.

It's not creating a new set of technical standards or demanding sweeping system overhauls. What it does demand is that organisations have a clear, demonstrable process for managing data access, usage, and security. That includes data protection impact assessments for high-risk processing that are kept up to date, training records, incident response plans, a procedure for handling data protection complaints from individuals (a new express obligation under the Act), and regular reviews of access permissions.

But more than that, it demands cultural change.

Compliance isn’t just a legal box to tick anymore—it’s an operational risk. DUAA makes that explicit. The cost of failing to meet expectations isn’t just reputational damage or regulatory fines—it’s the erosion of trust, both internally and externally.

If your customers lose confidence in how you handle their data, they’ll leave. If your employees don’t feel supported or educated around data responsibilities, mistakes will happen. And if regulators come knocking, they’ll want more than good intentions. They’ll want proof.

Proof that your team knows what phishing looks like. Proof that access to sensitive data is reviewed regularly. Proof that training is ongoing, not ad hoc. That’s what accountability looks like in 2025.

The Role of Training Under DUAA

Among the most significant implications of the DUAA is its emphasis on people—their behaviours, decisions, and day-to-day handling of personal data. According to the official government factsheet, organisations must ensure data is accessed and used “responsibly, for the right reasons, with the right safeguards in place.” One of the most effective safeguards isn’t a firewall or encryption—it’s education.

Cybersecurity training, then, is no longer a nice-to-have. It is a compliance expectation. One caveat a practitioner will want: the DUAA does not contain a clause headed "training". The expectation flows from the accountability and security obligations in UK GDPR (Article 5(2), Article 24 and Article 32, which require a controller to ensure that anyone acting under its authority processes data only on its instructions) that the Act leaves fully in force. But the quality and design of that training is everything. The law does not just imply that employees should know the rules; it expects businesses to demonstrate that individuals understand the risks, can apply good judgement, and are equipped to act responsibly in real-world situations. Training that fails to achieve this is training that fails to meet the spirit of the law.

This is where many organisations fall short. Generic e-learning modules, infrequent refresher courses, or one-size-fits-all awareness sessions often do little more than check a box. They rarely shift behaviour. In contrast, DUAA calls for training that is proportionate, relevant, and continuous—aligned to the real roles, risks, and responsibilities of your team.

For example, a frontline support agent needs to recognise a suspicious customer request. A marketing executive needs to understand consent. A line manager needs to know how to escalate a breach. Each of these scenarios requires different training content—and a delivery method that engages, not overwhelms.

At Cyber Rebels, we believe training should not only be informative but transformative. That means using live, scenario-based learning, adapted to industry-specific threats, and designed to build practical confidence—not just theoretical awareness. It means creating a culture where secure habits are normalised, not memorised.

Ultimately, the DUAA makes one thing clear: you can’t outsource responsibility for human behaviour. But you can equip your people to get it right. And that starts with training that works.

Why DUAA Is Also a Strategic Opportunity

While DUAA introduces legal pressure, it also creates a strategic advantage for businesses that invest in doing it properly.

In a climate of rising cybercrime, growing mistrust of data handling, and increasing consumer scrutiny, being able to demonstrate a proactive stance on data protection isn’t just reassuring—it’s commercially valuable. It sets you apart from competitors who are still relying on outdated policies or tick-box compliance. When customers know you take their data seriously, you earn more than their business—you earn their trust.

Think of it this way: would you partner with a supplier who couldn’t explain how they protect sensitive information? Would you continue using a service if the staff didn’t understand the basics of privacy, consent, or breach response? Probably not. Your clients feel the same. That’s why embedding DUAA principles into your training, systems, and culture is more than a regulatory exercise—it’s a long-term investment in your brand reputation and resilience.

Effective training transforms that investment into daily value. It reduces the risk of costly breaches, enables faster responses to incidents, and creates a security-minded workforce that actively prevents mistakes before they happen. And as new data regulations emerge—which they will—you won’t be scrambling to react. You’ll already have the muscle memory and cultural foundation to adapt with ease.

In short: getting DUAA right isn’t just a cost of doing business. It’s a strategic move that pays dividends in trust, compliance, and confidence—for your people and your customers.

Where Do You Start?

If this all feels overwhelming, you’re not alone. Many organisations are still catching up on GDPR, let alone adapting to a new framework like DUAA. The scope can feel wide—and the stakes are high.

But the good news is, you don’t need to tackle everything at once. The most important place to start is with your people.

Begin by reviewing your current training provision. Ask whether it genuinely prepares staff to meet the expectations of DUAA—not just in terms of content, but in terms of understanding, confidence, and response. Are your teams equipped to recognise and report threats? Can they apply your policies in everyday decisions? If you’re unsure, it’s worth getting an external perspective.

That’s where support from a specialist partner can make all the difference. At Cyber Rebels, we work with organisations across sectors to bridge the gap between policy and practice. We help businesses interpret complex legal frameworks like DUAA and translate them into practical, human-first training that sticks. Our programmes are designed to align with your actual risks and workflows—not just generic guidance.

Alongside training, look at your internal processes. Are access permissions reviewed regularly? Do people know how to escalate a data concern? Has anyone actually run a phishing simulation recently? These are the kinds of simple, practical checks that regulators increasingly expect—and that help build a resilient data culture.
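The access review mentioned here, and the proportionality principle above ("data access must be proportionate to the task, and regularly reviewed"), is the one check that is easy to automate and easy to evidence. The script below is an added illustration, not code from Cyber Rebels or anything the Act prescribes: it takes a constructed list of access grants and an HR roster and flags grants that are orphaned (the person has left or never existed), overdue for re-approval, dormant, self-approved, or broader than the role's assumed baseline. The 90-day review window, the 60-day dormancy threshold, the role baseline, and the sample records are all assumptions for the example; the findings list is what you would attach to the review as evidence.

```python
"""Least-privilege access review over a constructed set of grants.

Added example, not code from Cyber Rebels or from the Act. The thresholds,
the role baseline and the sample data below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

REVIEW_WINDOW = timedelta(days=90)   # assumed policy: every grant re-approved quarterly
DORMANCY = timedelta(days=60)        # assumed policy: grants unused this long are removed

# Assumed baseline of what each role is expected to need ("dataset:access").
ROLE_BASELINE = {
    "support_agent": {"crm:read"},
    "marketing_exec": {"crm:read", "campaigns:write"},
    "hr_manager": {"hr:read", "hr:write"},
}


@dataclass(frozen=True)
class Grant:
    user: str
    permission: str            # "dataset:access"
    approved_by: str
    last_reviewed: date
    last_used: Optional[date]  # None means never used since it was granted


@dataclass(frozen=True)
class Person:
    user: str
    role: str
    active: bool               # False once HR has processed a leaver


Finding = Tuple[str, str, str]  # (user, permission, reason)


def review_grants(grants: List[Grant], roster: List[Person], today: date) -> List[Finding]:
    """Return one finding per failed check; a clean grant produces none."""
    people = {p.user: p for p in roster}
    findings: List[Finding] = []
    for g in grants:
        person = people.get(g.user)
        if person is None or not person.active:
            # Leavers and unknown accounts: revoke, nothing else to assess.
            findings.append((g.user, g.permission, "orphaned: no active person for this grant"))
            continue
        if today - g.last_reviewed > REVIEW_WINDOW:
            findings.append((g.user, g.permission, "review overdue"))
        if g.last_used is None or today - g.last_used > DORMANCY:
            findings.append((g.user, g.permission, "dormant: not used within threshold"))
        if g.permission not in ROLE_BASELINE.get(person.role, set()):
            findings.append((g.user, g.permission, f"exceeds baseline for role {person.role}"))
        if g.approved_by == g.user:
            findings.append((g.user, g.permission, "self-approved"))
    return findings


def run_sample() -> List[Finding]:
    """Constructed roster and grants (not real people or systems)."""
    today = date(2025, 9, 1)
    roster = [
        Person("alice", "support_agent", True),
        Person("bob", "marketing_exec", True),
        Person("carol", "hr_manager", False),   # left the organisation in July
    ]
    grants = [
        Grant("alice", "crm:read", "lead_support", date(2025, 7, 15), date(2025, 8, 30)),
        Grant("alice", "hr:read", "alice", date(2025, 3, 1), None),
        Grant("bob", "campaigns:write", "cmo", date(2025, 8, 1), date(2025, 8, 28)),
        Grant("carol", "hr:write", "hr_director", date(2025, 8, 1), date(2025, 7, 10)),
        Grant("dave", "crm:read", "lead_support", date(2025, 8, 1), date(2025, 8, 20)),
    ]
    return review_grants(grants, roster, today)


if __name__ == "__main__":
    for user, permission, reason in run_sample():
        print(f"{user:<8} {permission:<16} {reason}")
```

Run as-is and it prints six findings: Alice's stale, self-approved `hr:read` grant trips four checks at once, and the grants held by the leaver and by an account HR has never heard of are flagged as orphaned. Feed it an export from your identity provider and your HR system and you have both the review and its evidence.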

Then, make a plan. Focus on awareness first. Build knowledge, then reinforce it. And over time, embed better security habits across your teams.

DUAA isn’t about perfection—it’s about intention and progression. Regulators don’t expect you to have everything flawless overnight. But they do expect to see that you’re making real, demonstrable efforts to improve. And that starts with a team that understands what’s at stake, and has the skills to act.

Final Thoughts

The Data Use and Access Act 2025 is not just a regulatory update—it’s a call to action for organisations to rethink how they approach data protection. DUAA makes it clear that legal compliance is no longer enough. Businesses must demonstrate that the people behind the systems—staff, contractors, partners—are equipped to make safe, informed decisions with data.

This shift brings both pressure and potential. Yes, there’s greater scrutiny. Yes, organisations must show real-world application, not just policies on paper. But those who embrace this change now stand to gain a serious competitive advantage.

By embedding the principles of DUAA—lawfulness, proportionality, security, transparency, and accountability—into your day-to-day operations, you not only meet legal expectations, you also build internal confidence and external trust. You reduce risk, strengthen resilience, and demonstrate that you take data responsibility seriously.

And this isn’t just a compliance box to tick. It’s a brand decision. Your clients, partners, and employees want to know that their information is safe in your hands. DUAA gives you a framework to prove that—not just through paperwork, but through action.

That’s where Cyber Rebels comes in.

We specialise in turning legal requirements into living, breathing practice. Through our tailored cybersecurity awareness training, we help businesses of all sizes build a culture where security isn’t an afterthought—it’s second nature. Our live, interactive sessions are built around your people, your risks, and your industry—making the expectations of DUAA not just understandable, but achievable.

To recap:

🔹DUAA strengthens UK GDPR and DPA 2018, placing emphasis on human accountability.

🔹It expects real-world application—not just policies but proof.

🔹It highlights the need for ongoing, practical, behaviour-changing training.

🔹It offers a chance to lead, differentiate, and build trust through meaningful compliance.

So the question is: will you wait for a breach, or lead with confidence?

If you’re ready to make data protection part of your culture—not just your compliance strategy—Cyber Rebels is here to help.

Let’s turn policy into practice. Let’s build the habits that compliance demands. Let’s make security human again.

Director of Training and Development, Cyber Rebels. Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure. With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices. He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments. Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.
