Jessica O'ConnorGoogle searches for the UK’s new Data Use and Access Act (DUAA) surged in June, the month the legislation became law, according to compliance provider VinciWorks.
The spike reflects growing concern among employers about how the reforms will affect departments handling personal data across the workforce.
The DUAA, which came into force on 19th June 2025, revises existing GDPR and PECR rules by tightening requirements on data subject access requests (DSARs), introducing tougher penalties for marketing breaches, and setting updated safeguards for automated decision-making.
It also creates frameworks for digital identity and Smart Data schemes.
The next compliance milestone arrives on 20th August, when the Information Commissioner’s Office (ICO) will gain expanded investigative powers, including the ability to compel staff interviews and demand internal documentation.
Employers are being urged to update DSAR procedures in line with proportionality rules and the new ‘stop-the-clock’ mechanism, revise privacy policies and contracts to reflect lawful processing changes, and ensure record-keeping systems are ready for regulatory scrutiny.
Training must extend across all departments that process personal data, from HR and finance to marketing, operations and frontline teams.
The law sets further deadlines in the months ahead, with Smart Data and digital identity frameworks expected to be operational from December 2025, and full compliance across all DUAA provisions required by June 2026.
With data protection obligations now touching every aspect of the workplace, the reforms represent a decisive moment for employers, placing responsibility on HR leaders to prepare their organisations and staff for enforcement.
Nick Henderson-Mayo, head of compliance at VinciWorks, said: “The DUAA changes are immediate and far-reaching.
“HR leaders cannot treat this as just an IT issue; it’s an all-staff responsibility. Organisations should be implementing DUAA-compliant processes and delivering staff training now to avoid early enforcement risk.”
