
DUAA Compliance Surge: What HR Should Know Ahead of the Deadline

Author: Matt Monette

Last update: October 23, 2025
Table of Contents

How DUAA compliance impacts HR functions

DUAA: A timeline

Always-on compliance with Deel

About the author

Matt Monette is the Director, Solutions Consulting, Global Payroll at Deel. He has worked at hyper-growth SaaS companies for most of his career. Most recently, he led Shopify's UK expansion in London before becoming the VP of Sales at a late-stage startup.

Employee data sits at the heart of HR operations, which means that HR needs to stay up to date with national data laws. By now, you should be well aware of the ongoing implementation of the Data (Use and Access) Act 2025, otherwise known as the DUAA. It won’t replace current legislation (like the UK GDPR), so it adds another layer of complexity to staying compliant.

The good news is that, according to the government, the act is designed to “encourage innovation, help law enforcement agencies to tackle crime and allow responsible data-sharing while maintaining high data protection standards.”

Some of the deadlines are already behind us, with full implementation expected in 2026. If you’re panicking about getting ahead of the changes, there’s still time to catch up.

How DUAA compliance impacts HR functions

The act brings a number of changes that HR must be aware of. The most impactful are:

  1. “Reasonable and proportionate” data access requests (SAR reform). DUAA redefines how organisations must handle Subject Access Requests (SARs). HR teams no longer need to conduct exhaustive searches — the Act introduces a “reasonable and proportionate” standard. You can now limit searches to data systems and formats that are proportionate to the request’s scope. However, HR must still demonstrate good faith effort and document why any information was excluded.

  2. Cross-border data transfer simplification. DUAA introduces UK-specific adequacy mechanisms and more flexible transfer conditions for international employee data. This is especially helpful for global and remote teams.

  3. Automated decision-making and AI in HR. DUAA loosens GDPR’s strict limits on automated processing, provided organisations maintain transparency and safeguards. You can now rely on automated tools more easily, but must explain how decisions are made and allow employees to challenge or request human review.

  4. Data governance simplification. DUAA removes the mandatory Data Protection Officer (DPO) requirement for most companies and replaces it with a “Senior Responsible Individual” (SRI) model. Since HR is often the largest data handler in a business, accountability will shift toward HR leadership.

  5. Expanded legitimate interest grounds and employee transparency. DUAA broadens the definition of “legitimate interest” for internal processing, such as workforce planning, performance management, or IT security monitoring. Employers have more freedom to process employee data without explicit consent, reducing administrative burden. However, this must be offset with clear justification and transparency to employees.

Compliance with the act isn’t just essential for avoiding fines and reputational damage. The act makes essential HR functions concerning employee data easier, allowing for simpler workforce planning and more streamlined decision-making.


DUAA: A timeline

Here’s a quick overview of which milestones are already behind us, and what steps you need to take next.

What’s happened so far

  • June 2025: DUAA receives Royal Assent, and the law is officially passed. Some provisions (like “reasonable and proportionate” SARs) took effect immediately.

  • July–August 2025: Initial commencement regulations activated governance and regulatory structure changes.

  • September 2025: Additional commencement phases; early secondary legislation kicked in.

What’s coming next (and what to do about it)

  • October–December 2025: ICO guidance and Codes of Conduct expected (especially around legitimate interests, international transfers, and automated decision-making).

    • Adjust legal bases for data processing (if you rely on legitimate interest for employee monitoring or performance tools)
    • Audit AI and automation in HR (hiring algorithms, performance scoring)
    • Update cross-border data transfer mechanisms for global or remote-first teams

  • December 2025: Approximately six months post–Royal Assent, the most substantive DUAA obligations will likely be in force.

    • Conduct a formal DUAA compliance audit (HR-specific DPIA)
    • Refresh employee data protection training and policy documentation
    • Ensure HRIS and payroll systems capture access logs and consent records

  • January–March 2026: Enforcement powers expand; ICO restructuring and enhanced oversight.

    • Prepare for potential ICO spot checks or audit requests
    • Review and simplify data retention and “right to erasure” procedures
    • Strengthen your incident response plan for HR-related data breaches

  • April–June 2026: Full DUAA implementation deadline. All provisions are expected to be in force by June 2026.

    • Complete final vendor attestations confirming DUAA compliance
    • Embed ongoing compliance into annual HR governance cycles
    • Publish an updated HR privacy statement for full transparency

  • Beyond June 2026: Ongoing compliance phase.

    • Schedule annual data protection reviews (DPIAs, consent audits)
    • Track regulatory updates; future DUAA amendments may address AI and biometrics
    • Continue employee trust initiatives (transparency dashboards, access logs)

Complementary reading:

If data laws are top of mind for your organisation, check out our guide on how to maintain global GDPR compliance.

Always-on compliance with Deel

As the deadlines approached, Google searches for ‘data use access act’ spiked 16,000%. All HR professionals know what that last-minute panic feels like. This is one of the many reasons we built Deel – to make compliance easier to manage, without the stress.

Whether you’re headquartered in the UK, have a UK entity, or hire UK staff with an EOR, everything you do with Deel has compliance built in. That includes fully localised contracts, automated tax filings, and data security safeguards.

Book your 30-minute demo to see what headache-free compliance looks like.
