Google Searches Explode for DUAA as Compliance Leaders Confront Biggest Data Law Shift Since GDPR

Google search data analyzed by data and compliance eLearning and software provider VinciWorks has revealed a staggering 16,000% surge in searches for “Data Use and Access Act” in June 2025, the month the legislation received Royal Assent on 19 June.

By comparison, searches for “Data Use and Access Bill” rose by just 175% between October 2024 and June 2025. This spike highlights how seriously UK organizations are taking the changes to data protection law.

The Data (Use and Access) Act 2025 (DUAA) represents one of the most substantial overhauls to UK data governance since GDPR, updating both the UK GDPR regulations and the Privacy and Electronic Communications Regulations (PECR).

For compliance leaders, the changes span digital identity frameworks, Smart Data schemes, expanded legitimate interest grounds for processing, and revised automated decision-making rules—all of which will require updated systems, revised processes, and organization-wide training.

The next critical compliance deadline is 20 August 2025, when the Information Commissioner’s Office (ICO) gains considerably more investigative powers, including the right to compel interviews, demand records, and impose penalties for non-cooperation.

“The DUAA is more than a policy update, it’s a structural shift in how UK organizations manage and share data,” said Nick Henderson-Mayo, Head of Compliance at VinciWorks. “For compliance leaders, this means reassessing security frameworks, ensuring data mapping is accurate, and delivering cross-departmental training. While this legislation will be rolled out over the next 12 months, organizations should be implementing DUAA-compliant processes and delivering staff training now.”

Immediate Priorities for Compliance and Data Leaders

• Update DSAR processes: Ensure proportionality tests are applied and use the new “stop-the-clock” mechanism for unclear requests.
• Audit systems for Smart Data readiness: Particularly in regulated sectors such as finance, telecoms, and energy.
• Review cookie and marketing practices: Fines under PECR now match GDPR levels (£17.5m or 4% of global turnover).
• Align AI governance: New rules narrow ADM restrictions to special category data, potentially deregulating many AI tools but increasing scrutiny.
• Deliver organization-wide training: Not just for compliance and IT, but also operations, marketing, HR, legal, finance, customer service, and procurement teams.

Implementation Timeline Snapshot

• Now: Review DSAR procedures; launch DUAA/UK GDPR training for all relevant staff.
• 20 August 2025: Prepare for expanded ICO investigative powers.
• By December 2025: Implement Smart Data and digital identity readiness.
• By June 2026: Full compliance across all DUAA provisions.

The DUAA signals the UK’s shift toward a more innovation-focused, independent data protection regime, but one with sharper enforcement tools. For compliance and tech teams, the message is clear: the clock is ticking.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.