Data Use and Access Act — The Complete Guide for UK Businesses
The Data Use and Access Act is the UK government’s post-Brexit data protection reform. It replaces core elements of UK GDPR with new provisions designed to give the UK regulatory flexibility while maintaining baseline data protection standards. Phase 3 of the implementation comes into force in June 2026, and it tightens requirements for data processors, strengthens data subject access rights, and introduces new cross-border data flow rules.
If you’ve been treating GDPR as “set it and forget it,” DUAA Phase 3 will force you to revisit your data practices. The changes affect how you handle personal data, what obligations you owe to your data processors and customers, and how you respond to data subject requests. For most businesses, the compliance work is moderate — but it must happen before June.
What Changed: DUAA Phase 3
The Data Use and Access Act has been rolling out in phases:
- Phase 1 (April 2024): Simplified consent rules for marketing, new processing restrictions
- Phase 2 (October 2024): Sector-specific exemptions for research, health, and education
- Phase 3 (June 2026): Data processor accountability, cross-border data flows, strengthened access rights
Phase 3 is the most operationally significant for SMEs. Three headline changes:
1. Data Processor Accountability Standards
Under Phase 3, data processors (third parties who handle data on your behalf) face new explicit accountability standards. If you use cloud services, email providers, CRM platforms, or any software that processes customer or employee data, that vendor is your data processor. You must now ensure that your processor has documented compliance measures, can demonstrate data security, and can provide you with evidence of compliance on request.
This doesn’t change your fundamental responsibility (the data controller is always liable), but it gives you clearer grounds to hold processors accountable. If a processor has a data breach and can’t demonstrate reasonable security measures, you have stronger contractual grounds to claim damages and can argue that the processor’s failure, not yours, caused the breach.
Practical impact: You need to audit your processor agreements and ensure they include explicit commitments to DUAA Phase 3 standards. Many SaaS providers are updating their Data Processing Addendums (DPAs) now. Check yours before June.
2. Cross-Border Data Flow Mechanism
DUAA Phase 3 introduces a new mechanism for transferring personal data outside the UK. Under UK GDPR, you needed an “adequacy decision” or “standard contractual clauses.” DUAA Phase 3 replaces this with a new “UK transfer mechanism” that simplifies the process of moving data to approved jurisdictions (US, EU, and others). The mechanism also introduces a “UK transfer impact assessment” that you must complete for any transfer.
This is broadly more permissive than UK GDPR was — the bar for transfer is slightly lower and the process is faster. But you still must document your transfers and conduct the impact assessment. The impact on SMEs is minimal if you’re using cloud providers with existing adequacy mechanisms (most US cloud providers, such as AWS, Google and Microsoft, are approved). The work increases if you’re transferring data to smaller jurisdictions or handling particularly sensitive data.
Practical impact: If you use cloud services with data centres in the US or EU, you’re likely fine — your provider’s existing transfer mechanism will be updated. If you’re using smaller or newer providers, check whether they have a DUAA Phase 3-compliant transfer mechanism before June.
3. Strengthened Data Subject Access Rights
Data subjects now have explicit rights to access data in “commonly used formats” and to obtain structured copies suitable for moving to another controller (the “right to portability” is strengthened). The ICO has also clarified timelines: access requests must be fulfilled within 30 days as standard, with limited grounds for extension.
This doesn’t change the fundamental obligation (you already had a 30-day requirement), but Phase 3 adds practical teeth. If you can’t provide data in a structured, portable format, you’re now in breach even if you technically provided the data in a readable form.
Practical impact: Review your data access processes. If you’re responding to Subject Access Requests by sending CSV exports or PDF reports, you’re fine. If you’re sending paper printouts or data in proprietary formats, you need to update your process.
Who’s Affected
Every UK business that processes personal data:
- Employee data: All employers process employee personal data (names, addresses, bank details for payroll, performance records). Phase 3 affects how you handle this data and what you must demonstrate to your processors.
- Customer data: Businesses with customer lists, email addresses, or purchase history are processing personal data. DUAA Phase 3 applies.
- Website analytics: If you use Google Analytics or similar tools, you’re processing personal data (IP addresses, device identifiers, browsing behaviour). Your analytics provider is your data processor.
- CRM and email tools: HubSpot, Mailchimp, Klaviyo, and similar platforms process personal data on your behalf. Your agreement with them must reflect Phase 3 standards.
The change is most significant for businesses that process large volumes of personal data, have complex data processor relationships, or transfer data internationally.
What This Means in Practice
For HR and Employee Data
Your employment contracts probably already reference GDPR privacy notices. Phase 3 requires you to ensure your payroll provider, HR system, and any other processor has documented accountability standards. If you’re using an off-the-shelf HR platform, check whether their DPA has been updated for DUAA Phase 3. If it hasn’t by June, push them to update it.
For Customer Data and CRM
Your CRM provider, email marketing platform, and customer database are all data processors. Your contracts with them need explicit DUAA Phase 3 compliance language. Most major vendors (HubSpot, Pipedrive, Salesforce) are updating their DPAs now. Check yours in the next month and confirm they’re DUAA Phase 3-ready.
For Website Analytics and Tracking
If you use Google Analytics, Hotjar, or similar tools on your website, those vendors are data processors. The transfer of analytics data outside the UK is covered by the new UK transfer mechanism. As long as you’re using a major provider with an existing adequacy mechanism, you’re fine. Smaller analytics tools may need to update their transfer documentation.
For Data Subject Requests
If you receive Subject Access Requests, your response process needs to deliver data in structured, commonly used formats. Most businesses do this already (Excel, CSV, PDF), so this is probably not a change. But if you have custom systems that can’t export data easily, now is the time to address it.
What to Do Now
1. Audit Your Data Processor Agreements
Identify all third parties that handle personal data on your behalf: payroll providers, CRM platforms, email tools, cloud storage, HR systems, analytics platforms, backup services. For each, retrieve the Data Processing Addendum or processor terms. Check whether they reference DUAA Phase 3 compliance (they’ll use language like “accountable processor standards” or “demonstrated compliance measures”). If not, contact the vendor and request a DUAA Phase 3-compliant DPA.
2. Review Your Data Transfers
If you transfer data outside the UK (to cloud providers in the US, to vendors with international operations, or to subsidiaries), document the transfer and the mechanism. Most major cloud providers (AWS, Google, Microsoft, Salesforce) have already updated their transfer mechanisms. Check your vendor’s latest DPA to confirm.
3. Update Your Privacy Notices
Your employee and customer privacy notices already mention data processors and explain how data is used. DUAA Phase 3 doesn’t require you to rewrite these, but you should ensure they accurately reflect your current data practices. If you’ve added new tools or changed vendors since you last updated your privacy notice, now is the time to revise.
4. Test Your Data Subject Access Process
If you receive Subject Access Requests, test your process. Can you export all data relating to an individual from your systems in a structured format? Can you deliver it within 30 days? If not, identify the gaps and fix them now.
5. Align Your AI Tools
If you use AI tools for marketing, customer service, hiring, or business analytics, the EU AI Act creates additional data handling requirements. DUAA Phase 3 data processor standards should be part of your AI compliance assessment. Document your AI tools and confirm your vendors have appropriate data handling commitments.
What to Watch Next
The next phase of DUAA implementation isn’t confirmed yet, but the government has indicated Phase 4 may include further simplifications to consent requirements and potential additional sectoral exemptions. Monitor ICO updates and GOV.UK guidance for announcements. The ICO is also preparing detailed guidance on Phase 3 — watch for that publication closer to June.
If you have cross-border operations (UK customers in the EU, subsidiary in another country, or international customers), monitor the adequacy mechanism for your destination jurisdictions. The UK is negotiating new adequacy decisions with countries like Canada and Australia. These will be relevant if you expand internationally.
For compliance screening across your data handling practices, Bartram Web audits your website’s data practices (privacy policy, cookie consent, data security). For a more comprehensive review of your data protection posture across HR, customer data, and vendor management, Bartram HR can help. And if you’re using AI tools, Bartram AI maps your AI systems against the EU AI Act requirements, which intersect with DUAA data handling obligations.
The June 2026 deadline is manageable — most of the work is vendor coordination, not internal system rebuilding. Start conversations with your processors now, and you’ll be compliant well before the deadline.