Despite the temptation to “leave data to the data team”, if HR teams think the Data (Use and Access) Act 2025 (“DUAA”) is something they can leave to others, they need to think again. Although the DUAA is now nearing the end of its implementation phase, this is probably the time when HR needs to pay the most attention, to ensure that systems are co-ordinated and that the significant challenges the DUAA presents for HR are not overlooked. There are some significant changes that HR needs to be actioning now.
For HR functions (often arguably the most data-intensive part of any organisation), May 2026 is therefore not a “watching period” before the impact of the June 2026 changes — alignment should already be underway.
If you are unsure as to what should already be in place, it would be sensible to conduct an audit of the requirements that should already be bedded in. If you would like a framework DUAA audit template, please click here. If you would like to discuss a full audit of “data within HR” or your data function generally, please email [email protected]. In the meantime, if you are looking at action points for May, keep reading.
Data Complaints Regime
Why Now?
From 19 June 2026, employers are required to have a formal, specific data complaint-handling process for individuals to use if they believe their data protection rights have been breached. For any HR team in receipt of a grievance or concern that references data (even loosely, such as “I emailed my manager and they emailed the team”), the first port of call should be to seek clarification as to whether the individual is making a “data complaint”.
This requirement for a complaints procedure does not relate only to internal (employee) data; it extends to workers, contractors, agency workers and clients (customers).
Individuals must be informed about their right to complain at the time their data is collected (Privacy Notices should be amended to include this information if they have not been already) and when responding to subject access requests (SARs).
The DUAA introduces a mandatory internal complaints framework, requiring organisations to:
- have a clear and accessible complaints procedure under which complaints can be submitted electronically (as well as by other means);
- facilitate complaints (e.g. ensure that complaints are easy to make, perhaps by using online forms);
- acknowledge complaints within 30 days; and
- take appropriate steps to investigate and respond to the complaint without undue delay.
For all complaints, organisations should keep a record of the key steps taken, including evidence that they have met their obligations within the 30-day timeframe. There are also two important points to note about the timeframe:
- The 30 days start on the day after you receive the complaint, even if that day falls on a weekend or a public holiday.
- If the last day to acknowledge the complaint falls on a weekend or public holiday, you have until the next working day to provide an acknowledgement.
Not only will this mean more work for organisations in terms of data management (new processes and procedures to implement), but, significantly, it shifts more responsibility, and therefore more risk, onto organisations before any escalation to the ICO.
What HR Should Be Doing in May 2026
- Embed a formal data protection complaints process into HR procedures.
- Integrate complaints into existing grievance or employee relations frameworks.
- Ensure visibility: employees must be trained to identify a data complaint (including for their own use); and
- Define ownership of the complaint — should it be HR, the DPO, or Legal?
Large Organisations – Additional Tasks
- Create a centralised complaints channel (e.g., online, create a form).
- Track complaints as a regulatory risk dataset (trend analysis, repeat issues).
- Align this with whistleblowing and ‘speaking up’ frameworks.
Smaller Organisations
- Implement a simple, documented process (email channel and acknowledgement template).
- Ensure timelines are diarised and monitored manually.
- Avoid over-processing—clarity, timely responses, and monitoring are key.
Deadline is 19 June 2026 – but don’t leave it to the last minute in case there are operational difficulties.
Subject Access Request (SAR) Handling Process
Why Now?
The DUAA codifies a more pragmatic SAR regime, introducing “reasonable and proportionate” search expectations and allowing employers to pause (“stop the clock”) where clarification is required. No doubt these practices are already followed (under the ICO guidance); ensure that they are reflected in policies and procedures.
This is one of the few areas where the Act offers genuine operational relief to organisations already feeling the significant strain of increasing numbers of AI-generated SARs, but this relief only operates if it is implemented correctly.
What HR Should Be Doing in May 2026
- Update all SAR procedures (and policies) to reflect:
  - scoped searches (not exhaustive trawls); and
  - lawful (carefully documented) use of clarification requests.
- Implement templates for clarification workflows to aid processes.
- Train HR/data teams on when to narrow scope versus respond fully; and
- Align SAR handling with litigation risk (employment disputes remain a key trigger).
Large Organisations – Additional Tasks
- Automate SAR triage: deploy case management tools to categorise SARs (disciplinary, grievance, exit-related, versus complaints). Human review is obviously still required once a SAR has been triaged, to pick up any nuances or hints.
- Standardise scoping decisions across HR, Legal, and IT to avoid inconsistency; and
- Maintain audit logs evidencing proportionality decisions (always anticipate complaints and/or regulatory scrutiny).
Smaller Organisations – Additional Tasks
- Focus on clear internal processes (playbooks)—not tooling.
- Use standard response templates and escalation triggers; and
- Ensure at least one trained decision-maker validates proportionate search boundaries.
Lawful Basis and HR Data Use (Especially ADM and Legitimate Interests)
Why Now?
Previously, individuals had the right not to be subject to automated decision-making producing legal or similarly significant effects (with exceptions). Under the DUAA, significant and solely automated decisions (except those involving special category personal data or those based on the new “recognised legitimate interests”) are generally permitted, subject to certain safeguards, which must enable data subjects to make representations, contest the decision, and require human intervention (therefore ‘relaxing’ Article 22). This is quite a shift.
The DUAA adjusts how organisations can rely on a lawful basis through:
- the introduction of “recognised legitimate interests”, reducing the balancing-test burden in certain cases; and
- an expanded scope for automated decision-making (ADM), subject to appropriate safeguards.
For HR, this directly affects recruitment screening, performance analytics, monitoring, and workforce planning. Note that significant decisions based solely on automated processing remain prohibited unless an Article 22(2) condition applies and the Article 22(3) safeguards are implemented; legitimate interests is not one of those conditions.
What HR Should Be Doing in May 2026
- Audit HR processing activities against updated lawful basis.
- Identify where reliance on legitimate interests can be simplified.
- Review any automated or semi-automated decision-making tools (e.g., CV screening, absence/conduct triggers, performance monitoring).
- Update Privacy Notices to reflect any changes in processing, accountability or lawful basis.
Large Organisations – Additional Tasks
- Conduct organisation-wide data mapping review (HR systems, vendors, analytics—especially monitoring tools).
- Implement ADM governance frameworks (with safeguards factored in for human review, bias testing, and documentation); and
- Coordinate with Procurement teams on vendor compliance (check those contracts to ensure that the changes are rolled downstream, for example ‘tech stack’ scrutiny).
Smaller Organisations – Key Tasks
- Prioritise high-risk processing (recruitment tools, monitoring, disciplinary triggers).
- Document reliance on legitimate interests in a register or log; and
- Avoid deploying ADM tools without clear human oversight (safeguards).
Conclusion
The DUAA expanded the UK GDPR regime, strengthening regulatory powers (including increasing PECR fines to match GDPR levels) and increasing organisational flexibility—but at a price: increased accountability, overseen by new enhanced regulatory powers.
In most cases, organisations are not required to reinvent the ‘data procedures wheel’—but HR teams do need to pay attention to how the changes impact what they do and the intersection between grievances and the new complaints regime.