CFOtech UK - Technology news for CFOs & financial decision-makers

UK firms unprepared for DUAA as staff training tops concerns

Thu, 6th Nov 2025

A survey of UK compliance professionals has revealed significant gaps in organisational readiness for the forthcoming Data Use and Access Act (DUAA), with staff training emerging as the leading compliance challenge.

The research, conducted by compliance training and software provider VinciWorks, surveyed 373 compliance professionals across the UK to assess preparedness for the DUAA, which is set to replace key aspects of the UK GDPR in 2025. Findings indicate that only 1.6% of organisations report being fully ready for the new legislation.

More than three-quarters of respondents (77%) admitted they are either not prepared, unsure, or only just starting to prepare for the DUAA. The survey also highlights that almost half (47%) of organisations regard updating governance, training, and vendor management as their biggest hurdle in achieving compliance.

Training and human error

Staff training has emerged as the most immediate priority for many organisations, with 39% of respondents stating that training employees across the business is their top compliance focus for the next six months. The findings also show that human error and mistakes are considered the most significant data protection risk by 56% of respondents, considerably outweighing concerns around phishing, which was cited by 12%.

The report suggests that the lack of awareness and education on the DUAA could leave well-meaning employees at risk of inadvertently causing data protection breaches. The emphasis on staff training indicates a recognition that technology solutions alone are not enough to ensure compliance under the new requirements.

Sector perspectives

The survey reveals industry-specific trends, with legal and financial services identified as being among the least prepared sectors, where fewer than one in twenty organisations are compliant with the upcoming DUAA. In the education sector, there is increased awareness of the Act, but also high levels of uncertainty, with 30% of respondents not sure how to assess their organisation's readiness.

Nick Henderson-Mayo, Head of Compliance at VinciWorks, said: "Most cyber compliance failures start with human error, and our research shows that awareness is the missing piece, not technology. Organisations can't rely on IT systems alone; they need to build a culture of understanding and accountability across every team."

Henderson-Mayo further commented: "The organisations investing in better training and awareness throughout the employee lifecycle will be the ones who avoid fines, and build lasting trust with clients and regulators."

Key DUAA implications

The Data Use and Access Act is intended to update and tighten regulations around data access, breach reporting, and privacy governance for UK businesses. Among its provisions are new requirements for transparency, greater cooperation with regulators, and a mandate for organisations to report data breaches within 72 hours.

The research indicates that without clear governance frameworks and robust, cross-departmental training, many organisations could fall short of the legal requirements when enforcement commences. The report notes that governance and training failures represent greater risks to compliance than technical issues or vulnerabilities.

These findings highlight the scale of the challenge facing UK firms as they prepare for a major shift in data protection law. The emphasis among compliance professionals on addressing staff training and human error reflects the critical role of internal policy and education in managing regulatory obligations and avoiding non-compliance under the new regime.
