For years, conversations about data regulation in the UK have largely centred around the same framework. GDPR reshaped how organisations collect and protect personal data, the Data Protection Act reinforced those obligations, and security leaders built governance structures to ensure compliance across their organisations.

Many CISOs have spent the past decade refining policies, training employees and implementing controls designed to meet those standards.
But regulation never stands still.
The Data (Use and Access) Act 2025 (DUAA) represents one of the most significant developments in the UK’s data governance landscape since GDPR first came into force. While the Act doesn’t replace existing regulation, it introduces new expectations around how organisations access, share, govern and use data in increasingly complex digital environments.
For CISOs, this matters because many of the changes sit directly at the intersection of cybersecurity, governance, and human behaviour. The Act introduces evolving expectations around AI usage, internal data access, regulatory oversight and organisational accountability. These are all areas where security leaders already carry significant responsibility.
As organisations continue interpreting what the legislation means in practice during 2026, one thing is becoming increasingly clear. Compliance will depend just as much on people, processes and culture as it does on technology.
Why The Data (Use And Access) Act Matters Now
Although the Act was passed in 2025, many organisations are only now starting to fully understand its practical implications.
The legislation aims to modernise how data can be accessed and used across the UK economy. In simple terms, it encourages organisations to make better use of data while still maintaining strong protections for individuals and sensitive information.
That balance creates new challenges for CISOs.
Organisations are being encouraged to unlock value from data, collaborate across teams, and explore emerging technologies such as artificial intelligence. At the same time, they remain responsible for protecting sensitive information, ensuring appropriate access controls, and demonstrating compliance when regulators ask questions.
Security leaders are therefore navigating a more complex environment where data enablement and data protection must exist side by side.
Getting that balance right requires clear governance, strong internal processes, and a workforce that understands its responsibilities when handling organisational data.
Greater Focus on Data Governance and Accountability
One of the most important themes within the Act is a stronger emphasis on structured data governance.
Most organisations already have policies covering data classification, access management and retention. However, the DUAA reinforces the expectation that organisations should have a clear and auditable understanding of how data flows through the business.
This includes questions such as who has access to specific datasets, why that access is required, and how sensitive information is shared internally or externally.
For CISOs, this shift increases the importance of visibility and oversight. Security teams are no longer focused solely on external threats. They also need confidence that legitimate internal access is being used appropriately.
This is where human behaviour becomes critical. Even the most robust technical controls cannot fully prevent accidental data exposure or inappropriate sharing if employees are unaware of the risks or unclear about the rules.
Clear communication, regular training and well-defined processes therefore become essential parts of effective data governance.
New Considerations Around AI and Data Use
Another evolving aspect of the Act is its relevance to AI and automated decision-making.
Organisations are increasingly experimenting with AI tools that rely on large volumes of data. From internal productivity tools to customer-facing services, AI is rapidly becoming part of everyday business operations.
The DUAA reinforces the need for organisations to understand how data is being used within these systems and whether the use of that data aligns with governance and regulatory requirements.
For CISOs, this introduces new oversight challenges. Security leaders need visibility into how emerging technologies interact with organisational data, particularly when those tools are adopted quickly or without central governance.
AI can deliver enormous benefits, but it also raises important questions around transparency, access permissions and responsible data use. Ensuring employees understand the risks and boundaries around data usage becomes an important part of managing that risk.
Increased Regulatory Scrutiny and Enforcement
As with many regulatory changes, the real impact of the Act will likely be seen through enforcement and oversight.
Regulators are expected to place increasing emphasis on organisations being able to demonstrate that they have appropriate governance, controls and processes in place. Documentation, training records and clear internal policies all become part of that story.
For CISOs, this reinforces a familiar challenge. Compliance is not only about having the right tools or policies on paper. It requires evidence that employees understand those policies and apply them consistently in their day-to-day work.
Security awareness programmes play an important role in helping organisations demonstrate that data governance is embedded into organisational culture rather than existing only in documentation.
The Human Element of Data Compliance
Many of the requirements associated with the Data (Use and Access) Act ultimately come back to people.
Employees access systems, share information, collaborate across departments and adopt new technologies. These everyday actions can either strengthen or weaken an organisation’s ability to manage data responsibly.
That’s why CISOs are increasingly focusing on building a culture where employees understand the value of data and the risks associated with mishandling it.
When employees know how to identify sensitive information, understand the boundaries around data access, and feel confident about reporting potential issues, organisations are far better positioned to meet evolving regulatory expectations.
Creating that culture requires consistent messaging, engaging training and practical guidance that makes data protection part of everyday decision-making.
How MetaCompliance Can Help
Navigating evolving legislation like the Data (Use and Access) Act 2025 requires more than simply updating policies. Organisations need practical ways to educate employees, reinforce expectations and demonstrate compliance.
MetaCompliance supports organisations by helping them build structured, measurable awareness programmes that embed data protection responsibilities into everyday behaviour.
Our education library includes dedicated courses covering the key areas organisations need to understand under the Act, from an introduction to the legislation itself through to its impact on GDPR, marketing communications, regulatory engagement and complaint handling.
These modules are designed to give leadership teams and employees a clear, practical understanding of how the legislation affects their day-to-day responsibilities, from governance and regulatory engagement to practical data handling processes.
Alongside learning, MetaCompliance provides the tools organisations need to manage policies, track employee understanding and maintain clear records that demonstrate compliance.
As data regulation continues to evolve, the organisations that succeed will be those that combine strong governance, effective technology and a workforce that understands its role in protecting data.
For CISOs, building that culture is quickly becoming one of the most important parts of managing cyber and regulatory risk.
To find out more, get in touch with our team today.