When the UK introduced the Data Use and Access Act (DUAA), much of the early commentary focused on the divergence it introduced. Was this a softening of the UK’s data protection regime? A deliberate departure from Brussels? A pro-growth recalibration? But all of this framing misses the more consequential shift.
The DUAA does not dilute accountability. It redistributes it, turning prescriptive interpretation into governance that can be clearly demonstrated. In refining recognised legitimate interests, recalibrating subject access rights, adjusting automated decision-making provisions and strengthening enforcement under PECR, the Act reduces rigidity in certain areas while also increasing the expectation that organisations can justify how they exercise discretion.
One thing that is absolutely clear is that the regulatory burden has not disappeared. It has, in fact, become more structural. The organisations that will navigate the DUAA successfully are not those that update policies fastest. They will be those that can evidence how decisions are made, reviewed and improved over time, and do so consistently.
Proportionality Under the DUAA Is Not Leniency; It Is Discipline
One of the central themes of the DUAA is proportionality. It provides that recognised legitimate interests may be relied upon without a full balancing test in defined scenarios. Subject access requests can be refused or moderated where they are “vexatious or excessive”. And automated decision-making rules have been refined.
But proportionality is not a lowering of the bar. For example, where an organisation relies on recognised legitimate interests, the regulator will still expect to see:
- Clear identification of the processing purpose
- Risk analysis reflecting the impact on individuals
- Consideration of safeguards
- Documentation of decision-making
- Evidence of consistent application
Similarly, the reforms to Data Subject Access Request (DSAR) handling do not create discretion in isolation. They require structured criteria for assessing excessiveness, defined escalation routes and documented rationale. In practice, this moves the compliance burden away from formulaic tests and towards demonstrable governance maturity.
I think it’s also worth mentioning that the ICO’s enforcement trend in recent times has already reflected this shift. Investigations increasingly examine systemic control failures, inadequate oversight, and insufficient documentation, rather than merely whether a specific clause was technically breached. In that sense, the DUAA accelerates this shift in focus.
The Act Exposes Fragmented Governance
At a really fundamental level, the DUAA cuts across information security, privacy operations, marketing compliance, AI governance, and international data transfer functions.
In many organisations, these domains remain structurally separated.
Security may operate under a technical risk framework. Privacy may be policy-led and legal-centric. Marketing may be commercially driven. AI deployment may sit within innovation or product teams. Supplier governance may be procurement-led. The DUAA does not respect those internal boundaries.
An AI-driven marketing tool deployed through a US-based processor, for example, may simultaneously engage:
- Security of processing obligations
- Lawful basis assessments
- Automated decision-making safeguards
- PECR marketing rules
- International transfer risk management
If each element is governed differently and inconsistently documented, an organisation’s ability to defend its decision-making is weakened. To be clear, the Act does not explicitly mandate integration. But its practical effect makes fragmented governance harder to sustain. This is why, in this environment, management systems matter.
Why International Standards Become Strategic in a Domestic Reform
While the DUAA amends the UK GDPR and PECR alone, UK businesses remain exposed to EU GDPR, sectoral regulation, and emerging AI legislation when they trade internationally.
In that context, international standards serve two critical functions:
- They create a common governance language across legal, technical and executive teams.
- They provide an auditable proxy for structured risk management in the absence of prescriptive statutory detail.
So, while the integrated application of ISO 27001, ISO 27701 and ISO 42001 does not replace regulatory compliance, it does operationalise it.
Where the DUAA expects proportionate risk assessment, these standards define how risk is identified, evaluated, treated and reviewed. Where the Act strengthens enforcement, they embed auditability and corrective action. Together, they move governance from reactive interpretation to structured, proactive control.
ISO 27001: Turning Accountability into Something Tangible
ISO 27001, the information security standard, provides a framework for achieving clarity. It requires organisations to build an Information Security Management System around:
- Understanding their context and defining the scope properly
- A formal, defensible risk assessment methodology
- Clear risk treatment planning
- Documented control decisions
- Internal audit and management review
- Continuous improvement
On paper, that sounds procedural. In practice, it answers a far more uncomfortable question: who owns the risk, and how do we know?
And, under the DUAA, that question becomes sharper.
Security of Processing
The requirement to implement “appropriate technical and organisational measures” hasn’t disappeared. But “appropriate” can’t mean “what felt reasonable at the time.”
ISO 27001 requires organisations to define what is appropriate for their business, based on documented risk analysis, not subjective judgement or historical habit.
Incident Response and Breach Management
Regulators are no longer focused solely on whether a breach occurred. They’re looking at how prepared the organisation was.
- Was the response tested?
- Was it documented?
- Did leadership understand their role?
A structured, rehearsed incident process demonstrates control. An improvised one demonstrates exposure.
Enforcement and Auditability
With stronger PECR enforcement powers and evolving scrutiny, governance has to be visible. Regular internal audits and management reviews show that compliance isn’t static. It’s being actively monitored and challenged. That matters when regulators are deciding whether an issue reflects bad luck or weak oversight.
And this is where ISO 27001 goes beyond operational hygiene.
It embeds leadership accountability. Under the DUAA, governance failures won’t be treated as technical oversights. They will be seen as organisational ones.
ISO 27701: Making Privacy Reform Operational
If ISO 27001 creates structural accountability, ISO 27701 translates privacy into daily practice. It extends the security management system into a Privacy Information Management System, aligning privacy obligations with the same risk, documentation and oversight structure. That alignment is critical under DUAA reform.
Recognised Legitimate Interests
Even where a formal balancing test isn’t required, organisations still need to show they’ve thought carefully about purpose, proportionality and safeguards.
ISO 27701 formalises how lawful bases are identified, recorded and reviewed. It removes ambiguity from decisions that might otherwise be made informally.
DSAR Reform
Moderating or refusing subject access requests requires judgment, and judgment requires guardrails.
ISO 27701 sets out defined procedures, escalation paths and documentation requirements. That turns discretion into a defensible process.
International Transfers
Transfer risk assessments, processor oversight and contractual safeguards don’t sit neatly within legal alone.
ISO 27701 integrates them into supplier governance and operational workflows, reducing fragmentation between legal, procurement and security teams.
Transparency and Accountability
Privacy notices and records of processing aren’t one-off updates. They become part of a living management system.
In effect, ISO 27701 embeds the discipline required to use DUAA flexibility responsibly, without drifting into inconsistency.
ISO 42001: Governing AI Without Treating it as an Experiment
As I briefly touched on earlier, the DUAA also updates automated decision-making rules. In some contexts, it increases flexibility. But flexibility without oversight rarely ends well. ISO 42001 introduces an AI Management System built on:
- AI-specific risk assessments integrated into enterprise risk
- Defined human oversight
- Clear documentation of system purpose, data inputs and decision logic
- Transparency controls
- Ongoing monitoring and improvement
As AI expands across sectors, regulators won’t just ask whether systems function technically. They will ask whether organisations can demonstrate meaningful oversight. ISO 42001 answers that question by embedding AI governance into existing security and privacy systems, rather than treating it as an innovation side project.
The Integrated Advantage: One Risk Model, One Evidence Base
The strategic power of the ISO 27001, 27701 and 42001 loop lies in integration. Together, these three standards create:
- A unified risk methodology across security, privacy and AI
- Consistent documentation standards
- Shared leadership oversight
- A consolidated internal audit cycle
- A single corrective action framework
This matters because the DUAA does not introduce isolated obligations. It introduces discretion across these interconnected domains.
An integrated management system reduces duplication, prevents inconsistent decision-making and ensures proportionality is applied through structured analysis rather than informal judgement. For organisations, it means that when regulators request evidence, and they increasingly do, companies operating this loop can provide well-documented risk assessments, treatment decisions, oversight records and review outcomes in a coherent narrative. And that is often the difference between scrutiny and sanction.
From Compliance to Organisational Resilience
The DUAA will not be the last reform of UK data law. Guidance will evolve. Enforcement posture will mature. AI oversight will intensify. Cross-border complexities will persist. Organisations that treat each development as a discrete legal adjustment will continue to incur repeated operational disruption.
Those operating integrated management systems will absorb change incrementally. Risk registers will be updated. Controls refined. Oversight recalibrated. Evidence retained. The difference is structural.
The DUAA signals a regulatory environment defined less by prescriptive instruction and more by expectation of disciplined judgment. In that environment, governance maturity becomes a competitive advantage. The ISO 27001, 27701 and 42001 loop does not simplify regulation. It makes it manageable.