Legislation, 4 May 2026

The DUAA mistake therapists are making right now

With a few weeks until DUAA 2025 takes effect, therapists are scrambling to update their policies. Three patterns are coming up over and over — and most of them are easy to fix. Here is what to look for in your own setup.

The Data (Use and Access) Act 2025 comes into force on 19 June 2026, and over the past few weeks there has been a noticeable scramble among UK therapists to update their compliance documents.

Most are making real progress. But three patterns are coming up over and over — small mistakes that are easy to make and just as easy to fix once you know to look.

This isn't legal advice. It's an observation about what is and isn't being addressed in the wave of compliance work happening right now.

Pattern one: updating the privacy policy but not the underlying procedure

The temptation, when a new piece of data legislation arrives, is to update the privacy notice that sits on your website. That document is what clients see, so it feels like the right priority. And it is one of the things that needs updating.

But the privacy notice describes what you do. The change DUAA brings is largely about what you actually do behind the scenes — the procedures, the response times, the complaints route. A privacy policy that promises a 30-day SAR response is only worth the paper it's printed on if you have a written procedure to handle one when it arrives.

Many therapists are updating the public document and assuming the underlying process is already in place. Often it isn't. If you couldn't, today, walk a colleague through how you would handle a subject access request that arrived in your inbox right now, the privacy policy update is premature.

Pattern two: missing the new complaints procedure entirely

DUAA introduces a clearer expectation that organisations holding personal data have a documented complaints procedure that data subjects can use. For therapists, this is new. Until now, the complaints process most therapists had in mind was the one their professional body operates — BACP's, UKCP's, and so on.

Those professional body procedures still exist and still serve their purpose. But they are not a substitute for a data-protection-specific complaints procedure that you, as a data controller, run yourself.

This is the area where the most catching-up is needed. The required elements aren't onerous: a clear way for someone to complain, a defined response time, a named person responsible, an escalation path to the ICO if the complainant remains unsatisfied. But it does have to exist, and it has to be visible.

Pattern three: assuming the existing Appropriate Policy Document still does the job

Therapists who already have an Appropriate Policy Document — and most don't — sometimes assume it covers their DUAA obligations because it covers special category data, which is the part of GDPR that gets the most attention.

The APD is genuinely important and DUAA doesn't replace it. But the APD addresses one specific question: what is your lawful basis for processing special category data, and what safeguards do you have around it? It does not, on its own, address the broader procedural and accountability requirements DUAA brings into clearer focus.

So the answer to "do I need to do anything about DUAA if I already have an APD?" is, probably, yes — though what you need is mostly procedural, not another policy document.

What this looks like in practice

The therapists who are in good shape for 19 June tend to have done four things:

  • Reviewed their privacy notice and confirmed every claim in it matches a real procedure they could perform tomorrow
  • Drafted a short, plain-English complaints procedure that explains how someone can raise a data protection concern with them
  • Confirmed their lawful basis for processing remains accurate under the new framework
  • Reviewed any third-party processors they use — platforms, accountants, supervisors with access to anonymised data — and made sure each one is named and described

None of this is dramatic. It is mostly the work of an evening or two for a sole practitioner. But it is the work that the public-facing documents alone don't cover, and it is what the legislation actually expects.

The point isn't to be perfect

DUAA is not designed to catch out small practitioners who are doing their best. The compliance bar for a sole-practitioner therapist is very different from the bar for a 200-person clinic. What the legislation expects is that you have thought about your obligations, written down what you do, and can produce evidence of that thinking if asked.

The therapists most at risk on 19 June are not the ones whose policies have a small wording error. They are the ones whose websites say one thing while their practice does another, and who have no documentation of the gap.

If you have updated your privacy policy in the last month, that's good — and now is a good time to look at what's beneath it.