
The newly passed Data Protection and Digital Information (No. 2) Act, more commonly known as the DUA Act, is now law. After months of consultation and revisions, the legislation was approved in early July 2025 and has officially begun reshaping how organisations across sectors collect, manage and act on personal data.
The DUA Act, while designed to simplify the UK's data landscape and ease compliance burdens, introduces new complexities for firms using artificial intelligence (AI), automation, and health-related data in their underwriting and policy decisions.
A Changing Data Landscape: Key Provisions of the DUA Act
While many headlines have focused on the DUA Act's divergence from GDPR, its real impact on life insurers lies in three interrelated areas:
· How firms handle data subject access requests (DSARs)
· The growing role of automated decision-making (ADM) and AI
· Evolving expectations around the use of data, particularly health data, in underwriting.
Clarifying DSAR Obligations
The Act introduces more practical and workable standards for DSARs. Insurers are now expected to conduct "reasonable and proportionate" searches when responding to access requests. Rather than scouring every system and archive, firms are empowered to take a more focused and efficient approach – one that aligns with operational realities, while still respecting individual rights.
In addition, the legislation introduces a stop-the-clock mechanism. If a request is unclear or the identity of the requester needs to be verified, insurers can now pause the statutory timeframe to respond. For life insurers, who often deal with large volumes of historic or third-party data, this added flexibility can make DSAR compliance more manageable – assuming they have the internal processes and documentation to support it.
The key question is whether insurers are equipped to take advantage of these new provisions without risking non-compliance. That will require not only clear procedures, but systems capable of indexing, filtering, and retrieving data with precision.
Expanding the Scope of Automation, But...
The DUA Act opens the door to more widespread use of automated decision-making. This is a clear recognition of how AI and automation are transforming underwriting, enabling faster decisions, reducing operational costs, and improving the customer experience. But expansion is not universal...
When it comes to decisions that rely on "special category data" – particularly health data, which lies at the heart of life insurance – the rules remain stringent. Insurers must either obtain explicit consent, or demonstrate a substantial public interest to proceed. When automated decisions will significantly affect individuals, insurers must provide transparency: explaining the logic, enabling challenges, and offering meaningful human review.
The implications are clear. Automation can enhance underwriting efficiency for standard cases, but cannot yet replace human judgment for complex or sensitive applications. Insurers must tread carefully, ensuring that automation is applied where appropriate – and that human oversight remains where it's needed most.
Sapiens has seen first-hand how leading insurers are building hybrid models – leveraging automated risk scoring and decisioning tools, while embedding human review at critical touchpoints. That's the balance regulators are encouraging, and it's also the model most likely to foster customer trust.
A Broader View of Data, But Not Without Limits
Finally, the Act signals a shift in how insurers can use data for underwriting and risk assessment. In principle, the door is now open to a wider array of data sources – including lifestyle data, wearables, and other non-traditional inputs. This could support more personalised underwriting and dynamic pricing models.
But the broader scope comes with higher expectations. Insurers must still comply with the principles of data minimisation and purpose limitation, ensuring that any data collected is relevant, accurate, and used transparently. And when it comes to special category data, the existing guardrails remain in place.
This creates both opportunity and tension. The promise of richer, more dynamic risk modelling is real – but it will only be viable if insurers can demonstrate rigorous governance over how that data is sourced, processed, and explained. In the age of algorithmic underwriting, explainability and accountability are no longer optional.
Preparing for the Future: Strategic Considerations
The DUA Act marks the beginning of an evolving regulatory environment, one in which the Information Commissioner will have enhanced powers and where further guidance is expected through 2026 and beyond. Insurers should see this as an inflection point – an opportunity to build systems and strategies that are not only compliant, but future-ready.
Insurers need help navigating these transitions with confidence. A capable software vendor can support explainable AI, privacy-aware decisioning, and flexible data governance. Whether you're automating processes, responding to DSARs or integrating new data sources, you'll need the tools and expertise to do it right.
In a world where data is both a strategic asset and a regulatory risk, insurers must ask themselves: are we prepared to move fast, but responsibly? The DUA Act is only the beginning. The choices life insurers make today will shape the trust, efficiency, and resilience of their operations for years to come.