DUAA AI Checklist

Guidance to help align AI projects with the UK Data (Use and Access) Act (DUAA) 2025 and UK GDPR. This is not legal advice.


How to use this checklist

  • Treat each section as a gate before moving to the next project stage.

  • Keep the evidence items; they form your audit trail and “transparency pack.”

  • Use ✅ / ⚠️ / ❌ or RAG status in the columns to track progress.

Area                        | Status | Owner | Evidence link
----------------------------|--------|-------|--------------
Purpose & Lawful Basis      |        |       |
DPIA & Risk                 |        |       |
Data Mapping & Minimisation |        |       |
Evaluation & Testing        |        |       |
Security & Access           |        |       |
Transparency & UX           |        |       |
Monitoring & Incidents      |        |       |
Procurement & Vendors       |        |       |
Records & Documentation     |        |       |

1) Purpose & Lawful Basis

  • Evidence to keep: Purpose statement, RoPA entry, lawful‑basis memo, LIA worksheet, transfer assessments.

2) DPIA & Risk Management

  • Evidence to keep: DPIA, risk register, sign‑off note from Senior Responsible Owner (SRO).

3) Data Mapping & Minimisation

  • Evidence to keep: Data map, retention schedule, DPA with processors, data quality report.

4) Technical Architecture & Controls

  • Evidence to keep: Architecture diagram, access matrix, threat model/STRIDE notes, pen‑test report.

5) Evaluation & Testing (Pre‑deployment)

  • Evidence to keep: Evaluation plan, metrics dashboard screenshots, model card/policy, test reports.

6) Human‑in‑the‑Loop & Controls

  • Evidence to keep: SOPs, user playbooks, explainer specs, appeals workflow.

7) Transparency & UX

  • Evidence to keep: Copy decks, screenshots, transparency note, consent logs.

8) Monitoring, Incidents & Change Control

  • Evidence to keep: Monitoring runbooks, alert policies, incident logs, versioning records, re‑eval minutes.

9) Procurement & Vendors (incl. Public Sector)

  • Evidence to keep: Contract clauses, DPA, DPIA addendum for processors, exit plan.

10) Records, Training & Governance

  • Evidence to keep: RoPA entries, training logs, governance minutes, policy PDFs.

Quick‑Start Pack (templates to include)

  • ✅ Purpose & Lawful Basis memo

  • ✅ DPIA template with AI extensions

  • ✅ Evaluation plan & metric catalogue

  • ✅ Model card / decision policy

  • ✅ Transparency note (public) + UX copy

  • ✅ Monitoring & incident runbook

  • ✅ Vendor due‑diligence questionnaire

  • ✅ Exit & portability checklist


Stage Gates (recommended)

Gate 0 — Intent: Purpose, lawful basis, owner named, success criteria written.

Gate 1 — Design: DPIA draft, data map, architecture, evaluation plan v1.

Gate 2 — Pilot Go/No‑Go: Acceptance thresholds set; mitigation plans; governance sign‑off.

Gate 3 — Production Ready: Pen‑test passed; transparency assets ready; monitoring live; support trained.

Gate 4 — Operate & Review: Quarterly re‑evaluation; incident/benefits reports; change approvals.


One‑Page Summary Template

Use‑case:
Owner (SRO):
Lawful basis:
Data sources/fields:
KPIs & thresholds:
Human‑in‑the‑loop points:
Risks & mitigations:
Transparency note URL:
Go‑live date / review cadence:


Tip: Pair this checklist with the AI Readiness & ROI Sprint to prioritise use‑cases and fill each evidence item during the two‑week window.

FAQs

Does DUAA replace UK GDPR?

Do I always need a DPIA?

How do I handle shadow AI?