ICO’s Data Protection Audit Framework & the DUAA

What consumer-credit firms must do (and how to show it)

The ICO’s Data Protection Audit Framework (published October 2024) gives firms a practical checklist and audit trackers for assessing data-protection maturity across nine control areas. For consumer-credit firms — who process large volumes of highly sensitive personal and financial data across origination, servicing and collections — the framework is an immediate, practical baseline. At the same time the UK’s Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025, introduces new statutory requirements that directly affect how regulated firms collect, process, and share customer information.

Below is an overview of what the DUAA requires that is most relevant to consumer-credit firms, how it interacts with the ICO audit framework, and practical steps (with evidence examples) to demonstrate compliance to auditors, senior management and the regulator.

What the DUAA changes — key points for credit firms

Phased implementation and transitional approach.
The DUAA is phased in across 2025–26. The ICO will publish staged guidance and consultations interpreting its provisions. Firms must plan for a rolling implementation rather than a single cut-over.

New complaints-handling expectations.
DUAA embeds statutory expectations for how data-protection complaints must be handled — including accessible procedures, acknowledgement and updates, and timely outcomes. The ICO’s ongoing consultations provide guidance on new minimum timeframes, so firms should now update their DSAR and complaints procedures accordingly.

Automated decision-making and AI governance.
DUAA clarifies and, in places, loosens the strictness of the old Article 22 GDPR ban on fully automated decisions. However, it adds stronger obligations around transparency, fairness and explainability. Firms using credit scoring or affordability algorithms will need updated DPIAs, model documentation, and bias testing logs.

New lawful-basis categories and data-sharing duties.
DUAA introduces the concept of “recognised legitimate interests” and modernises data-sharing and access rules. Credit brokers and lenders must re-map lawful bases for processing and update contracts with introducers, credit reference agencies, and third-party processors.

Active ICO oversight and updated toolkits.
  The ICO has confirmed that its audit toolkits and guidance will be updated to align with the DUAA — meaning firms that embed the 2024 frameworks now will be well positioned to meet the upcoming requirements.

How the ICO Audit Framework supports DUAA compliance

The ICO’s nine toolkits cover the key areas DUAA will impact most — accountability, records management, information security, training, data sharing, DSARs and complaints, breach management, AI governance, and age-appropriate design. Firms should perform an internal audit using these toolkits and then map identified gaps to DUAA’s new obligations, particularly around AI, data sharing, and complaints handling.

DUAA readiness plan for consumer-credit firms

Run the ICO audit trackers.
  Start with the Accountability toolkit. Document governance structures, role allocations, data-flow mapping, and DPIAs. This will form the baseline for your DUAA compliance evidence.

Update DSARs and complaints processes.
  – Introduce formal acknowledgement and progress updates. 
  – Include clear escalation steps and closure summaries. 
  – Maintain an auditable log of all requests, acknowledgements, and responses.

Strengthen AI and automated decision-making controls.
  – Conduct DPIAs for scoring or affordability algorithms. 
  – Maintain explainability reports, bias testing evidence, and validation logs. 
  – Ensure suppliers provide contractual audit rights and model transparency commitments.

Re-map lawful bases and update contracts.
  Review “legitimate interest” assessments in light of DUAA’s updated list, and ensure supplier and introducer contracts reflect the Act’s data-sharing transparency requirements.

Enhance breach management and reporting.
  Revisit incident response policies, ensuring encryption, access control, detection, and escalation mechanisms are robust — especially for sensitive credit data.

Evidence board oversight and senior accountability.
  Maintain a DUAA readiness tracker and provide board updates with progress metrics, risk ratings, and remediation evidence.

Demonstrating adherence: what evidence the ICO will expect

  • Completed ICO toolkit trackers and documented remediation plans.  
  • Board minutes and risk reports showing DUAA review discussions.  
  • Updated DPIAs and AI model documentation.  
  • DSAR and complaints logs (with timestamps).  
  • Revised third-party agreements and lawful-basis registers.  
  • Training and competence records across key operational teams.

Keeping these in a single “DUAA Evidence Pack” will streamline audits and regulatory engagement.

The Nine ICO Toolkits (And What They Mean in Credit)

Below is a brief walkthrough of each toolkit with observations on how consumer credit firms should think about them:

| Toolkit | Key Focus | Relevance / Risks for Credit Firms |
|---|---|---|
| Accountability | Governance, oversight, DPIAs, mapping responsibilities | Ensuring clear roles (e.g. MLRO / Data Protection Officer), escalation, audit trail |
| Records Management | Documenting processing, retention policies | Credit firms must map data from loan origination, credit checks, arrears, etc. |
| Information & Cyber Security | Technical and organisational security controls | Protecting sensitive financial personal data is high risk |
| Training & Awareness | Staff education, phishing, handling customer data | Many compliance failures stem from weak staff awareness |
| Data Sharing | Sharing with third parties, intermediaries, affiliates | Credit firms often share credit data or use third parties (e.g. brokers) |
| Requests for Data | DSARs, data subject rights, access / portability | Volume of requests may spike; must be handled accurately and in good time |
| Personal Data Breach Management | Detection, reporting, remediation | Breaches in credit portfolios are high-impact; must have robust response plans |
| Artificial Intelligence | Algorithmic decisions, explainability, fairness | Increasing use of credit scoring and AI / ML models will attract scrutiny |
| Age-Appropriate Design | For processing minors or vulnerable persons | Credit is often digitally enabled; need consideration for consumer vulnerability |

Common Gaps and Pitfalls in Credit Firms

From reviewing public and sector commentary, common issues include:

  • Incomplete data-mapping: Not fully understanding all flows of customer data across systems, third parties, and affiliates. This aspect is vital both to DUAA compliance and to your Firm’s Consumer Duty obligations; ALPH can help you get both aspects right from the outset!
  • Weak DSAR controls: Delays or errors in handling subject access requests, especially where data sits across legacy systems.
  • Cybersecurity disconnects: For example, inadequate segmentation or encryption of sensitive data (credit scores, financial history). Full policy reviews and documentation will help guide your Firm to what it needs and to sector best practice. ALPH can help you work through not only what you do in practice, ensuring an appropriate policy-to-operational transition, but also ongoing monitoring and audit so that you can confirm you are still getting it right.
  • Lack of DPIAs / algorithmic oversight: Especially where underwriting models are changing, or decisions made by AI/ML.
  • Inconsistent vendor oversight: Third-party providers of KYC, credit scoring, data enrichment may lack strong data governance.

Where ALPH Legal & Compliance can help

At ALPH Legal & Compliance, we help consumer-credit firms interpret and operationalise new regulatory expectations. Our services include:  

  • DUAA readiness assessments and evidence-pack creation.  
  • Full audit support using the ICO toolkits.  
  • Reviews of DSAR, complaints, and AI governance frameworks.  
  • Contract and lawful-basis re-mapping.  
  • Ongoing compliance oversight and monitoring.

Our specialists work directly with compliance leaders and firm boards to ensure DUAA compliance becomes demonstrable, documented, and defensible — before the ICO comes knocking.

Contact our team today and take control of your compliance future!

**Sources and further reading:**
[GOV.UK — Data (Use and Access) Act 2025 overview](https://www.gov.uk/)
[ICO — Data Protection Audit Framework](https://ico.org.uk/)
[ICO — DUAA Consultation updates](https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/08/ico-launches-consultations-for-data-use-and-access-act-2025-amendments/)
Lexology — “Data (Use and Access) Act 2025: the UK’s data reform explained”
