Updated DSAR Guidance Under the Data (Use and Access) Act: What Financial Services Firms Need to Know

Data Subject Access Requests (DSARs) have long been a pressure point for financial services firms. They are operationally disruptive, legally sensitive and often triggered at moments of heightened customer dissatisfaction, whether that be complaints, arrears, collections or disputes.

With the introduction of the Data (Use and Access) Act (DUAA) and updated guidance from the ICO, the regulatory direction of travel is clear. DSARs are no longer viewed as a procedural data right alone, but as part of a wider framework of transparency, fairness and accountability.

For FCA-regulated firms, particularly in consumer credit, this has important implications.

Why DSARs matter more than firms often realise

In consumer credit, DSARs rarely arrive in isolation. They are frequently linked to complaints, affordability disputes, commission challenges, collections activity or allegations of unfair treatment.

From a regulatory perspective, this makes DSAR handling a proxy for broader governance and conduct standards. How a firm responds, including timeliness, completeness and tone, can influence not only ICO engagement, but also FCA supervision.

The updated DUAA framework reinforces that DSARs are a customer right that must be respected without friction. Firms that treat DSARs as an inconvenience, or attempt to narrow responses excessively, expose themselves to regulatory risk.

What the DUAA changes in practice

The DUAA does not remove the obligation to respond to DSARs, nor does it lower standards. Instead, it clarifies expectations around proportionality, reasonableness and operational discipline.

Key themes emerging from the updated guidance include:

  • clearer expectations around search scope and data identification,
  • greater emphasis on timely and well-structured responses,
  • stronger scrutiny of refusal or limitation decisions, and
  • increased focus on how firms evidence compliance decisions.

For financial services firms, this means DSAR handling must be consistent, defensible and capable of being explained to a regulator.

The link to Consumer Duty and conduct risk

DSARs increasingly intersect with Consumer Duty obligations. Poor DSAR handling can undermine customer trust, exacerbate vulnerability and escalate disputes unnecessarily.

The FCA has made it clear that transparency and fair treatment extend beyond product design and communications. Where customers request access to their data, firms are expected to respond in a way that supports understanding — not confusion or frustration.

In supervision, the FCA is increasingly interested in how DSAR trends correlate with complaints, arrears and remediation activity. High volumes of DSARs following particular events or practices can signal deeper issues in customer outcomes.

Operational challenges firms still face

Despite years of experience, many firms continue to struggle with DSAR execution.

Common issues include fragmented data across systems, inconsistent decision-making, over-reliance on manual processes and a lack of clear ownership. In some cases, DSAR handling is delegated entirely to legal or compliance teams with limited operational insight.

From a regulatory perspective, this creates risk. Firms are expected to understand where customer data sits, how it is used, and why certain information is included or excluded. Inadequate system mapping or weak internal controls can quickly become apparent.

Governance and senior accountability

The DUAA reinforces that DSAR compliance is not just a technical exercise. Decisions around scope, exemptions and refusals require judgement, and judgement implies accountability.

For FCA-regulated firms, this brings DSARs firmly into the governance space. Senior managers should understand DSAR volumes, themes, response times and escalation risks. Boards should be sighted on whether DSAR handling is robust, resourced and consistent.

Where DSAR failures occur alongside conduct issues, regulators are increasingly likely to view this as a systemic weakness rather than an isolated error.

What good looks like now

Firms that manage DSAR risk well treat it as part of their wider customer outcomes framework. They maintain clear data maps, standardised processes and trained teams capable of responding proportionately and confidently.

They also monitor DSAR trends and use them as insight, not just compliance metrics. Spikes in requests often tell a story about customer dissatisfaction long before it surfaces elsewhere.

Crucially, they can explain their approach clearly to both the ICO and the FCA.

How ALPH supports firms on DSAR readiness

ALPH Legal & Compliance supports financial services firms with DSAR framework reviews, DUAA readiness assessments, process redesign and governance support. We help firms ensure DSAR handling aligns not only with ICO expectations, but also with Consumer Duty and FCA supervisory priorities.

Under the DUAA, DSARs are no longer a back-office issue. They are a visible test of transparency, fairness and operational control, and firms that treat them as such will be far better placed to manage regulatory risk.

 
