Data subject access requests (DSARs) are no longer just a data protection issue.
Across consumer credit firms, DSARs are increasingly overlapping with complaints, regulatory scrutiny and wider conduct risk. What was once seen as an operational or legal process now sits much closer to the heart of governance and customer outcomes.
Both the Information Commissioner’s Office and the Financial Conduct Authority are taking a closer interest in how firms manage these interactions. For compliance and operational teams, the expectation is clear. DSARs must be handled consistently, transparently and in a way that aligns with wider complaints and conduct frameworks.
Where DSARs and complaints collide
In practice, DSARs rarely arrive in isolation.
They are often triggered at the same time as a complaint, particularly where customers are challenging affordability decisions, historic lending or collections activity. In these cases, the DSAR becomes part of a broader dispute, not just a request for information.
This creates complexity. The information disclosed through a DSAR can directly influence how a complaint is assessed, escalated or defended. If responses are inconsistent or incomplete, firms can quickly lose control of the narrative.
Customers do not distinguish between internal processes. They expect a coherent, accurate and timely response. Regulators do as well.
The challenge of fragmented data
One of the most common issues firms face is data fragmentation.
Customer information often sits across multiple systems. Application data, communications, call recordings, underwriting notes and collections activity may all be stored separately. When a DSAR is received, pulling this together accurately and consistently can be challenging.
Where processes are manual or poorly coordinated, the risk of omission or inconsistency increases. This can lead to incomplete disclosures, conflicting information or delays in response.
From a regulatory perspective, this is not just a technical issue. It raises questions about data governance, operational control and the firm’s ability to manage customer information effectively.
Consistency and control are under scrutiny
Regulators are increasingly focused on how firms manage DSARs in practice.
This includes how requests are logged, how data is identified and reviewed, and how decisions are made (including by who) about what to disclose. It also includes how DSARs interact with complaints handling, particularly where the same information is being assessed through different processes.
Inconsistent approaches can quickly become visible. A complaint response that references information not included in a DSAR, or vice versa, creates risk. So does a lack of clear audit trail showing how decisions were made.
Firms are expected to demonstrate control. That means having clear processes, consistent application and the ability to explain decisions if challenged.
Where DSARs and Consumer Duty now overlap
DSARs are increasingly becoming a practical test of Consumer Duty in action
At a basic level, a DSAR is about giving customers access to their data. In practice, it reveals something more important, it shows how well a firm understands its own decision-making, how clearly it records customer interactions and how consistently it applies its processes.
This is where the expectations of the Information Commissioner’s Office and the Financial Conduct Authority begin to align.
From an ICO perspective, firms must be able to provide accurate, complete and accessible information. From an FCA perspective, firms must be able to evidence fair treatment, appropriate decision-making and good customer outcomes. In reality, both rely on the same thing: robust, well-governed data.
A DSAR can quickly expose gaps. Missing affordability evidence, inconsistent communications, or unclear decision rationale can all undermine both a firm’s data compliance position and its ability to demonstrate that it has acted in line with Consumer Duty.
It also highlights how information is used, not just how it is stored. If data has been collected but not properly considered in lending, collections or complaints decisions, regulators will question whether customer outcomes have been properly assessed.
In this sense, DSARs are no longer just administrative processes. They are a lens through which regulators can assess how effectively a firm connects data, decisions and outcomes.
Why firms are still getting this wrong
Many firms have invested in DSAR processes, but challenges remain.
In some cases, responsibility sits too narrowly within data or legal teams, with limited operational input. In others, processes exist but are not fully aligned with complaints handling or customer journey oversight.
There can also be a tendency to treat DSARs as standalone events rather than as indicators of broader issues. Rising volumes, repeated requests or links to specific products or channels can all provide valuable insight if analysed properly.
Where that insight is missed, the same issues tend to repeat.
Acting before issues escalate
The risk with DSARs is rarely the request itself. It is what the request reveals.
Firms that take a proactive approach can use DSARs to identify gaps in data quality, process design and governance. This often involves reviewing how information is stored, how systems interact and how responses are coordinated across teams.
It also involves ensuring that complaints and DSAR processes are aligned, so that customers receive consistent and coherent responses.
As regulatory expectations continue to evolve, this level of coordination is becoming essential.
How ALPH Legal & Compliance Can Support
ALPH Legal & Compliance supports consumer credit firms in strengthening their approach to DSARs, complaints and data governance.
We work with firms to review end-to-end processes, identify areas of fragmentation and ensure consistency between data handling and complaints frameworks. This includes DSAR audits, complaints alignment reviews and governance assessments.
As scrutiny from both the ICO and FCA continues to increase, firms that can demonstrate clear control over their data and customer interactions will be far better positioned to manage risk and respond confidently.
To discuss how ALPH can support your firm, get in touch directly.