Choosing the right lawful basis for data processing should be straightforward.
In practice, it is one of the areas where firms most frequently get it wrong.
For consumer credit lenders and brokers, the distinction between legitimate interests and consent sits at the centre of how customer data is used. It affects marketing, lead generation, affordability, account management and complaints handling.
Recent developments under the Data (Use and Access) Act 2025, alongside continued focus from the Information Commissioner’s Office (ICO), mean expectations are becoming clearer. At the same time, scrutiny is increasing.
The key challenge is not understanding the definitions. It is applying them consistently in practice.
Start with the purpose, not the preference
One of the most common mistakes is selecting a lawful basis based on convenience.
In reality, the starting point should always be the purpose of the processing.
If the activity is necessary to deliver a product or manage a customer relationship, legitimate interests may be appropriate. If the activity involves giving customers a genuine choice about how their data is used, consent is more likely to be required.
The distinction is not always obvious, but it is critical.
A useful way to frame it is simple. If the processing would reasonably be expected by the customer and is necessary for the service being provided, legitimate interests may apply. If the processing goes beyond that expectation, consent is likely to be the correct route.
Where legitimate interests are typically appropriate
For consumer credit firms, the legitimate interests basis is often appropriate where data use supports core business functions.
This includes areas such as assessing credit risk, preventing fraud, managing accounts and monitoring customer outcomes. In these scenarios, data use is closely linked to the service being provided and is generally understood by customers.
The introduction of recognised legitimate interests under the Act provides additional clarity in certain areas, particularly where the benefit of processing is clear and proportionate.
However, this does not remove the need for careful consideration. Firms still need to be confident that their use of data is necessary and aligned with customer expectations.
Where consent is still required
Consent remains essential in a number of key areas.
Marketing is the most obvious example. Where firms are contacting customers with promotional messages, particularly where those customers have not actively engaged with the firm, consent is typically required.
This is especially relevant for credit brokers and firms relying on third-party leads. Poorly structured consent, unclear data sharing or over-reliance on indirect permissions continue to create significant risk.
Consent is also important where customers are given a genuine choice about how their data is used. If that choice is not clearly presented and freely given, the validity of consent can be challenged.
The risk of getting it wrong
Incorrectly applying lawful bases can have wider consequences than many firms expect.
From an ICO perspective, it can lead to enforcement action, particularly in relation to marketing practices. From a Financial Conduct Authority (FCA) perspective, it can undermine customer outcomes, particularly where data is used to support decisions around affordability or product suitability.
Issues in this area often surface through complaints or data subject access requests. Customers may challenge how their data was obtained or used, and inconsistencies can quickly become visible.
This is where data protection and conduct risk begin to overlap.
Applying the decision in practice
The real challenge is consistency.
Different parts of the business may take different approaches to lawful basis decisions. Marketing teams may rely on consent, while operational teams apply legitimate interests. Without clear alignment, this can lead to conflicting practices.
Firms should aim to apply a consistent framework across the customer lifecycle. This means clearly defining where the legitimate interests basis applies, where consent is required and how these decisions are documented.
It also means ensuring that these decisions are understood across the business, not just within compliance functions.
A simple sense-check
A practical way to test your approach is to ask two questions.
First, would the customer reasonably expect this use of their data?
Second, can the firm clearly explain and justify that use if challenged?
If the answer to either question is unclear, the lawful basis should be revisited.
This is not about applying rigid rules. It is about ensuring that decisions are logical, consistent and defensible.
The link to customer outcomes
Lawful basis decisions are not just a data protection issue.
The Financial Conduct Authority is increasingly focused on how data supports customer outcomes. If data is used in ways that customers do not understand or expect, it can affect trust, decision-making and overall experience.
This is particularly relevant in areas such as marketing, affordability and complaints handling, where data plays a central role.
Firms should therefore consider lawful basis decisions as part of their wider approach to Consumer Duty.
How ALPH Legal & Compliance Can Support
ALPH Legal & Compliance supports consumer credit firms in applying lawful bases in a clear, consistent and practical way.
We work with firms to review data usage across the customer lifecycle, assess where legitimate interests and consent are appropriate and ensure that decisions are properly documented and embedded. This includes support across marketing practices, data governance and Consumer Duty alignment.
As scrutiny continues to increase, firms that take a structured approach to lawful basis decisions will be far better positioned to manage both regulatory and reputational risk.
To discuss how ALPH can support your firm, get in touch with our team directly.
