ICO’s Consultation on Data Protection Complaints Process

What Consumer Credit Firms Need to Know

In 2025, the ICO launched a consultation proposing significant changes to how data protection complaints must be handled. 

For consumer credit firms—where customer interactions are constant, data flows complex, and complaints frequently overlap with credit decisions—these changes carry both opportunity and risk. 

In this blog, we explain the draft proposals, why they matter to credit lenders and brokers, and what your firm should do now to stay ahead.

What the ICO Proposes: Key Elements of the Draft Complaints Process

The consultation outlines a more structured, transparent complaints regime. Key proposals include:

• Accessible complaint routes and clear notices: Firms must publish accessible channels for data protection complaints (online forms, email, phone or postal). Notices should clearly state rights, timelines, escalation routes, and appeal rights.
• Mandatory acknowledgments and progress updates: On receipt of a complaint, firms should acknowledge promptly and issue periodic progress updates until resolution.
• Investigation standards and decision notices: Complaints must be fully investigated, documented, and final decision notices provided with reasons for the outcome and information on next steps/appeals.
• Record-keeping and audit trails: Firms should maintain a complaint log with timestamps, decision rationale, internal escalation records, and customer communications.
• Escalation / independent review rights: Some complaints (especially where refusal is upheld) may need an independent review or appeal path.
• Timeliness: The draft proposes statutory timeframes for acknowledgments, updates, and final decisions (e.g. 7 days to acknowledge, 1 month to decide, etc.).
• Publication and reporting requirements: Firms may be required to report complaint volumes, outcomes and root cause metrics to the ICO.

The consultation remains open until 31st October 2023, with the intention that parts of this become statutory via the Data (Use and Access) Act (DUAA).

Why It Matters to Consumer Credit Firms

1. Volume and complexity of interactions

Credit firms handle underwriting, servicing, arrears, collections, affordability reviews — each of these is fraught with data use. Customers are more likely to complain about how data is used alongside credit decisions.

2. Overlaps with scoring and automated decisions

Many credit decisions rely on automated scoring or profiling algorithms. A data complaint (e.g. about personal data accuracy or fairness) may intersect with how that algorithm reached a decision.

3. Reputational and regulatory risk

If complaints handling is opaque, slow or inconsistent, brand damage and consumer distrust follow. The ICO may also use poor complaint processes as evidence of systemic weakness in supervision.

4. Consumer Duty and outcomes requirement

Under the Consumer Duty, firms must show they monitor and remediate harm. A transparent complaints process is part of evidencing good consumer outcomes.

DUAA, the ICO Audit Framework and Complaints — the intersection

• The DUAA (Data Use & Access Act 2025) is expected to embed new complaints-handling obligations into law. Thus, the consultation’s proposals likely become statutory under DUAA implementation.
• The ICO Audit Framework includes a DSAR / Complaints toolkit. The draft proposals map closely to that toolkit. Firms currently using the audit tracker will find it easier to upgrade processes to the draft standard.
• Because the Audit Framework is “live” today, firms should treat its complaint toolkit as the baseline floor and layer the draft proposed enhancements on top.

What Firms Should Do Now: Readiness Checklist

Below is a practical roadmap to prepare for the final regime:

• Gap assessment

Compare your existing complaints/DSAR process against the draft requirements. Use the ICO’s DSAR/Complaints toolkit as your baseline. Mark missing features (e.g. acknowledgment, escalation, audit trail).

• Redesign complaint workflows

Draft or update your complaint forms, acknowledgment templates, progress-update templates, decision notices, and appeals escalation paths.

• Implement timestamped logging

For each complaint, log submission time, acknowledgment, progress updates, escalation steps, decision date and communication sent. The log must be auditable.

• Train frontline, compliance, collections and credit teams

Ensure all teams who may receive or handle complaints understand the new requirements and escalation triggers.

• Board and senior oversight

Add complaints metrics to management dashboards and board packs now: volume trends, aging of open complaints, root-cause categories.

• Vendor / Introducer alignment

If you use brokers, third-party vendors or introducers, ensure their complaints handling meets equivalent standards or that you can supervise and consolidate complaint logs.

• Mock audits and scenario testing

Run simulated complaints (especially edge cases: refusal, appeal, overlapping credit data dispute) to test your process and documentation.

Evidence You’ll Need to Demonstrate Compliance

When the ICO or auditors assess your complaints process, these are the documents and artefacts they’ll want to see:

• Completed gap assessment and updated process maps
• Complaint-log history (with all timestamps, escalation, decisions)
• Acknowledgment, update and decision notice templates
• Root cause analysis: summaries and remediation actions
• Training records and scripts for staff handling complaints
• Vendor/introducer complaint handling policies aligned with yours
• Board-level reporting, committee oversight, KPIs

Keeping a “Complaints Management Evidence Pack” is wise — a single folder with all relevant documentation, ready for supervisory review.

Practical Example (Credit Firm Scenario)

Imagine a borrower disputes a credit scoring decision, claiming inaccurate data. Under the new regime:

• You’d issue an acknowledgment within the proposed 7 days.
• Provide periodic updates if the investigation stretches.
• Document your investigation (data sources checked, algorithm explanation, any adjustments).
• Issue a decision notice with reasons.
• Offer an internal appeal or escalation route.
• Log every step with timestamps.
• Report the category (algorithm / accuracy / fairness) into complaint MI and trend analysis.

This level of structure ensures transparency and demonstrates compliance with both the draft regime and anticipated DUAA obligations.

How ALPH Legal Can Help

At ALPH Legal we assist consumer credit firms with:

• Gap assessments vs. ICO’s draft complaint process
• Full process redesign: customer forms, acknowledgment, decision notices
• Mock complaint audits and scenario testing
• Training for complaint handling across credit, collections and compliance teams
• Creation of “Complaints Evidence Packs” for internal audits / external review
• Board-level dashboards and MI alignment

If you want a complaint-process readiness review or mock audit before the new rules land, we can help you embed a defensible, auditable complaint process ahead of regulation.

ALPH Legal & Compliance can assist with all aspects of your business’s compliance needs, whether that be compliance structure and policy, internal/external audit, business and regulatory change support, authorisation, supervision or just some general expert advice and guidance!

Take action now with ALPH Legal & Compliance services!

With all the regulatory shifts on the horizon, now is the time to act. Don’t wait until compliance gaps appear—engage with ALPH Legal & Compliance today to ensure your firm is ahead of the curve. Whether you need tailored guidance, compliance support, or strategic insights to drive new business, ALPH Legal & Compliance is your trusted partner in navigating FCA regulations with confidence.