For many firms, the implementation of the Data (Use and Access) Act 2025 (DUAA) may feel like a completed project.
Privacy notices have been reviewed. Policies have been updated. Internal communications have been circulated.
However, one of the biggest risks facing firms is assuming that compliance ends there.
The reality is that the DUAA is not simply a legislative update. It represents a shift in how organisations are expected to govern, use and justify their use of personal data. For consumer credit lenders and brokers, the impact extends far beyond legal documentation and into day-to-day operational practice.
The question compliance teams should be asking now is simple: Have operational processes evolved alongside the policy changes?
Moving beyond policy updates
Whenever significant legislative changes occur, firms naturally focus on documentation.
Privacy notices, data protection policies and internal guidance are reviewed to ensure they reflect the latest requirements. While this is necessary, it is only the starting point.
Regulators are rarely interested in what a policy says if operational practice does not support it.
The Information Commissioner’s Office continues to emphasise accountability and demonstrable compliance. This means firms should be able to evidence not only what their policies require but how those requirements are embedded into business operations.
For many organisations, this is where the real work begins.
Reviewing lawful basis decisions
One of the most significant areas affected by the DUAA is the application of lawful bases for processing.
The introduction of recognised legitimate interests has prompted many firms to revisit historic assumptions around consent and legitimate interests. However, updating policy wording is not enough.
Compliance teams should be reviewing how lawful basis decisions are made in practice and whether those decisions remain appropriate across different business functions.
This is particularly relevant in areas such as:
- lead generation;
- marketing communications;
- customer onboarding;
- affordability assessments; and
- customer account management.
A lawful basis that appears appropriate in one context may not be appropriate in another.
Consistency is critical.
Marketing remains a key risk area
Marketing and lead generation continue to attract significant regulatory attention.
The DUAA has not reduced expectations around consent. In fact, the continued focus from the ICO suggests firms should be paying closer attention to how consent is obtained, recorded and relied upon.
Consumer credit firms often operate within complex distribution models involving brokers, introducers, affiliates and lead generators. This can create uncertainty regarding who obtained consent, what the customer was told and how information may be used.
Firms should ensure that existing arrangements remain aligned with both ICO expectations and wider Consumer Duty requirements.
The ability to demonstrate a clear audit trail remains essential.
Complaints handling and data governance
An area that is sometimes overlooked is the relationship between data governance and complaints handling.
Many complaints involve disputes about information held by the firm, how decisions were reached or how customer information has been used.
The DUAA reinforces the importance of maintaining accurate, accessible and well-governed records.
This is particularly important where complaints relate to:
- affordability assessments;
- credit reporting;
- customer communications;
- vulnerability considerations; or
- collections activity.
Poor data governance can quickly become a complaints issue, and complaints issues can quickly become regulatory issues.
DSARs remain a valuable health check
Data Subject Access Requests continue to provide valuable insight into operational effectiveness.
A well-managed DSAR process demonstrates that a firm understands its data, can locate information efficiently and can explain how decisions have been reached.
Conversely, difficulties responding to DSARs often reveal wider governance weaknesses.
Many firms are increasingly finding that DSARs act as an early warning system for issues relating to data quality, record keeping and operational consistency.
From both an ICO and FCA perspective, these insights should not be ignored.
The growing overlap with Consumer Duty
One of the most important developments over the past year has been the growing alignment between data governance and customer outcomes.
The Financial Conduct Authority is increasingly focused on the quality of the information firms use to make decisions. Whether assessing affordability, identifying vulnerability or resolving complaints, firms rely on data.
If that data is inaccurate, incomplete or poorly governed, the quality of customer outcomes is likely to be affected.
This means that data protection is no longer simply an ICO issue; it is increasingly becoming a Consumer Duty issue as well.
What firms should be doing now
Rather than treating the DUAA as a completed implementation project, firms should use this period to assess whether operational processes remain aligned with regulatory expectations.
This includes reviewing:
- lawful basis decisions;
- marketing and lead generation controls;
- DSAR processes;
- complaints handling procedures;
- data governance frameworks; and
- staff understanding of data-related responsibilities.
Most importantly, firms should be confident that they can explain not only what they do with customer data, but why they do it and how those decisions support good customer outcomes.
How ALPH Legal & Compliance Can Support
ALPH Legal & Compliance supports consumer credit firms in reviewing the operational impact of the Data (Use and Access) Act 2025 and ensuring that data governance frameworks align with both ICO and FCA expectations.
We work with firms to assess lawful basis decisions, review marketing and lead generation practices, strengthen complaints and DSAR processes and ensure that data governance supports good customer outcomes throughout the customer lifecycle.
As regulatory scrutiny continues to increase, firms that can clearly demonstrate how data is governed, used and monitored will be far better positioned to manage both compliance and conduct risk.
To discuss how ALPH can support your firm, get in touch directly.
