Why Personal Data Protection Should Be a Priority for Finance Professionals

Finance is, by its very nature, a data-intensive profession. Whether you are managing client accounts, processing payroll, sharing information with lenders, or running forecasts that draw on sensitive commercial records, personal data flows through every corner of a finance operation. Yet for some business owners and finance leaders, data protection remains something handled elsewhere, a compliance checkbox sitting with IT or legal, rather than a strategic concern that sits squarely on the CFO’s desk.

That assumption carries real risk. With the DUAA 2025 now in force, the regulatory stakes for getting it wrong have increased.

The Finance Sector Sits at the Centre of Personal Data

Think about the personal data processed by a typical finance function in a day: client names, addresses, and banking details; salary records and employment contracts; credit information, investment histories, and tax references. Add to that the data shared with third-party providers (accountants, payment processors, software platforms), and it becomes clear that finance is one of the most personal-data-rich functions of any business.

This is precisely why the sector attracts close regulatory scrutiny. The Information Commissioner’s Office (ICO) does not distinguish between a global bank and an owner-managed business when it comes to the lawful handling of personal data. The obligations under UK GDPR apply regardless of size, and the consequences of non-compliance (financial penalties, reputational damage, and loss of client trust) are felt at every level.

For CFOs and finance leaders, personal data protection is not a distraction from strategic priorities. It is a component of financial risk management that belongs on the same agenda as cash flow, forecasting, and operational resilience.

What are the changes enforced by the Data (Use and Access) Act 2025?

The DUAA 2025 received Royal Assent on 19th June 2025, marking a significant update to the UK’s data protection framework. It amends, but does not replace, the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). The intent is to encourage innovation and reduce unnecessary administrative burden, whilst maintaining strong protections for individuals.

For those working in or around financial services, several provisions are particularly relevant.

For financial services organisations, the DUAA 2025 may streamline their ability to process personal data without always needing a legitimate interest assessment, for example in connection with fraud prevention, information security, intra-group administration, and direct marketing. This is a practical change that reduces friction for finance teams operating across group structures or managing fraud risk, though it does not remove the requirement to handle personal data responsibly.

Regarding enforcement, the regime has been stiffened. The DUAA 2025 aligns fines under PECR with those under the UK GDPR, raising the maximum enforcement penalty to £17.5 million or 4 per cent of global turnover. For any business that relies on electronic communications (marketing emails, automated notifications, or client correspondence), this alignment is a material escalation in potential financial exposure.

The DUAA 2025 also establishes a regulated framework for digital verification services (DVS), allowing trusted providers to carry out identity and eligibility checks on behalf of financial services organisations under a common set of standards. As more client onboarding moves through third-party verification tools, the obligation to maintain transparency and accountability for those processes rests with the organisation deploying them, not the provider.

There are also new requirements around complaint handling. Organisations will be required to put in place a formal complaints mechanism, acknowledge receipt of complaints within thirty days, and take appropriate steps to investigate each complaint without undue delay. For finance businesses with client-facing operations, this is a process change that needs to be built into operational workflows.

Why This Matters to Finance Leaders Specifically

The CFO’s role has expanded well beyond the numbers. Governance, risk, and compliance increasingly fall within the finance leader’s sphere, and data protection is no exception. A significant data breach or an ICO enforcement action carries a direct financial cost, but the downstream impact on client confidence, supplier relationships, and brand reputation can be harder to quantify and longer to recover from.

The best finance leaders treat data protection compliance in the same way they treat any other financial control: not as a burden, but as infrastructure that protects the value of the business.

Bringing in specialist support, whether through an outsourced Data Protection Officer (DPO) or a structured compliance review, is a proportionate investment that removes the uncertainty and puts the right governance in place. The return on that investment shows up in client retention, smoother due diligence processes, and the confidence of operating within the law.

Whether you need someone for a one-off audit or ongoing support, external help often pays for itself in clarity, speed, and confidence that you have covered the right ground. Get in touch to discuss how CSRB can help you use improved privacy and data protection processes for business improvement as well as compliance. Book an initial conversation and follow us on LinkedIn for the latest data protection news.