Data protection & AI governance 2025-2026

December 19, 2025

Governing AI agents: What organisations need to consider

January 19, 2026

Data Use and Access Act 2025: What UK Financial Services need to know

January 5, 2026

Expanding Open Banking to Open Finance

The DUAA provides the legal framework to expand Open Banking into broader Open Finance arrangements. It allows the government and regulators to develop regulated data sharing schemes for other financial products through secondary legislation. In time, this could support secure data sharing across areas such as pensions, investments, and insurance.

For firms, this could open the door to more personalised services and deeper customer loyalty. But it also raises the bar for data governance, with greater scrutiny over how shared data is accessed, protected, and used.

Mandatory participation in data sharing

The DUAA enables the UK government to mandate participation in specific data sharing schemes, where this is deemed necessary to support competition, innovation, or improved consumer outcomes. In practice, this means the government can mandate a regulator such as the Financial Conduct Authority (FCA) to design and oversee these schemes, including setting requirements around who must participate and which technical standards must be used.

For established firms, this may involve opening datasets and systems traditionally kept in-house, with greater scrutiny over data quality and access governance. For new market entrants, it creates a more level playing field and faster opportunities to innovate.

Mandatory participation signals a future where secure interoperability is the norm. Organisations should prepare by strengthening third-party due diligence, ensuring transparency for customers, and identifying gaps against emerging Open Finance standards.

A new framework for digital verification services

The DUAA also establishes a regulated framework for digital verification services (DVS), allowing trusted providers to carry out identity and eligibility checks on behalf of financial services organisations under a common set of standards. This aims to streamline onboarding, reduce fraud, and support secure digital journeys.

To adopt DVS effectively, firms must maintain transparency for customers, ensure providers meet UK General Data Protection Regulation (UK GDPR) standards, and retain accountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance. for verification outcomes. Ongoing supplier oversight will be critical as identity checks increasingly rely on third parties.

DVS provisions came into effect on 1 December 2025, moving them beyond the pilot stage. Service providers and conformity assessment bodies should now refer to the most recently republished versions of the trust framework and supplementary codes. The statutory DVS register is also now in place, replacing the previous non-statutory register.

Updated data protection rules

The Act introduces targeted amendments to the UK GDPR and Data Protection Act 2018, providing more flexibility and clarity. These include:

Stop-the-clock: Pausing statutory DSAR timelines when additional information is needed
Recognised Legitimate InterestsLegitimate interests is one of the six lawful bases for processing personal data. You must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle.: Enabling certain processing, such as fraud prevention or safeguarding, without relying on consentAn unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed.
Proportionate Data Subject Access RequestA verbal or written request made by a data subject to access their data (in a portable format if requested), be informed about how it is used, to have their data modified if it is incorrect, or to have it deleted. (DSAR) searches: Avoiding unnecessarily exhaustive searches where a practical approach is reasonable

The Act also reforms the Information Commissioner’s Office (ICOThe Information Commissioner's Office (ICO) is the United Kingdom’s independent supervisory authority for upholding information rights in the public interest, ensuring compliance with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).), with a greater focus on supporting innovation and competition whilst maintaining strong data protection oversight.

These changes deliver greater operational agility for financial firms, simplifying DSAR handling, supporting necessary processing, and enabling responsible innovation without weakening compliance.

Stronger penalties under PECR

The DUAA significantly increases the maximum penalty under the Privacy and Electronic Communications Regulations (PECR) from £500,000 to £17.5 million or 4% of global annual turnover, aligning it with the UK GDPR.

For financial firms using electronic marketing or web tracking, this raises the stakes considerably. Clear consent, accurate marketing lists, and robust cookie management will now be essential to avoid substantial enforcement action.

As digital engagement expands, marketing teams must ensure that compliance remains front-and-centre.

Next steps for organisations

The DUAA signals a future where data sharing is faster, more interoperable, and more tightly governed. Firms that act early will be best placed to innovate confidently and maintain trust as regulatory expectations evolve.

To prepare, organisations should:

Assess readiness for expanded Open Finance participation
Review onboarding and verification processes in line with DVS frameworks
Update risk assessments, policies, and PECR compliance
Monitor new ICO guidance and ensure governance remains robust

Frequently asked questions

What is the Data Use and Access Act (DUAA)?

The DUAA is new UK legislation designed to improve data access, interoperability, and innovation. The DUAA introduces targeted updates to the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, and the Privacy & Electronic Communications Regulations (PECR). Read our early overview of the DUAA for more information

When will the DUAA changes take effect?

The Act has been passed but many elements, including Open Finance implementation and updated ICO guidance, will be phased in through secondary legislation and regulatory rules.

Does the DUAA replace the UK GDPR?

No. It works alongside existing laws such as the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, introducing targeted amendments rather than a full replacement.

Which areas should financial firms prioritise first?

Open Finance readiness, digital verification frameworks, PECR compliance uplift, and governance updates to reflect the ICO’s evolving role.

The DPO Centre has extensive experience working with Finance and Insurance companies, providing compliant data protection solutions tailored to organisational needs. Contact us today to find out more.

Enquire

Fill in your details below and we’ll get back to you as soon as possible