Consumer protection and dispute resolution

What is the data protection legislation?

UK GDPR and DPA 2018 govern personal data; DUAA 2025 adds rules, including duties for online services to protect children’s data.

Whos does the data protection legislation apply to?

Anyone processing personal data (not domestic), giving rights to individuals and requiring secure handling by controllers and processors

What info does the data protection legislation apply to?

Any data that can identify a person; anonymised data is excluded; covers both electronic and paper records.

Categories of sensitive personal data

race or ethnic origin; • political opinions; • religious or philosophical beliefs; • trade union membership; • genetic data; • biometrics (where used for ID purposes); • health information; • information about sex life; and • sexual orientation.

What are the data protection principles?

• Lawfulness, Fairness & Transparency – Have a legal basis, process fairly, and be clear (e.g., privacy notice).

• Purpose Limitation – Use data only for its original purpose unless consent or legal allowance exists.

• Data Minimisation – Collect only what’s necessary.

• Accuracy – Keep data correct and up to date.

• Storage Limitation – Don’t keep data longer than needed.

• Integrity & Confidentiality – Protect data with proper security.

• Accountability – Be responsible and show compliance (e.g., keep records, publish privacy notices).

What legal basis is required for lawful processing?

• Consent: Must be clear, specific, informed, and easy to withdraw (no pre-ticked boxes).

• Contract: Needed to perform a contract or pre-contract steps.

• Legal Obligation: Required by law.

• Vital Interests: Protect life (rare cases).

• Public Task: For official authority or public interest tasks.

• Legitimate Interests: For business needs unless overridden by individual rights (DUAA eases rules for emergencies, safeguarding, crime prevention).

What rights does the individual have?

• To be informed: About data use, retention, and sharing.

• Access: Request and receive a copy (SAR within 1 month).

• Rectification: Correct inaccurate data.

• Erasure: “Right to be forgotten” (limited cases).

• Restrict Processing: Pause use but allow storage.

• Data Portability: Transfer data securely between providers.

• Object: Stop processing (absolute for marketing).

• Automated Decisions: Right to human review and challenge.

What steps of governance should be taken?

• Keep records, policies, risk registers, and security measures.

• Data Protection Impact Assessment for high-risk data.

• Written agreements with processors; appoint Data Protection Officer if needed.

• DUAA requires easy electronic complaints process.

What is the rule for international transfers

Allowed only if the destination has protection not materially lower than UK standards

What is a breach notification?

Report breaches to ICO if risk exists; notify individuals if risk is high.

Consumer Rights Act 2015

Only fair, clear, and prominent terms bind consumers; unfair terms that disadvantage them are invalid.

What is a complaint?

Any oral or written complaint about a financial service, claiming actual or potential financial loss, distress, or inconvenience

What makes a complaint eligible?

Consumer, small business, charity/trust under limits, CBTL customer, or guarantor.

How long must complaint files be retained for?

3 years

What is a final response?

Within 8 weeks of receiving a complaint:

• A written reply that:

  • Accepts the complaint and offers redress/remedial action, OR

  • Offers redress/remedial action without accepting the complaint, OR

  • Rejects the complaint with reasons.

• Must include FOS leaflet.

• Must tell the complainant:

  • If still dissatisfied, they can refer to FOS within 6 months

What is a written response?

Within 8 weeks of receiving a complaint:

• Explains why final response isn’t ready and gives an expected timeframe.

• Tells complainant they can refer to FOS now.

• Includes FOS leaflet.

What is the Financial Ombudsman Service (FOS)?

• Free, independent, and impartial.

• Resolves disputes that firms cannot settle internally.

• Membership is compulsory for all FCA-authorised firms.

Who can complain to FOS?

• Consumers.

• Micro-enterprises (<10 employees, turnover ≤ €2m).

• Charities (income < £6.5m).

• Trustees (assets < £5m).

• Small businesses (<50 employees, turnover < £6.5m or assets < £5m).

• Guarantors.

What are the types of redress?

Money award - firm pays a specific sum (up to FOS limit)

Directions award - firm takes corrective action eg pay rejected claim, calculate and pay redress, apologise to customer

What must the complainant do before going to FOS?

Must complete the firms internal complaints process and still be dissatisfied with the outcome

What is the FSCS?

Financial Compensation Scheme - UK’s last-resort compensation fund.

• Protects customers of:

  • Banks/building societies

  • Investment firms

  • Insurance companies and intermediaries

• Helps when a firm is insolvent or unable to pay claims.

Who does the FSCS cover?

• Mainly private individuals.

• Also covers small businesses (turnover < £1 million).

What amount of protection can a policyholder receive if they have 100% cover?

Full protection for:

• Third‑party motor

• Employers' liability

• Whole of life assurance

• Term life & critical illness*

• Insured personal pensions*

• Annuities*

• Income protection (PHI)*

• Professional indemnity*

• Claims due to death/injury/sickness*

• Building guarantee policies (100% if firm failed after 8 Oct 2020)

*100% only if firm failed after 3 July 2015 (otherwise 90%).

What amount of protection can a policyholder receive if they have 90% cover (no limit)?

Covers 90% of claims for:

• Motor (first party)

• Pet insurance

• Travel

• Home

• Dental

• Health

• Warranty

• Public liability

• Property insurance

How is the FSCS funded?

Funded by a levy on all FCA‑authorised firms.

Ethical standards

They focus on how to achieve morally right outcomes in specific situations.

CII code of ethics

It is a set of ethical principles designed for insurance and financial services professionals globally.