Consumer Data Right (CDR) participant accreditation + compliance

Who must comply

Designated data holders + accredited data recipients in banking, energy, and (in scope) non-bank lending and telecommunications.

What triggers it

Becoming a data holder or accredited recipient.

When due

Continuous; incident notification within 30 days.

Evidence required

Accreditation, CDR Policy, Privacy Safeguard compliance documentation, incident register.

Max penalty

Civil penalties up to ~$50M / 30% turnover for serious breaches