UK GDPR in regulated firms: data protection by design
The intersection of UK GDPR (the EU GDPR as retained in UK law and read alongside the Data Protection Act 2018) and financial services regulation creates a compliance matrix that most regulated firms have only partially mapped. Financial services firms hold among the most sensitive personal data of any sector — payment histories, investment portfolios, credit records, insurance claims — and the lawful basis for processing this data is frequently more complicated than it first appears. Regulatory requirements to retain data for defined periods may conflict with the UK GDPR data minimisation and storage limitation principles; AML obligations to conduct customer due diligence may intersect with the obligation to respond to subject access requests; and marketing communications frameworks must be reconciled with both the FCA financial promotions rules and the UK GDPR direct marketing requirements.
The lawful basis question deserves particular attention. Many financial services firms default to 'legitimate interests' as their basis for processing personal data, without conducting the three-part legitimate interests assessment (LIA) that this basis requires. The LIA must identify the legitimate interest, assess whether processing is necessary for that interest, and balance the interest against the individual's rights and reasonable expectations. In a financial services context, the legitimate interest basis may well be appropriate for fraud prevention, internal compliance monitoring, or network security — but it is less clearly appropriate for marketing, profiling, or data sharing with group entities. Firms should review their records of processing activities (RoPA) to ensure that the lawful basis identified for each processing activity is genuine and defensible.
Individual rights obligations — including subject access requests (SARs), erasure, rectification, and objection to processing — create operational demands that many firms have not adequately resourced. A SAR must be responded to within one month (extendable to three months in complex cases), and failure to respond is subject to ICO enforcement. In financial services, SARs are frequently received in connection with actual or anticipated litigation, complaint investigations, or regulatory proceedings, and must be handled with care to ensure that legally privileged material is appropriately identified and withheld. Firms should ensure they have a documented SAR response process, trained staff responsible for coordination, and access to legal advice for complex cases.
The interface between UK GDPR and the FCA's SYSC rules on record-keeping is a persistent source of compliance complexity. SYSC 9 and sector-specific rules (COBS 11.8 for order and trade records, CASS 7 for client money records) impose mandatory retention periods that in some cases extend to seven years or more. These retention obligations provide a lawful basis for continued processing notwithstanding a deletion request, but firms must ensure that data retained for regulatory purposes is not simultaneously being used for commercial purposes — a practice that would undermine the regulatory justification.
Data protection impact assessments
UK GDPR Article 35 requires data protection impact assessments (DPIAs) for processing that is likely to result in high risk to individuals. In financial services, this includes large-scale profiling, automated decision-making with legal or similarly significant effects, and systematic monitoring of publicly accessible areas. Many financial services firms have not embedded DPIAs into their change management processes, meaning that new products, technology implementations, or data sharing arrangements are launched without the required assessment. This is an area of ICO enforcement priority, and firms should review their DPIA policies and governance arrangements.