DEV Community

Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR for Financial Advisers: Client Data, FCA Compliance and Suitability Records


Financial advisers sit at a particularly complex intersection of regulatory regimes. You handle some of the most sensitive personal data imaginable — investment portfolios, pension values, income details, health conditions that affect life cover — all while operating under FCA authorisation, Anti-Money Laundering legislation, and GDPR simultaneously. When these frameworks pull in different directions, knowing which obligation takes precedence can be the difference between a complaint and a clean audit.

This guide covers the key GDPR obligations for financial advisers in the UK, how they interact with FCA rules, and practical steps to build a compliant practice.


Client Financial Data and Personal Information

Every piece of information you hold about a client is personal data under GDPR: their name, address, National Insurance number, date of birth, financial circumstances, investment preferences, and risk appetite. Health and medical information disclosed for protection planning or later-life advice is special category data, attracting a higher standard of protection.

Your lawful basis for processing most client data will be contract (you need it to provide the service the client engaged you for) and legal obligation (FCA rules and AML legislation require you to collect and retain certain records). Consent is rarely the right basis for core financial advice data — but it becomes relevant when you use client data for marketing or share it with third parties beyond what the engagement contract requires.


FCA Regulation Alongside GDPR

The FCA's Conduct of Business Sourcebook (COBS) and the Senior Managers and Certification Regime (SMCR) impose their own data obligations that run parallel to GDPR. The FCA expects firms to maintain accurate client records, keep suitability files, and retain documentation of advice given.

Where FCA rules require you to keep data, GDPR's storage limitation principle does not override that. Article 17(3) of GDPR explicitly recognises that data retention required by law is a valid reason to decline an erasure request. The FCA's retention requirements therefore provide a clear legal basis for holding client records beyond the point a client might prefer them deleted.

However, FCA authorisation does not give you a blanket exemption from GDPR. The two regimes apply simultaneously, and you must satisfy both. A data breach, for instance, triggers both ICO notification obligations under GDPR and potential FCA notification requirements — particularly where the breach could affect firm integrity or client outcomes.


Know Your Customer and Anti-Money Laundering Data

KYC and AML processes require you to verify client identity, understand the source of funds, and maintain ongoing monitoring records. The Money Laundering Regulations 2017 (as amended) impose a legal obligation to collect this data — which means legal obligation under Article 6(1)(c) GDPR is your lawful basis for this processing.

This has important practical consequences. Because the basis is legal obligation rather than consent, clients cannot withdraw consent and halt your KYC processing. Nor can they successfully exercise the right to erasure in respect of AML records — the legal retention requirement overrides it.

AML records must typically be retained for at least five years from the end of the business relationship. Your privacy notice should explain this clearly, including that you have legal obligations to retain certain verification data regardless of the client's preferences.


Suitability Reports and Data Retention

FCA rules require you to retain suitability reports and the underlying client information used to produce them. The standard retention period for retail investment advice records is seven years from the date the advice was given (or longer for pension transfer and defined benefit cases, where many firms apply 30-year retention given potential future claims).

Under GDPR, you must document your retention periods and be able to justify them. A written data retention policy — specifying what categories of data are kept, for how long, and why — satisfies both the GDPR accountability principle and the kind of documentation the FCA expects to see in a competent file review.

When the retention period expires, data must be deleted or anonymised securely. For paper files, this means secure shredding. For digital records, it means deletion from all systems including backups, where technically feasible.


Sharing Data with Product Providers

When you submit a client application to an insurer, investment platform, or pension provider, you are sharing personal data with a third party. Under GDPR, that third party becomes an independent controller of the client's data (or in some cases, your data processor — though in financial services the former is more common).

Your privacy notice must inform clients about these disclosures. Clients have a right to know which organisations you share their data with, even if you cannot list every provider in advance. Using category descriptions ("insurance providers", "investment platforms") is acceptable where specific names cannot be known at the time the privacy notice is provided.

Where you work with a third-party paraplanning service, marketing firm, or client portal provider, those relationships require Data Processing Agreements (DPAs) under Article 28 GDPR. The DPA sets out what the processor can do with the data, security requirements, sub-processor rules, and data return or deletion obligations when the relationship ends.


Pension Transfer Data

Pension transfer advice — particularly defined benefit to defined contribution transfers — involves especially sensitive and complex data. You will typically hold scheme data, transfer value analysis, cash flow projections, health and longevity considerations, and the client's broader financial situation.

Given the enhanced regulatory scrutiny of pension transfer advice and the potential for future complaints many years after the advice was given, many firms apply extended retention periods of 25 to 30 years for this category. Your retention policy should document this rationale explicitly.

The ICO has noted that where a legal dispute is reasonably anticipated, retention of relevant records may be justified even beyond standard periods. For pension transfer cases — where FOS complaints can arise decades later — this is a legitimate consideration.


Vulnerable Client Data

The FCA's Consumer Duty and its vulnerability guidance require advisers to identify and appropriately respond to vulnerable clients. This often means recording information about health conditions, cognitive capacity, bereavement, or financial difficulty — all of which may constitute special category data under GDPR.

Special category data requires an additional condition under Article 9 beyond the standard Article 6 lawful basis. For financial advisers, the most applicable conditions are likely:

  • Substantial public interest (financial advice to vulnerable clients serves a regulatory purpose)
  • Vital interests (in limited emergency circumstances)
  • Explicit consent (where the client specifically agrees to the recording and use of their health information)

Whatever condition you rely on, document it. Your privacy notice should explain why you may ask about health or life circumstances and how that information is used and protected.


CRM Systems and Data Processing Agreements

Most financial advice practices use a CRM or back-office system — Intelliflo, Curo, Salesforce, Dynamics, or similar. These systems process client personal data on your behalf. Under GDPR, the provider is your data processor, and you must have a DPA in place with them.

Most established financial services CRM providers will have standard DPAs available. Before signing, check:

  • Where data is stored (UK/EEA or third country?)
  • What security certifications the provider holds (ISO 27001, SOC 2?)
  • Whether sub-processors are disclosed
  • What happens to your data if you terminate the contract

Tools like Custodia can help you audit your website and digital infrastructure to identify which third-party tools are processing visitor and client data, flagging any that lack adequate data transfer safeguards or privacy documentation.


Marketing to Past Clients Under PECR

The Privacy and Electronic Communications Regulations (PECR) apply alongside GDPR to electronic marketing. For email or SMS marketing to past clients, the soft opt-in exemption under PECR may apply if:

  1. You obtained the contact details in the course of a sale or negotiations for a sale
  2. You are marketing similar products or services
  3. The client was given a clear opportunity to opt out at the time their details were collected, and has not subsequently opted out

For financial advisers, this means you may be able to contact past investment clients about new investment or pension services without fresh consent — provided you gave them an opt-out opportunity at outset and they have not exercised it.

However, cold prospecting by email remains prohibited without prior consent. And where you are targeting individuals using profiling or segmentation to determine who receives marketing, ensure your privacy notice and data retention practices support that use.


Subject Access Requests

Clients and prospective clients can submit Subject Access Requests (SARs) asking for all personal data you hold on them. You have one month to respond (extendable by two further months for complex requests), and the response must be free of charge.

For financial advice practices, this can mean collating data from your CRM, email systems, file storage, compliance monitoring tools, and any other systems where client data appears. Building a clear data map of where client data lives — and having a documented SAR process — makes this manageable.

You can redact information that relates to third parties (such as other clients mentioned in a meeting note) and information subject to legal professional privilege. But you cannot refuse a SAR simply because providing the data would be inconvenient or commercially sensitive.

Custodia's compliance platform helps financial services firms track their data assets and respond efficiently to data subject requests, reducing the manual effort of SAR responses.


Data Breaches and FCA Reporting Obligations

Under GDPR, you must notify the ICO of personal data breaches within 72 hours where the breach is likely to result in risk to individuals' rights and freedoms. High-risk breaches must also be communicated directly to affected individuals without undue delay.

Financial advisers face a dual reporting obligation. The FCA also expects notification of significant data incidents — particularly where they affect the firm's systems and controls or could lead to client harm. FCA Principle 11 (relations with regulators) requires firms to disclose anything the FCA would reasonably expect to know.

In practice, this means your breach response procedure should address both ICO and FCA notification, and you should determine at the outset of an incident whether it meets both thresholds. Keep a record of all breaches, even those that do not meet the ICO notification threshold — the accountability principle requires a log.


Offshore Client Data Transfers

Where you have clients based outside the UK or EEA, or where you use technology providers storing data in third countries, GDPR's international transfer restrictions apply.

Post-Brexit, the UK's own international transfer framework — incorporating the UK GDPR and the ICO's International Data Transfer Agreement (IDTA) — applies. Transfers to countries with UK adequacy decisions are straightforward. Transfers to others (including the US, absent a specific adequacy finding) require appropriate safeguards such as Standard Contractual Clauses or the IDTA.

Review your technology stack carefully. Cloud storage, email platforms, and CRM systems frequently process data on servers in multiple countries. Your privacy notice should reference international transfers and the safeguards in place.


GDPR vs Legal Obligations: The AML/Erasure Conflict

One of the most practically important conflicts for financial advisers arises when a client requests erasure of their data — and you have AML obligations to retain it.

The answer is clear under GDPR: where processing is necessary for compliance with a legal obligation, the right to erasure does not apply. You can (and must, under AML rules) retain KYC verification data for the required period, even if the client requests deletion.

However, you should respond to the SAR or erasure request explaining this, identifying the specific legal obligation (the Money Laundering Regulations) and the retention period. A bare refusal without explanation risks an ICO complaint even where the underlying decision to retain is correct.

Similarly, FCA-required suitability records override any client preference for erasure during the mandatory retention period. After that period expires, there is no ongoing justification for retention, and data should be deleted.
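The retention and erasure logic described in this section and in "Suitability Reports and Data Retention" is easy to get wrong when it lives only in a policy document, so here is a small decision helper as an added example. It is not code from the original post or from Custodia; the record categories, the 30-year figure for pension transfers (the upper end of the range the post cites), the legal-basis wording and all sample dates are assumptions constructed for illustration. It encodes two points the post makes: the AML clock runs from the end of the business relationship rather than from the advice date, and an erasure request inside the retention period is refused with the legal basis and expiry date stated rather than with a bare refusal.

```python
"""Retention expiry and erasure-request decision helper.

Added example, not from the original post. Periods follow what the post states:
  AML/KYC records        5 years from the end of the business relationship
  Suitability records    7 years from the date the advice was given
  Pension transfer       30 years from the advice date (assumed upper end of 25-30)
Legal-basis strings below are illustrative wording, not quotations of the regulations.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    years: int
    clock_starts: str   # "advice_date" or "relationship_end"
    legal_basis: str    # cited in the reply to an erasure request


# Assumed categories and periods (see module docstring).
RETENTION_RULES = {
    "aml_kyc": RetentionRule(5, "relationship_end", "Money Laundering Regulations 2017 (as amended)"),
    "suitability": RetentionRule(7, "advice_date", "FCA record-keeping rules (COBS)"),
    "pension_transfer": RetentionRule(30, "advice_date", "FCA record-keeping rules (COBS); firm's extended retention policy"),
}


@dataclass(frozen=True)
class ClientRecord:
    category: str
    advice_date: date
    relationship_end: Optional[date] = None   # None while the client is still engaged


def make_record(category: str, advice_iso: str, end_iso: Optional[str] = None) -> ClientRecord:
    """Build a record from ISO dates (constructed sample input helper)."""
    end = date.fromisoformat(end_iso) if end_iso else None
    return ClientRecord(category, date.fromisoformat(advice_iso), end)


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 Feb maps to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(record: ClientRecord) -> Optional[date]:
    """Last day the record must be kept, or None if the clock has not started yet."""
    rule = RETENTION_RULES[record.category]
    if rule.clock_starts == "relationship_end":
        if record.relationship_end is None:
            return None   # still a client: AML retention clock has not started
        return add_years(record.relationship_end, rule.years)
    return add_years(record.advice_date, rule.years)


def erasure_decision(record: ClientRecord, today: date) -> dict:
    """Answer an Article 17 erasure request for one record.

    A refusal always names the legal obligation and the retention end date so the
    client receives an explained decision, not a bare refusal.
    """
    rule = RETENTION_RULES[record.category]
    expiry = retention_expiry(record)
    if expiry is None or today <= expiry:
        return {
            "action": "refuse",
            "reason": "Article 17(3) GDPR: retention required by a legal obligation",
            "legal_basis": rule.legal_basis,
            "retain_until": expiry.isoformat() if expiry else "relationship active; clock not started",
        }
    return {"action": "erase", "reason": "retention period expired", "retain_until": expiry.isoformat()}


def records_due_for_deletion(records, today: date):
    """Periodic review: records whose retention period has already expired."""
    due = []
    for r in records:
        expiry = retention_expiry(r)
        if expiry is not None and today > expiry:
            due.append(r)
    return due


if __name__ == "__main__":
    # Constructed sample data, not real client records.
    sample = [
        make_record("aml_kyc", "2018-03-01"),                 # still a client
        make_record("aml_kyc", "2015-03-01", "2018-06-30"),   # left in 2018
        make_record("suitability", "2016-02-29"),
        make_record("pension_transfer", "2000-01-01"),
    ]
    review_date = date(2024, 1, 1)
    for rec in sample:
        print(rec.category, erasure_decision(rec, review_date))
    print("due for deletion:", [r.category for r in records_due_for_deletion(sample, review_date)])
```

Run the module directly to see each record's decision on a given review date; the same functions can be called from a scheduled job that implements the "periodic review of data held" item in the checklist. Keeping the rules in one table also gives the written retention policy something concrete to be checked against.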


Practical Compliance Checklist for Financial Advisers

Data governance foundations

  • Written data retention policy covering all record categories (client files, suitability reports, AML records, correspondence)
  • Data map identifying where client data is stored and processed
  • DPAs in place with all data processors (CRM, back-office, paraplanning, marketing providers)

Client-facing obligations

  • GDPR-compliant privacy notice provided at client onboarding, covering all processing activities including AML, marketing, and data sharing with product providers
  • Clear process for handling SARs, erasure requests, and rectification requests within statutory timescales

Security and breach response

  • Documented data breach response procedure covering ICO notification, FCA notification, and client communication
  • Written log of all data incidents (reportable and non-reportable)
  • Regular access reviews to ensure only authorised staff can access client files

Marketing compliance

  • Records of marketing consent or soft opt-in basis for all contact lists
  • Clear opt-out mechanism in all electronic marketing
  • Separation of transactional and marketing communications

Ongoing monitoring

  • Annual review of DPAs as providers update their terms
  • Staff training on GDPR, PECR, and data breach procedures
  • Periodic review of data held to delete records past their retention date

Scan your firm's website and client-facing digital infrastructure for free at https://app.custodia-privacy.com/scan to identify trackers, cookies, and third-party data flows that may need attention in your privacy documentation.


This guide provides general information about GDPR obligations for financial advisers and does not constitute legal or regulatory advice. Consult a qualified solicitor or compliance consultant for advice specific to your firm's circumstances.
