Setting the record straight on GDPR and customer vulnerability data

Many firms have historically struggled with collecting customer vulnerability data due to a perceived conflict between the FCA’s Consumer Duty regulations and GDPR. Feedback from firms has consistently highlighted uncertainty in this area, with some even reluctant to collect customers’ vulnerability data at all.

That hesitation is now becoming increasingly difficult to justify. A recent joint statement from the FCA and the Information Commissioner’s Office (ICO) has provided fresh clarity: data protection rules do not prevent firms from collecting, recording or sharing vulnerability data. In fact, they should not be seen as a barrier to delivering good customer outcomes.

Cementing its position

This stance certainly isn’t new. As far back as 2015 and Occasional Paper 8, the FCA made it clear that firms can and should capture customers’ vulnerability data appropriately. However, despite this longstanding guidance, uncertainty has remained – often driven by fear of GDPR enforcement. We have heard firms argue that not collecting vulnerability data is safer, because sanctions from the FCA will be far less than those from the ICO.

Back in 2024, the ICO issued a statement to say that Consumer Duty does not require firms to act in a way that is ‘incompatible’ with any regulatory requirements, including data protection law. This latest joint statement with the FCA only reinforces this position.

With Consumer Duty now firmly embedded, this statement reminds firms of their commitments to recognise indicators of vulnerability, record the issues and monitor and review them over the lifetime of products. It also calls on firms to respond to the needs of vulnerable customers and report on this with clear evidence.

Removing the perceived barrier

Data protection law allows firms to use personal information where it is necessary to protect individuals or provide appropriate support. The ICO, in the recent FCA/ICO joint statement, even sets out several lawful bases for firms to process data to identify consumers in vulnerable circumstances. For most financial services firms, the most suitable will be explicit consent.

This means obtaining clear consent – either verbally, digitally or in writing – recording how and when this was obtained and ultimately, being transparent with clients about how the data will be used.

Rather than being a blocker, GDPR provides firms with the framework to confidently gather necessary data in a structured, disciplined and compliant way.

Quality is key

While many firms have focused on whether they can collect vulnerability data, the actual challenge is how well they collect it.

We know that some firms use simplistic vulnerability ‘flags’, drop-down lists or even open text boxes in their CRMs to record that someone is vulnerable. These require a lot of staff training to ensure identical assessment and identification criteria – otherwise results are subjective and inconsistent, which is clearly at odds with GDPR’s accuracy and integrity requirements.

In our view, the best place to start is with objective and consistent assessment of all customers to understand a firm’s true proportion of vulnerable customers and gather the robust data required by both GDPR and Consumer Duty. The most logical and efficient way to do so is through digital customer vulnerability management and by utilising one of the purpose-built systems already available in the market.

Staying secure

Adopting a digital-first approach becomes equally important when you consider the security requirements for sensitive information. Robust IT systems enable firms not only to gather the necessary information in a consistent, objective manner, but also to ensure it is fully auditable, ready for reporting to the regulator, for any future subject access requests or for defending vexatious claims.

The right systems will allow firms to capture detailed objective vulnerability data, while producing summarised or scored outputs that can be shared across the distribution chain. In our case, with the MorganAsh Resilience System (MARS), we call it a Resilience Rating. It provides a top-level indication of a customer’s vulnerability without sharing extensive personal data. Finally, any good system should limit access based on role and need.

The call to share

Creating a secure ecosystem for sharing customers’ vulnerability data is a significant opportunity to improve outcomes – and one that both the FCA and the ICO want to see realised. Firms are actively encouraged to collaborate across the distribution chain, sharing individual consumer vulnerability information to ensure customers receive appropriate support throughout the product lifecycle.

This aligns closely with our current work with the CII, contributing to its data sharing taskforce to help develop more standardised data formats and practical guidance. Effective data sharing depends on good quality data and hopefully we can take our learnings from MARS to assist more firms in this area.

Turning hesitation into action

This joint statement should remove any remaining doubt. Firms are not only permitted to collect and use vulnerability data – they are expected to do so, and to share it where this improves outcomes. While the fear of GDPR has undoubtedly slowed progress, it should no longer be a barrier. The real risk now lies in failing to act.

Firms that invest in structured data, robust systems and consistent processes will be better placed not only to demonstrate compliance on both sides, but to deliver the good outcomes required by Consumer Duty.

Andrew Gething

Andrew is the founder and managing director of MorganAsh. Andrew, a recognised consumer vulnerability specialist and champion, is the driving force behind the award-winning consumer vulnerability management tool, MARS – adopted in the financial services, credit and utilities sectors.
