Many firms question whether they can record and share data about vulnerable customers without falling foul of GDPR. The joint FCA/ICO statement of March 2026 made clear that data protection law is not a barrier but an enabler.
Drawing on the CII's recent practical guide to GDPR and data privacy, three of the guide’s co-authors – Andrew Gething of MorganAsh, Robert Bell, and Vanessa Riboloni of the CII – move the conversation from “are we allowed?” to “how can we do this well?”.
Overview
Introduction: customer vulnerability data requirements
Proactive and reactive data collection
Data accuracy – inferred data, objectivity and consistency
Why explicit consent is the preferred lawful basis
When explicit consent is not practical – scenario matrix
Data minimisation – what to store and at what level
Deletion, retention and subject access requests
Sharing data within and between firms – tiered access
Robert Bell
Founder of RB Compliance Consultancy. FCA and UK GDPR compliance expert and author of A Practical Guide to the FCA's Consumer Duty. Co-author of the CII guide, Data privacy for customers in vulnerable circumstances.
Andrew Gething
Founder and managing director of MorganAsh, a leading provider of digital vulnerability management and medical underwriting services. Recognised expert in consumer vulnerability and creator of the MorganAsh Resilience System (MARS). Co-author of the CII guide, Data privacy for customers in vulnerable circumstances.
Vanessa Riboloni
Head of research and insight at the Chartered Insurance Institute, where she leads initiatives to support the development of professional standards, good practice and advocacy across the insurance and financial planning sectors. Co-author of the CII's Managing customer vulnerability in insurance and personal finance: A practical implementation guide – released in November last year and now established as the blueprint for vulnerability management across multiple sectors – as well as the data privacy guide we discuss on this webinar.
Next webinar
In our next webinar, we look at how proactively supporting vulnerable customers can drive real commercial value beyond regulatory compliance. We explore how embedding vulnerability into business strategy strengthens customer relationships, improves outcomes, and reduces complaints and inefficiencies, while using data and inclusive design to enhance decision-making, brand reputation, and long-term performance.