Governance, Risk & Compliance

UK GDPR for Financial Services Firms: A Practical Compliance Guide

How UK GDPR applies to financial firms: the six principles, lawful bases, individual rights, the 72-hour breach rule and the data protection fee.

10 min read Published 17 Jul 2026
UK GDPR for Financial Services Firms: A Practical Compliance Guide

Financial services firms are among the most data-intensive businesses in the country. Onboarding a customer means collecting identity documents, financial histories, source-of-funds evidence and sometimes health information for protection or annuity products. All of that is personal data, and much of it is sensitive. It is governed by the UK GDPR and the Data Protection Act 2018, and it is supervised by the Information Commissioner's Office (ICO), a regulator entirely separate from the Financial Conduct Authority.

That dual footprint is what makes data protection distinctive for regulated firms. A single record, say a suitability file, must satisfy FCA record-keeping expectations while also respecting a customer's rights under the UK GDPR to access, correct or in some cases erase their data. The two regimes usually pull in the same direction, but not always, and the points where they meet are where compliance teams most often come unstuck.

This guide walks through the parts of the UK GDPR that matter most to financial firms: the six data protection principles, the lawful bases you can rely on, special category data, the individual rights you must honour, the 72-hour personal data breach rule, the data protection fee and the accountability duty. Every rule, reference and figure below has been verified against the ICO's own guidance or the legislation. Where a requirement is a matter of judgement rather than a fixed number, we say so.

The two laws, and the two regulators

Data protection in the UK rests on two instruments that work together. The UK GDPR sets out the core rules for processing personal data. The Data Protection Act 2018 supplements it, filling in the detail that the GDPR leaves to national law, setting out exemptions, and establishing the powers and functions of the Information Commissioner. The ICO's guidance is explicit that the UK GDPR is read alongside the Data Protection Act 2018.

For a financial firm this means you are answerable to two regulators on the same book of business. The FCA cares that you keep orderly records, treat customers fairly and manage financial crime risk. The ICO cares that the personal data inside those records is collected lawfully, kept securely and used only for legitimate purposes. Neither regulator disapplies the other. A firm can be fully compliant with FCA rules and still breach the UK GDPR, and vice versa.

The practical consequence is that data protection cannot be delegated to a single privacy notice on the website and then forgotten. It has to be built into onboarding, marketing, complaint handling, outsourcing arrangements and record retention. The sections that follow set out the building blocks, starting with the principles that sit at the heart of the whole regime.

The six data protection principles

Article 5 of the UK GDPR sets out the principles that underpin everything else. There are six principles governing how you handle personal data, plus a separate overarching accountability principle. The ICO describes them as the principles that lie at the heart of the general data protection regime, informing everything that follows. Infringing the basic principles is subject to the highest tier of fines, so this is not abstract theory.

For a financial firm, three of these principles do the most day-to-day work. Purpose limitation stops you quietly reusing customer data collected for onboarding to feed a marketing campaign. Data minimisation challenges the habit of collecting everything just in case. Storage limitation forces a conversation with your FCA-driven retention schedule, because you may not keep personal data in identifiable form for longer than you need it, even where a separate rule permits or requires retention for a defined period.

The table below sets out the six principles in the ICO's own terms. The seventh element, accountability, is not a processing rule but an obligation to be able to demonstrate compliance with the other six. It is covered separately below.

PrincipleWhat Article 5(1) requires
Lawfulness, fairness and transparencyPersonal data must be processed lawfully, fairly and in a transparent manner in relation to the individual.
Purpose limitationData must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
Data minimisationData must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
AccuracyData must be accurate and, where necessary, kept up to date; inaccurate data must be erased or rectified without delay.
Storage limitationData must be kept in a form permitting identification for no longer than is necessary for the purposes for which it is processed.
Integrity and confidentialityData must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and accidental loss, using appropriate technical or organisational measures.
The six data protection principles as set out in Article 5(1) of the UK GDPR, per ICO guidance.

Choosing a lawful basis

You cannot process personal data at all unless you have a lawful basis for doing so. The ICO is clear that you must identify at least one of the bases in Article 6 whenever you handle personal information. There are six to choose from, and the choice matters, because it shapes which rights the individual can exercise and how much freedom you have.

Three of the six are the workhorses for financial services. Contract covers the processing needed to deliver the product or service the customer has asked for, such as administering an account or executing a trade. Legal obligation covers processing you must carry out to comply with the law, which for a regulated firm is a broad category taking in anti-money-laundering customer due diligence and various FCA-mandated activities. Legitimate interests is the most flexible basis, available where processing is necessary for your interests or a third party's, unless those are overridden by a good reason to protect the individual; it typically supports activities such as fraud prevention and certain internal analytics.

It is worth being precise about what necessary means, because it is often misread. The ICO's guidance says necessary does not mean the processing has to be absolutely essential, but it must be more than merely useful and more than standard practice. It has to be a targeted and proportionate way of achieving a specific purpose. If you could reasonably achieve the same aim in a less intrusive way, the processing is not necessary and the basis does not hold. Consent, by contrast, is often the wrong basis for a regulated firm, because it must be freely given and can be withdrawn, which sits awkwardly with processing you are legally required to perform.

Lawful basis (Article 6)Typical use in a financial firm
ConsentOptional marketing preferences and other genuinely voluntary processing the customer can decline.
ContractProcessing necessary to deliver the agreed product or service, or to take pre-contract steps at the customer's request.
Legal obligationProcessing required to comply with the law, such as anti-money-laundering due diligence and regulatory reporting.
Vital interestsRare in practice; processing necessary to protect someone's life.
Public taskGenerally limited to public authorities exercising official functions with a clear basis in law.
Legitimate interestsNecessary processing for the firm's or a third party's interests, such as fraud prevention, where not overridden by the individual's interests.
The six lawful bases in Article 6 of the UK GDPR, with common financial-services examples.

Special category data needs extra care

Some personal data is singled out for extra protection. The UK GDPR treats certain types as likely to be more sensitive, and the ICO lists them as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, together with genetic data, biometric data used for identification, and data concerning health, a person's sex life or their sexual orientation.

Financial firms encounter special category data more often than they expect. A protection or annuity application can turn on health information. Biometric checks used in digital onboarding produce biometric data. Even inferred data can qualify if it reveals something about one of the protected categories. Whenever you process it, the ICO's guidance is that you must identify both a lawful basis under Article 6 and a separate additional condition for processing the special category data. One is not enough on its own.

The same layered approach applies to criminal offence data. Where you process information about criminal convictions or offences, you need a lawful basis and, unless you have official authority to process it, an additional condition. For firms running sanctions and adverse-media screening, this is a live issue, and the lawful grounds for that processing should be documented rather than assumed.

The eight individual rights

The UK GDPR gives individuals a set of rights over their personal data, and financial firms must have operational procedures to honour them, not merely a policy that says they will. The ICO sets out eight rights: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights related to automated decision-making and profiling.

The right of access, exercised through a subject access request, is the one most firms handle regularly. The ICO's guidance is that you must respond without undue delay and within one month of receiving the request. You can extend that by up to a further two months where the request is complex or you have received several from the same person, but you must tell the individual about the extension, and explain why, within the original month. There is no fee for a standard request.

The right to erasure, often called the right to be forgotten, is where the FCA overlap becomes sharpest. It is not an absolute right. The ICO confirms that a firm can refuse to erase data where it is legally obliged to keep it, for example to comply with financial or other regulations. So a customer cannot use an erasure request to force deletion of records you are required to retain under FCA rules or the Money Laundering Regulations. What you must do is apply the exemption deliberately, record why it applies, and erase anything that genuinely falls outside it, rather than treating any request as an all-or-nothing decision.

Time to respond to a subject access request

The standard response deadline is one calendar month from receipt, extendable by up to two further months for complex or multiple requests, per ICO guidance.

Standard response (months)1%
Maximum permitted extension (months)2%

The 72-hour personal data breach rule

A personal data breach is more than a lost laptop or a hack. The ICO defines it as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. That includes accidental causes such as an email sent to the wrong recipient, not only deliberate attacks. For a financial firm, the volume of sensitive data moving through email, portals and third-party systems makes some level of breach exposure inevitable, which is why the response process matters so much.

The headline obligation is time-bound. The UK GDPR requires organisations to report certain personal data breaches to the ICO within 72 hours of becoming aware of the breach, where feasible. The clock starts when you become aware, not when your investigation finishes. Notification is required where the breach is likely to result in a risk to individuals' rights and freedoms; if you can demonstrate it is unlikely to result in a risk, you need not notify the ICO, but you must still record it internally. Where the breach is likely to result in a high risk to individuals, you must also inform the affected individuals without undue delay.

The ICO recognises that you may not have every detail within 72 hours. Article 33(4) allows you to provide information in phases, provided there is no undue further delay, so the priority is to notify on time and follow up as the picture becomes clearer rather than to stay silent while you investigate. When you do report, the ICO expects you to describe the nature of the breach, including where possible the categories and approximate number of individuals and records concerned, the name and contact details of your data protection officer or other contact point, the likely consequences, and the measures taken or proposed. The steps below give a practical sequence for the first hours after discovery.

1
Contain and assess
Stop the breach spreading, secure affected systems and log the moment you became aware.
2
Risk-assess
Judge whether the breach is likely to result in a risk to individuals' rights and freedoms.
3
Notify the ICO
If notifiable, report within 72 hours of becoming aware, even without full details.
4
Tell affected people
Where there is high risk to individuals, inform them without undue delay in clear language.
5
Record everything
Document all breaches, notifiable or not, with your reasoning and the actions taken.
6
Review and remediate
Fix the root cause and update controls so the same breach cannot recur.

The data protection fee and accountability

Almost every financial firm must pay an annual data protection fee to the ICO. Under the Data Protection (Charges and Information) Regulations 2018, organisations that use personal information must pay the fee unless they are exempt. There are three tiers, and firms are expected to pay between 52 pounds and 3,763 pounds depending on size. Tier 1, for micro organisations with a maximum turnover of 632,000 pounds or no more than 10 staff, is 52 pounds. Tier 2, for organisations up to 36 million pounds turnover or no more than 250 staff, is 78 pounds. Tier 3, for larger organisations, is 3,763 pounds. Failing to pay is itself a breach the ICO can act on.

Beyond the fee, the accountability principle in Article 5(2) requires you to be responsible for, and able to demonstrate, compliance with the other principles. In practice this means keeping records of your processing, documenting your lawful bases, maintaining policies and, for higher-risk processing, carrying out a data protection impact assessment. A DPIA is required before you begin processing that is likely to result in a high risk to individuals, and much of what financial firms do, such as large-scale profiling or new uses of biometric data, can fall into that category.

Accountability is also where data protection meets financial-services governance most naturally. The same senior-management ownership, documented policies and periodic review that the FCA expects for its regime can carry your data protection obligations too, provided the privacy dimension is genuinely built in rather than bolted on. Bringing privacy controls into the same framework you already use for FCA compliance is exactly the kind of consolidation our control tooling is designed to support, so that one set of evidence answers to both regulators. If you would like to see how that works against your own processing, you can book a walkthrough.

Conclusion

UK GDPR compliance for a financial firm is not a separate project bolted onto FCA work; it is the same customer data viewed through a second lens. The six principles set the standard, a lawful basis under Article 6 licenses each activity, special category data demands an extra condition, and eight individual rights give customers a say in how their information is used. Layered on top are hard obligations that leave little room for interpretation: the 72-hour breach notification, the annual data protection fee, and the accountability duty to demonstrate, not merely assert, that you comply.

The firms that manage this well treat the FCA and the ICO as two audiences for one control framework. They document lawful bases alongside retention rules, they apply the erasure exemption deliberately where regulatory retention requires it, and they can produce a breach timeline and a DPIA on demand. Get that integration right and data protection stops being a compliance tax and becomes part of the evidence base that shows, to either regulator, that you handle customers and their information properly.

Frequently asked questions

Which laws govern data protection for UK financial firms?

The UK GDPR sets out the core rules for processing personal data, and the Data Protection Act 2018 supplements it, adding detail, exemptions and the powers of the Information Commissioner. The ICO's guidance states the two are read alongside each other. Both apply in addition to, not instead of, FCA requirements.

What lawful basis should a financial firm use?

It depends on the activity. Contract covers processing needed to deliver a product the customer asked for, legal obligation covers activities you must carry out to comply with the law such as anti-money-laundering due diligence, and legitimate interests supports necessary processing like fraud prevention. You must identify at least one Article 6 basis before you process any personal data.

How quickly must a personal data breach be reported to the ICO?

The UK GDPR requires notifiable breaches to be reported to the ICO within 72 hours of becoming aware of the breach, where feasible. Notification is required where the breach is likely to result in a risk to individuals' rights and freedoms. Article 33(4) lets you provide information in phases if you do not have every detail in time, so long as there is no undue further delay.

Can a customer force us to delete records we must keep for the FCA?

No. The right to erasure is not absolute. The ICO confirms that a firm can refuse to erase data where it is legally obliged to keep it, for example to comply with financial or other regulations. You should apply the exemption deliberately, record why it applies, and erase anything that genuinely falls outside your retention obligations.

How much is the ICO data protection fee?

Under the Data Protection (Charges and Information) Regulations 2018, most organisations that use personal information must pay an annual fee. There are three tiers ranging from 52 pounds to 3,763 pounds: 52 pounds for micro organisations, 78 pounds for small and medium organisations, and 3,763 pounds for large organisations, unless an exemption applies.

When does a financial firm need a data protection impact assessment?

A DPIA is required before you begin processing that is likely to result in a high risk to individuals. For financial firms this can include large-scale profiling, new uses of biometric data in onboarding, or extensive monitoring. It forms part of the accountability duty under Article 5(2) to demonstrate compliance with the data protection principles.

Ready to move money with confidence?

Nasara Control helps UK firms send and control payments with lower fees, better rates and full visibility.

Talk to an expert
Secure by designBank-grade security and encryption
Built for UK firmsMade for FCA-regulated businesses
Data protectedYour data stays private and controlled
Global reachCross-border payments worldwide