
Vulnerability and GDPR

Part of the Walker Morris Risk Series. Walker Morris partner Louise Power explains how financial services firms can comply with their General Data Protection Regulation (GDPR) obligations while also meeting the needs of vulnerable customers.

Complying with competing responsibilities

In today’s complex regulatory environment, financial services firms face a host of rules, regulations and recommendations, all of which are concerned with different aspects of the customer journey and with ensuring fair customer outcomes. There is no doubt that firms are doing an admirable job, and that the fundamental principle of treating customers fairly (TCF) is embedded within the industry and at the heart of firms’ policies, procedures and decision-making. An area of risk, however, is where different responsibilities overlap. In those circumstances, how can firms ensure that all of their responsibilities – even those which may seemingly compete – are complied with?

A key example is where firms need to share information about potential vulnerability so as to adhere to TCF on the one hand, but they need to protect customers’ data in accordance with strict GDPR obligations on the other.

Sensitive Personal Data and GDPR

As firms will know, GDPR imposes different data protection requirements depending on the data in question. Where data is sensitive personal data (‘special category data’ under GDPR) (SCPD), enhanced requirements apply [1]. The first step to ensuring compliance is for firms to understand exactly what is SCPD…

…SCPD is information relating to an identifiable individual’s:

  • race
  • ethnic origin
  • politics
  • religion
  • trade union membership
  • genetics
  • biometrics (where used for ID purposes)
  • health
  • sex life; and
  • sexual orientation.

Information pertaining to vulnerability is most likely to be caught by GDPR SCPD rules if it falls within the ‘health’ category, whereas data relating to financial vulnerability (such as low income, income shock, non-health related change in circumstances, and so on) will not necessarily be SCPD.

In order to process personal data, GDPR requires that firms must first have a ‘lawful basis’ [2]. For a financial services firm, this requirement is satisfied because the processing of personal data is necessary for its legitimate interests in carrying out the ordinary course of business, and there is no good reason to protect an individual’s data that overrides those legitimate interests.

When processing SCPD, in addition to the ‘lawful basis’, a ‘specific condition’ under Article 9 of GDPR must be satisfied. Of the ten available conditions, those which are most likely to apply in this context are:

  • a) The data subject has given explicit consent to the processing of the data for one or more specific purposes; and
  • f) Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity [3].

Impact and advice

Where firms process SCPD, therefore – including where firms provide third parties such as law firms or other suppliers with SCPD – they should confirm, ideally in writing and within contractual terms, that the customer has provided explicit consent for its data to be so processed, and in particular for it to be provided to the third parties in question.

Firms should therefore ensure that their processes, procedures and contractual arrangements with customers and suppliers specifically address consent for processing SCPD. Without such confirmation, suppliers cannot satisfy condition a) and cannot lawfully process SCPD. Consequently, in those circumstances neither suppliers (nor, in turn, the firms themselves) can satisfy TCF requirements for vulnerable customers.

[1] For further information, see the Information Commissioner’s Office (ICO) guidance.
[2] See our more detailed briefing for further information and advice.
[3] Note that condition f) may not be appropriate if firms are not proposing to litigate.
