Site icon FIN.

FCA and ICO publish joint statement on vulnerability data

Abstract image of data pathways

The FCA and ICO have published a joint statement on regulatory expectations regarding firms’ approaches to vulnerability data.

The FCA wants firms to understand the needs of vulnerable customers and take steps to deliver good outcomes for them, including by:

The UK GDPR and Data Protection Act do not prevent organisations from sharing or using personal information where it is appropriate and necessary to protect individuals or provide them with the support they need.

However, data processing used to identify consumer in vulnerable customers should follow certain key principles to ensure it is responsible, proportionate and centred on the individual’s rights:

Firms must also have a lawful basis for processing personal data. There are several lawful bases under the UK GDPR that may be relevant to firms. These include: consent; contract; legal obligation; vital interests; and legitimate interests.

The guidance also sets out how firms should treat special category data, that is particularly sensitive information such as health data, and how they should conduct data protection impact assessments.

Exit mobile version