Data Protection for Finance

The GDPR adds a further layer of obligations to the already heavily regulated financial services and insurance sector.  Many of its requirements complement existing legislation, but special attention must be paid to the protection of personal data.

Finance and insurance companies process large volumes of personal data, much of it sensitive.  Particular care must be taken to ensure it is used only for the purpose for which it was collected, shared only in a controlled way, and retained and disposed of appropriately and within defined timescales.

The use of personal data for profiling and automated decision making is also tightly regulated under the GDPR.

This page explains what data protection legislation means for finance & insurance organisations and the key areas they need to consider when managing personal data.


Like all other organisations, finance & insurance organisations must:

Be transparent in the way they process personal data and accountable for doing so
Be able to detect, manage, report and respond to data breaches including, if necessary, liaising with the Information Commissioner’s Office (ICO)
Understand the data they have, where it is stored and who has access to it
Implement robust processes and procedures to protect personal data
Allow data subjects (customers, users and staff) to:

  • Access the data stored on them
  • Ensure the data is correct and modify it as necessary
  • Have it deleted (unless needed for legitimate reasons)

Appoint a designated data protection officer if they:

  • Are a public body
  • Carry out regular and systematic monitoring of individuals on a large scale (for example profiling or automated decision making)
  • Process special category data, or data relating to criminal convictions, on a large scale



Finance and insurance organisations must protect personal data across a wide range of their operations.  Major considerations include:

Complementary Regulations

  • Financial Conduct Authority (FCA) regulations
  • PCI DSS (payment card) requirements
  • Banking regulations
  • Anti-money laundering regulations
  • Understanding audit and inspection requirements

Handling sensitive and special category data

  • Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Personal data, financial data, medical data and records of criminal convictions, the latter especially for insurance

Multiple and legacy systems

  • Duplicated data held on multiple systems and data minimisation
  • Data retention and disposal
  • Mechanisms for handling DSARs


  • Email systems
  • Staff payroll, pension and HR records
  • Visitors’ book, access and CCTV

Data Security

  • Maintaining network and server security
  • Encryption of data at rest and in transit
  • Wider cyber security controls

Policies and agreements

  • Privacy, retention, cookie and data protection policies
  • Staff handbooks

Sharing data with others

  • Transfers to and from third parties
  • International data transfers (outside the EU/EEA)
  • Data processing and data sharing agreements

Handling large quantities of data

  • Appointing a designated DPO
  • Profiling and automated decision making


Finance Client Testimonials


Chloe Steele
Operations Director

360 Dotnet

“Our DPO and the overall service has been a brilliant addition to our business. Their expertise has been invaluable in ensuring that we are up to speed with our general data protection obligations as well as those specific to the financial services sector. Having grown our customer base rapidly, our DPO was also able to assist us in ensuring that our internal systems developed to reflect this growth. The work our DPO has done for us means that we are confident in our internal as well as external data handling practices.”


James Yates
Chief Risk Officer

Shard Capital

“We are really pleased with our DPO from The DPO Centre, who understood our needs and was able to translate them into a workable plan that has greatly assisted our business’s compliance journey. Shard Capital is growing at a remarkable speed, requiring us to constantly develop new ways of working whilst still maintaining our commitment to data protection. The DPO Centre’s advice and support has assisted us in ensuring that our compliance level has remained high despite the challenges that rapid growth presents.”