The GDPR adds further complexity to the already heavily regulated financial services and insurance sector. Many of the GDPR's requirements are complementary to existing legislation, but special attention must be paid to personal data protection.

Finance and insurance companies often process large amounts of personal data, much of it sensitive in nature. Particular attention must be paid to ensuring it is used only for the intended purpose, that it is shared only in a controlled way, and that it is retained and disposed of appropriately and in a timely fashion.

The use of data for profiling and automated decision making is also strictly legislated under the GDPR.

This page explains what data protection legislation means for finance & insurance organisations and the key areas they need to consider when managing personal data.


Like all other organisations, finance & insurance organisations must:

• Be transparent in the way they process personal data and accountable for doing so
• Be able to detect, manage, report and respond to data breaches including, if necessary, liaising with the Information Commissioner's Office (ICO)
• Understand the data they have, where it is stored and who has access to it
• Implement robust processes and procedures to protect personal data
• Allow users, data subjects and staff to:

  • Access the data stored on them
  • Ensure the data is correct and modify it as necessary
  • Have it deleted (unless needed for legitimate reasons)

• Appoint a designated data protection officer if they:

  • Are a public body
  • Process data on a large scale
  • Use the data for profiling or automated decision making



Finance and insurance organisations must protect personal data across a wide range of their operations. Some major considerations include:

Complementary Regulations

  • Financial Conduct Authority (FCA) regulations
  • PCI Credit card regulations
  • Banking regulations
  • Anti-money laundering regulations
  • Understanding audit and inspection requirements

Handling sensitive and special category data

  • PCI Credit card regulations
  • Banking regulations
  • Anti-money laundering

Managing sensitive and special category data

  • Data Protection Impact Assessments
  • Personal data, financial data, medical data and records of criminal convictions, especially for insurance

Multiple and legacy systems

  • Duplicated data held on multiple systems and data minimisation
  • Data retention and disposal
  • Mechanisms for handling DSARs


  • Email systems
  • Staff payroll, pension and HR records
  • Visitors’ book, access and CCTV

Data Security

  • Maintaining network and server security
  • Data encryption
  • Cyber security

Policies and agreements

  • Privacy, retention, cookie and data protection policies
  • Staff handbooks

Sharing data with others

  • Transfers to third parties
  • Data transfers outside the EU
  • Data processing and data sharing agreements

Handling large quantities of data

  • Appointing a designated DPO
  • Profiling and automated decision making
