FCA and ICO set expectations on handling vulnerability data under the Consumer Duty

The FCA and ICO have issued a joint statement setting out how firms should approach the use of “vulnerability related data” in line with both the Consumer Duty and UK data protection law. The statement is aimed at helping firms deliver good outcomes for customers in vulnerable circumstances while maintaining lawful, fair and responsible processing of personal data.

The regulators emphasise that data protection legislation does not prevent firms from identifying and supporting vulnerable customers. However, firms must ensure their use of personal data complies with the UK GDPR, the Data Protection Act 2018 and PECR, particularly where the processing involves special category data (for example, health data).

The guidance focuses on three key areas:

  • Supporting customers in vulnerable circumstances through appropriate data use

  • Sharing vulnerability data across distribution chains where necessary

  • Monitoring outcomes to ensure fair treatment and identify harm.

The FCA expects firms to understand vulnerability within their customer base, identify relevant indicators and design products, communications and support processes accordingly.

Key Takeaways

  • Data protection is not a barrier - the FCA and ICO make clear that UK GDPR does not prevent firms from using or sharing data where it is necessary to support vulnerable customers, provided compliance requirements are met

  • Accountability and principles are central - firms must demonstrate compliance with core data protection principles including lawfulness, transparency, data minimisation, accuracy and security when handling vulnerability data

  • Special category data triggers higher thresholds - where vulnerability data includes sensitive information (e.g. health data), firms must identify both a lawful basis and a separate Article 9 condition (such as explicit consent or substantial public interest)

  • Data sharing must be controlled - sharing vulnerability data across distribution chains can be necessary but must be proportionate, transparent and supported by appropriate safeguards (including data sharing agreements and, where relevant, DPIAs)

  • Automated decision-making carries risk - additional UK GDPR requirements apply where firms use profiling or solely automated decisions that affect vulnerable customers, including the right to obtain human intervention, to contest the decision and to receive a meaningful explanation of the logic involved

  • Ongoing monitoring is expected - firms must assess outcomes for vulnerable customers and take action where poorer outcomes are identified, using available data appropriately.

Our Views

This joint statement is a clear attempt by the FCA and ICO to remove perceived tension between regulatory regimes and reinforce that supporting vulnerable customers and complying with data protection law should operate hand in hand.

The practical impact for firms is significant. In particular:

  • Greater confidence to use data - firms should feel more comfortable using data to identify and support vulnerable customers, but only where underpinned by robust governance and documented decision-making

  • Increased scrutiny on data practices - regulators are signalling closer attention to how firms justify their lawful basis, handle special category data and evidence compliance with the UK GDPR principles

  • Distribution chain complexities - sharing vulnerability data between manufacturers and distributors will require careful structuring, particularly around roles (controller/processor), transparency and contractual protections

  • DPIAs and risk assessments will be key - any use of profiling, large-scale sensitive data or data sharing initiatives is likely to require formal risk assessments and clear audit trails

  • Consumer Duty drives data use - firms’ obligations to deliver good outcomes will increasingly require proactive data use, making alignment between legal, compliance and operational teams essential.

Overall, the message from regulators is clear: firms are expected to use data responsibly to support vulnerable customers, not avoid doing so due to data protection concerns. Those that can balance proactive customer support with strong data governance will be best placed to meet both Consumer Duty and UK GDPR expectations.

The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.
