Consumer Duty and Data Protection: 3 principles for balancing vulnerability with your customer’s privacy

Gabriele Trevisan

Gabriele is a regulatory and banking change professional, with experience supporting clients in multiple sectors including retail and private banking.

A key requirement for firms who are on their Consumer Duty implementation journey is being able to effectively identify consumers who are or could be vulnerable and understanding how the firm can take appropriate steps to support them.

Whilst there are multiple considerations involved in solving this challenge, one of the key steps will be collecting and analysing targeted customer data so that firms can understand whether a customer could benefit from additional support in achieving better outcomes.

A firm should put together a list of criteria, relevant to its customer base and business model, that can point to vulnerability. However, more often than not the data required to test against those criteria will be personal data, and some of it will be sensitive. Indicators such as a customer's health, family circumstances, behaviours and income are all personal data, and health data in particular falls into the special categories that data protection law subjects to stricter conditions on how it can be collected, handled and stored.

The data protection aspect of Consumer Duty should be considered thoroughly, since keeping customers' sensitive data safe is an unstated prerequisite for achieving good outcomes. So how can firms fulfil their duty to deliver good outcomes to vulnerable customers whilst remaining compliant with data privacy and protection rules such as the UK GDPR?

Delta Capita believes there are three key principles to keep in mind.

The first principle concerns the mechanics of collecting personal data, and sensitive personal data in particular. Data protection rules require a lawful basis for processing personal data, and for special category data such as health an additional condition must be met; in practice this will often mean obtaining the customer's explicit consent. Up until now, firms would typically have collected only the non-sensitive data needed for a customer to commence doing business with them, i.e. to open an account, take out a loan, etc. They will now need a lawful basis for collecting increasingly sensitive information if they are to assess customer vulnerability accurately. As a result, firms will likely need to review their privacy policy and their terms and conditions to reflect this for new accounts. Existing customers will need to be informed of the policy change and should be able to see what new types of data are being collected and the nature of the processing that will occur. Where possible, firms should rely on customers providing sensitive information voluntarily, with full knowledge of why it is being collected and how it may be used.

The second principle is that, once collected, data needs to be stored and accessed responsibly for further analysis. This is where the greatest potential for customer harm or unfavourable outcomes arises. The data firms collect needs to be made available to staff for the identification of vulnerability, but given its sensitivity, businesses will need to make sure that it is stored securely and that there are controls in place to guarantee that only the staff who need it can access and use it. In practice that means restricting access by role and by the purpose for which the data was collected, and keeping a record of who accessed what, so that the use of this data can be reviewed.

The third principle is purpose limitation and data minimisation. Data protection rules require personal data to be processed only for specified, explicit and legitimate purposes, and firms need to ensure that the data they use is limited to what is required to fulfil that purpose. As a result, firms will need to ensure that the data they collect and process is used only to offer an enhanced level of support to the customers who need it most, and not for other reasons (e.g. marketing). Firms should also take care to collect only the information required to assess whether a customer is vulnerable. Training customer-facing staff on the types of information they are allowed to collect is likely to yield benefits in this regard.
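The second and third principles above (restricted, audited access and purpose limitation) can be enforced in the data layer rather than left to policy alone. The following is an added illustration, not code from the article or from Delta Capita: a small store of vulnerability indicators that releases a field only when the caller's role is permitted to read it for the declared purpose, and logs every attempt, including refusals. The roles, purposes, field names and customer record are all assumptions constructed for the example; a real firm's categories would follow its own vulnerability criteria.

```python
"""Purpose-limited, role-gated access to vulnerability indicators.

Added example, not code from the article or from Delta Capita. The roles,
purposes, field names and customer records are constructed for illustration.
"""
from dataclasses import dataclass, field, fields as dc_fields
from datetime import datetime, timezone

# Fields that hold vulnerability indicators; everything else on a record
# is ordinary account data. This split is an assumption of the example.
SENSITIVE_FIELDS = {"health", "life_events", "financial_stress", "support_needs"}

# role -> purpose -> sensitive fields that role may read for that purpose.
# Front-line staff see only the derived support need ("large print"), not
# the condition behind it. Analysts assessing vulnerability see the
# indicators. Marketing has no route to any sensitive field.
ACCESS_POLICY = {
    "support_agent": {"vulnerability_support": {"support_needs"}},
    "vulnerability_analyst": {"vulnerability_support": set(SENSITIVE_FIELDS)},
    "marketing": {"marketing": set()},
}


class AccessDenied(Exception):
    """Raised when a role/purpose pair may not read the requested fields."""


@dataclass
class CustomerRecord:
    customer_id: str
    name: str
    health: str = ""
    life_events: str = ""
    financial_stress: str = ""
    support_needs: str = ""


KNOWN_FIELDS = {f.name for f in dc_fields(CustomerRecord)}


@dataclass
class SensitiveDataStore:
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def read(self, customer_id, role, purpose, requested):
        """Return only the requested fields, and only if policy permits."""
        requested = set(requested)
        unknown = requested - KNOWN_FIELDS
        if unknown:
            raise ValueError(f"unknown fields: {sorted(unknown)}")
        allowed = ACCESS_POLICY.get(role, {}).get(purpose)
        if allowed is None:
            self._audit(customer_id, role, purpose, requested, "denied: purpose")
            raise AccessDenied(f"{role!r} may not process data for {purpose!r}")
        blocked = (requested & SENSITIVE_FIELDS) - allowed
        if blocked:
            self._audit(customer_id, role, purpose, requested, "denied: fields")
            raise AccessDenied(f"{role!r} may not read {sorted(blocked)} for {purpose!r}")
        self._audit(customer_id, role, purpose, requested, "granted")
        record = self.records[customer_id]
        return {name: getattr(record, name) for name in sorted(requested)}

    def _audit(self, customer_id, role, purpose, requested, decision):
        # Every attempt is logged, including refusals, so access to
        # vulnerability data can be reviewed after the fact.
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "customer_id": customer_id, "role": role, "purpose": purpose,
            "fields": sorted(requested), "decision": decision,
        })


def build_demo_store():
    """Constructed sample data, not a real customer."""
    store = SensitiveDataStore()
    store.records["C001"] = CustomerRecord(
        customer_id="C001", name="Alex Example",
        health="visual impairment", support_needs="large print statements",
    )
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print(store.read("C001", "support_agent", "vulnerability_support", ["name", "support_needs"]))
    for role, purpose, wanted in [
        ("support_agent", "vulnerability_support", ["health"]),
        ("marketing", "marketing", ["support_needs"]),
        ("vulnerability_analyst", "marketing", ["health"]),
    ]:
        try:
            store.read("C001", role, purpose, wanted)
        except AccessDenied as exc:
            print("denied:", exc)
    print(len(store.audit_log), "access attempts logged")
```

Two design choices carry the weight here. First, the policy is keyed on purpose as well as role, so an analyst who is entitled to see health data for vulnerability support cannot read the same field under a marketing purpose. Second, the front-line view exposes the derived support need rather than the underlying condition, which is the data-minimisation point made above: a colleague who needs to post large-print statements does not need to know why.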

These are just some of the considerations; more will emerge as firms continue their implementation of Consumer Duty. For the time being, the challenge for businesses is to make sure that data protection is raised and taken into account in every forum where it may be pertinent.

How Delta Capita can help

Delta Capita’s UK Consumer Duty team comprises senior industry practitioners and former C-suite banking executives. We support organisations in delivering the changes required to deal with complex challenges, such as the data protection aspect of Consumer Duty.

Whether you need help to assess your Consumer Duty readiness, benchmark against industry best practice or accelerate delivery across workstreams, our team can help you, as we are helping other organisations with similar challenges.

To find out more about how we can support you, contact us and speak directly to one of our experts.

This article was co-authored by Nick Wilcock, Gracie Willacy, Karan Kapoor, Neil Jones, and Nabeelah Begum.