Firms warned over misuse of GDPR in Consumer Duty compliance

Avoiding data collection could lead to severe penalties, MorganAsh cautions

Firms falsely citing GDPR as a reason for non-compliance with the Financial Conduct Authority’s (FCA) Consumer Duty risk severe regulatory action, support services provider MorganAsh has warned.

The customer vulnerability specialist has observed some businesses avoiding the collection and storage of customer vulnerability data, claiming that doing so would conflict with the GDPR. These firms reportedly believe that potential penalties from the FCA would be less severe than sanctions imposed by the Information Commissioner’s Office (ICO).

Andrew Gething, managing director of MorganAsh, said this approach exposes firms to significant risks, particularly as the FCA has prioritised improving outcomes for vulnerable customers.

In its document, “Our Consumer Duty focus areas,” released on December 9, the FCA reiterated its focus on customer vulnerability.

The ICO and FCA previously addressed this issue in their 2015 Occasional Paper 8 consultation, clarifying that GDPR and Consumer Duty can coexist. More recently, the ICO and FCA issued a joint statement affirming that Consumer Duty does not require firms to act in a way that breaches data protection laws.

Under Consumer Duty, firms must monitor consumer vulnerability over a product’s lifetime, using the data to evaluate outcomes and address potential harms. GDPR, meanwhile, requires firms to handle data accurately, securely, and in line with consumer rights, including deletion requests.

The FCA continues its review of firms’ approaches to customer vulnerability, with findings expected in early 2025. Recent multi-million-pound fines imposed on VW Financial Services and TSB underscore the regulator’s willingness to act against vulnerability failings. Additionally, the FCA’s recent review of Consumer Duty board reports highlighted insufficient quality data and a lack of focus on vulnerable customers.

“We are seeing a worrying trend where some firms use GDPR as a scapegoat for not complying with Consumer Duty,” Gething said. “While firms are right to consider data protection laws, the response should not be to forgo such an important requirement of Consumer Duty. This is especially true as the regulator continues to prioritise customer vulnerability and take significant action where it finds serious failings.

“As the ICO has reaffirmed recently – and current vulnerability tech continues to demonstrate – a complementary approach is absolutely possible. Rather than burying their heads in the sand or choosing one regulation over the other, firms of all sizes must act to ensure their customer vulnerability processes are compliant.

“Whether it’s Consumer Duty or GDPR, good quality data is fundamental to good governance, and technology plays an important role in addressing any supposed conflict while achieving compliance efficiently.”