CII publishes data privacy guidance for vulnerable customers

New practical guidance from the Chartered Insurance Institute addresses a persistent compliance hesitation


By Josh Recamara

The Chartered Insurance Institute has published new guidance to help insurance and personal finance firms navigate the intersection of customer vulnerability and UK data protection law, addressing one of the most persistent compliance hesitations in the sector.

The Data Privacy for Customers in Vulnerable Circumstances guide sets out in practical terms how vulnerability-related customer data can be collected, stored and used in compliance with UK GDPR and the FCA's Consumer Duty. It was developed with compliance officers, data protection specialists and operations managers as its primary audience.

A persistent compliance barrier

The guidance tackles a problem the CII says has long held firms back from acting on what they already know about their customers. Many organisations have been reluctant to process vulnerability-related data out of a perceived risk of breaching data protection law, even where doing so would improve outcomes for customers in difficult circumstances.

A joint statement published by the FCA and the Information Commissioner's Office in March 2026 was explicit on this point: UK data protection laws, including the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003, do not stop firms from delivering good consumer outcomes under the Consumer Duty. Firms must, however, ensure they comply with data protection requirements when doing so. The new CII guide builds directly on that joint communication, translating its principles into sector-specific operational guidance.

FCA research has consistently found that around half of UK adults display one or more characteristics of vulnerability at any given time, with the 2024 Financial Lives Survey recording that figure at 52%. That scale means vulnerability frameworks cannot function as exception-handling processes. They need to be embedded in standard product design, communications and customer service operations.

Three purposes for processing vulnerability data

The guide identifies three distinct purposes for processing vulnerability-related data. The first is to provide appropriate support and prevent harm. The second is to meet reporting requirements. The third is to drive product and service improvements. All three are directly relevant to firms' obligations under the Consumer Duty, which requires them to demonstrate good outcomes for all retail customers, including those in vulnerable circumstances.

The FCA has stated that embedding the Consumer Duty well across sectors is critical, and that it is relying on the Duty as much as possible rather than creating new prescriptive rules. Firms that cannot demonstrate adequate vulnerability data management face an increasing risk of supervisory scrutiny.

The guidance was launched at an event in London attended by press, stakeholders and sector leaders, including representatives from the FCA and the ICO. The panel featured Laura Leng, lead associate of consumer policy at the FCA; Dominique Azid, principal policy adviser at the ICO; Johnny Timpson OBE, chairman at MorganAsh; Robert Bell, CEO of RB Compliance Consultancy and co-author of the guide; and Adam Harper, executive director of strategy, advocacy and professional standards at the CII Group.

Robert Bell, co-author of the guide and director at RB Compliance Consultancy, said: "We live in a world where health and support needs are increasingly openly discussed, as reflected in expanding regulatory expectations, meaning firms have to be laser focused on supporting customers who find themselves in vulnerable circumstances. It is also important to use this data to amend the product design as part of the expectations of the Consumer Duty. However, none of this is possible without data and this is where many organisations believe they run into a barrier – UK GDPR. The CII identified this problem and the need to form a clear set of standards to guide firms through recording vulnerability data whilst maintaining compliance with UK GDPR."

Further work ahead

The CII has separately outlined a vision for transforming how vulnerability data is shared across the insurance and personal finance distribution chain, calling for a shift from compliance-focused approaches to outcome-driven data sharing and the development of common standards across the sector.

A recent CII roundtable also explored the role of AI in identifying and supporting customers in vulnerable circumstances, with the FCA reaffirming its principles-based, technology-positive approach and stating that existing regulatory frameworks, including the Consumer Duty and vulnerability guidance, are sufficient to manage AI-related risks.

For a sector that has long treated data protection as a reason not to act on vulnerability, the CII's guidance marks a significant shift in expectation: firms can no longer credibly cite GDPR as a barrier to doing right by their most at-risk customers.
