Financial advisers can use AI with client data, but the UK GDPR still applies in full. The core obligations are unchanged: you need a lawful basis for processing, extra protection for special category data, a Data Protection Impact Assessment (DPIA) for high-risk processing, safeguards around solely automated decisions, and a written contract with any AI provider acting as your processor. AI does not create a new rulebook, it raises the stakes on the existing one, because more data flows through systems you don't fully control.
Key takeaways
- The UK GDPR and Data Protection Act 2018 govern all client-data processing, including anything run through AI.
- You must identify a lawful basis (Article 6), for advice, this is usually contract or legitimate interests, and for marketing often consent.
- Health, and sometimes financial-vulnerability, information can be special category data (Article 9) needing an additional condition and stronger safeguards.
- High-risk AI processing typically requires a DPIA before you start.
- Solely automated decisions with legal or similarly significant effects are restricted (Article 22), keep a human meaningfully in the loop.
- Any AI vendor handling client data is likely a processor, requiring an Article 28 contract and confirmation that your data won't be used to train the vendor's models without a lawful basis.
Does GDPR still apply when I use AI?
Yes, completely. There is no "AI exemption." If an AI tool ingests client names, financial circumstances, risk profiles, health details or fact-find data, that is personal data processing and every GDPR principle applies: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. The difference with AI is scale and opacity, which makes the accountability principle, being able to demonstrate compliance, much harder to satisfy casually.
What's your lawful basis?
Every processing activity needs a lawful basis under Article 6. For advice firms:
- Performance of a contract, processing needed to provide the advice the client has engaged you for.
- Legitimate interests, for example, certain analytics or service improvements, subject to a balancing test.
- Legal obligation, record-keeping and regulatory reporting.
- Consent, typically for marketing, and it must be freely given, specific, informed and easily withdrawn.
Feeding client data into an AI tool must fit within a basis you can point to. "It made the report faster" is a benefit, not a lawful basis.
Special category data, the trap for advisers
Advice work often touches health information (ill health affecting retirement, protection needs, vulnerability), which is special category data under Article 9. Processing it needs both an Article 6 basis and a specific Article 9 condition, plus appropriate policy documents and safeguards. Running special category data through a third-party AI tool without confirming the conditions and protections are in place is a common and serious gap.
When do you need a DPIA?
A Data Protection Impact Assessment is required for processing likely to result in a high risk to individuals, which frequently includes new AI systems processing sensitive financial data at scale, profiling, or large-scale monitoring. A DPIA is not bureaucracy for its own sake: it forces you to map what data flows where, identify risks, and design mitigations before go-live. For any material AI deployment touching client data, assume a DPIA is needed and document the outcome.
Automated decisions and keeping a human in the loop
Article 22 restricts decisions based solely on automated processing that produce legal or similarly significant effects on someone, which could include an AI unilaterally determining a client's risk category or product suitability. The practical answer for advice firms is straightforward: keep a qualified human meaningfully in the loop. AI can draft, analyse and suggest; the adviser reviews, exercises judgement, and owns the decision. That preserves both GDPR compliance and the accountability the FCA expects.
Your AI vendor is (probably) a processor
If an AI provider processes client data on your instructions, it is your processor, and you need an Article 28 contract covering security, sub-processors, breach notification, data return or deletion, and processing only on documented instructions. Two questions to insist on:
- Is our client data used to train your models? If so, on what lawful basis, and can we switch it off?
- Where is the data hosted and processed, and are international transfers lawfully protected?
A vendor that cannot answer these clearly is a compliance risk regardless of how good the product is.
A practical checklist
- Map every AI tool that touches client data and the categories of data involved.
- Confirm a lawful basis (and Article 9 condition where relevant) for each use.
- Run a DPIA for high-risk processing and keep it current.
- Ensure a qualified human reviews and owns any consequential decision.
- Put an Article 28 processor contract in place and confirm the no-training / hosting position.
- Update privacy notices so clients understand AI is used and how.
- Set and enforce data retention and deletion.
Frequently asked questions
Can financial advisers use AI with client data?
Yes, provided they comply with the UK GDPR, including having a lawful basis, protecting special category data, running a DPIA for high-risk uses, keeping a human in the loop for significant decisions, and having a processor contract with the AI vendor.
Do I need a DPIA to use AI in my advice firm?
If the AI processing is likely to be high risk, which is common for new systems handling sensitive financial data at scale or performing profiling, then yes, a DPIA is required before you begin.
Is client financial vulnerability special category data?
Health information is special category data. Vulnerability driven by health, and certain related details, can fall into this category and require the additional Article 9 protections.
Will my client data be used to train an AI model?
Only if you have a lawful basis and the vendor's contract permits it. You should confirm the vendor's position explicitly and be able to prevent training on your data.
Does using AI mean decisions are "automated" under GDPR?
Only if a decision is made solely by automated means with a significant effect. Keeping a qualified adviser meaningfully involved in the decision keeps you outside the Article 22 restriction.