GDPR and data protection compliance are topics that many brokers find confusing or overwhelming. The regulations can seem complex, and the consequences of getting it wrong — potential fines, reputational damage, and loss of client trust — are real. But the good news is that compliance when buying leads isn't as complicated as it first appears, provided you understand the basics and work with a reputable provider.
This guide covers the practical aspects of GDPR compliance for brokers and advisers who buy leads. It's written in plain English, not legal jargon, and focuses on what you actually need to do rather than the theoretical framework. That said, this is guidance, not legal advice — if you have specific concerns, consult a data protection specialist.
GDPR Basics for Lead Buying
The UK GDPR (which applies post-Brexit via the UK Data Protection Act 2018) regulates how personal data is collected, stored, processed, and shared. When a consumer fills out a lead form providing their name, phone number, email, and details about their financial needs, that's personal data. And everyone involved in handling it — the provider who collects it and you who receives it — has obligations.
The key concepts you need to understand are:
Lawful basis for processing. You need a legal reason to hold and use someone's personal data. For purchased leads, this is typically consent (the consumer has agreed to be contacted) or legitimate interest (you have a legitimate business reason to contact them, and their rights don't override that interest). Most reputable lead providers rely on consent — the consumer explicitly agrees on the form to be contacted by a broker or adviser.
Data controller vs data processor. The lead provider is typically the data controller for the initial collection (they decide why and how the data is collected). When they share the data with you, you become a data controller for your use of it. This means you have your own obligations around how you store, use, and protect that data.
Purpose limitation. You can only use the data for the purpose it was collected for. If a consumer enquired about a mortgage, you can contact them about mortgage advice. Using their data to market unrelated products without separate consent may breach this principle.
Data minimisation. Only collect and retain the data you actually need. You don't need to keep detailed records about leads that never converted and that you won't be contacting again.
What Your Lead Provider Should Handle
A significant portion of the compliance burden falls on the lead provider, not you. Here's what a reputable provider should be doing:
Obtaining valid consent. The lead form should clearly inform the consumer that their data will be shared with a broker or adviser for the purpose of providing financial advice. This consent should be specific (not hidden in a wall of terms and conditions), informed (the consumer understands what they're agreeing to), and freely given (not a pre-ticked box or a condition of accessing unrelated content).
Privacy policy and fair processing notice. The provider's lead forms should link to a privacy policy that explains how data will be used, who it will be shared with, and how the consumer can exercise their rights (access, deletion, etc.).
PECR compliance. The Privacy and Electronic Communications Regulations (PECR) govern electronic marketing. If the provider is generating leads through email marketing, SMS, or automated calls, they need to comply with PECR consent requirements, which are often stricter than GDPR.
Data security. The provider should have appropriate security measures in place to protect the data they collect and transmit. This includes encryption, secure data transfer, access controls, and staff training.
Data processing agreement. You and your provider should have a data processing agreement (or data sharing agreement) that sets out the responsibilities of each party. Many providers include this in their terms of service.
Your Responsibilities as the Broker
Once you receive a lead, you have your own GDPR obligations. These are straightforward but important.
Fair processing
When you first contact a lead, be transparent about who you are, how you got their details, and what you'll do with their information. Something like: "You submitted an enquiry about mortgage advice through [website/form], and your details were passed to me so I could help. I'll use your information only to provide the advice you've requested."
This is good practice anyway — it builds trust and reduces the chance of the consumer feeling ambushed by an unexpected call.
Secure storage
Store lead data securely. This means:
- Password-protected systems. Don't leave lead details on sticky notes, unlocked spreadsheets, or shared desktops. Use a CRM or secure system with access controls.
- Encrypted devices. If you access lead data on a laptop, tablet, or phone, ensure the device is encrypted and password-protected.
- Limited access. Only people who need access to lead data should have it. If you have admin staff or colleagues, don't give everyone access to everything.
- Secure disposal. When you no longer need lead data (e.g., for leads that never converted and you won't contact again), delete it securely. Don't just leave old leads sitting in a spreadsheet forever.
Data retention
You should have a data retention policy — a clear rule about how long you keep personal data. For leads that convert into clients, you'll need to retain data in accordance with FCA record-keeping requirements (typically a minimum of 3 years after the end of the business relationship, longer for some products like pensions).
For leads that don't convert, you should retain data only as long as you have a reasonable business need for it. If you're still nurturing a lead (periodic follow-up calls or emails), that's a reasonable purpose. If a lead told you they're not interested six months ago and you have no plans to contact them again, there's no reason to keep their data.
A sensible approach: retain unconverted lead data for up to 12 months after the last contact attempt. After that, delete it unless there's a specific reason to keep it (e.g., they asked you to follow up in 6 months).
Subject access requests
Under GDPR, individuals have the right to request access to their personal data, ask for corrections, or request deletion. These are called Subject Access Requests (SARs). If a consumer contacts you asking what data you hold about them, you must respond within one month.
In practice, SARs from leads are rare. But you should know how to handle them and have a process in place. Most CRMs make it easy to export or delete a specific individual's data.
Right to object and opt out
Consumers have the right to object to you processing their data and to opt out of future contact. If someone says "don't call me again" or "delete my details," you must comply. Remove them from your CRM, delete their data, and ensure they're not contacted again.
This isn't just a legal requirement — it's good business practice. Continuing to call someone who's asked you to stop damages your reputation and wastes your time.
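The retention rule of thumb above (12 months after the last contact attempt for unconverted leads, the FCA 3-year minimum for converted clients, a requested follow-up as the exception) and the opt-out handling in this section, as an added Python example that is not part of the original guide. `Lead`, `retention_decision`, `sweep` and `suppression_key` are names assumed for illustration, and the sample records are constructed; keeping a hash of an opted-out address so the person is never contacted again is a common practice the guide does not itself describe.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
UNCONVERTED_RETENTION = timedelta(days=365)     # guide: 12 months after the last contact attempt
CONVERTED_RETENTION = timedelta(days=3 * 365)   # guide: FCA minimum, 3 years after the relationship ends

@dataclass
class Lead:
    lead_id: str
    email: str
    last_contact: date                          # most recent contact attempt
    converted: bool = False
    relationship_ended: Optional[date] = None   # set when a client relationship closes
    follow_up_on: Optional[date] = None         # consumer asked to be contacted later
    opted_out: bool = False                     # consumer said "don't call me again"

def retention_decision(lead: Lead, today: date) -> str:
    """Return 'delete', 'keep' or 'review' for one CRM record."""
    if lead.opted_out:
        return "delete"                         # right to object overrides every other rule
    if lead.converted:
        if lead.relationship_ended is None:
            return "keep"                       # active client: FCA records must be kept
        if today - lead.relationship_ended < CONVERTED_RETENTION:
            return "keep"
        return "review"                         # past the 3-year minimum; some products need longer
    if lead.follow_up_on and lead.follow_up_on >= today:
        return "keep"                           # "call me back in 6 months" is a stated purpose
    if today - lead.last_contact > UNCONVERTED_RETENTION:
        return "delete"                         # unconverted and silent for over 12 months
    return "keep"

def suppression_key(email: str) -> str:
    # SHA-256 of the normalised address, kept after deletion to block future contact (assumed practice)
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()

def sweep(leads, today: date):
    decisions = {lead.lead_id: retention_decision(lead, today) for lead in leads}
    suppressed = {suppression_key(l.email) for l in leads if l.opted_out}
    return decisions, suppressed

SAMPLE = [  # constructed sample records, not real consumer data
    Lead("L1", "a@example.com", date(2023, 1, 10)),                                 # stale, unconverted
    Lead("L2", "b@example.com", date(2024, 9, 1)),                                  # recent, unconverted
    Lead("L3", "c@example.com", date(2023, 3, 1), follow_up_on=date(2025, 1, 15)),  # asked for follow-up
    Lead("L4", "d@example.com", date(2022, 6, 1), converted=True),                  # active client
    Lead("L5", "e@example.com", date(2020, 2, 1), converted=True, relationship_ended=date(2021, 1, 1)),
    Lead("L6", "f@example.com", date(2024, 10, 1), opted_out=True),                 # asked not to be contacted
]
```

Run `sweep(SAMPLE, date.today())` against a CRM export to get a delete/keep/review list per record; records marked "review" are the converted clients past the FCA minimum, where product-specific rules decide.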
FCA Compliance Considerations
Beyond GDPR, financial services lead buying also intersects with FCA regulations. While these aren't strictly data protection rules, they're worth understanding.
Financial promotions. If a lead was generated through advertising, that advertising needs to comply with FCA rules on financial promotions. This is primarily the provider's responsibility, but if you discover that leads are being generated through misleading or non-compliant advertising, you have an ethical obligation to raise concerns.
Treating Customers Fairly (TCF). The way you follow up leads should align with TCF principles. This means being honest about your services, not making promises you can't keep, and respecting the consumer's wishes. Aggressive or misleading follow-up doesn't just damage your reputation — it can attract FCA scrutiny.
Record keeping. The FCA requires you to maintain records of your client interactions and advice. For leads that progress to the advice stage, ensure your CRM captures the relevant notes and documentation.
Practical Compliance Checklist
Here's a simple checklist to ensure you're meeting your obligations when buying and working leads:
- Provider due diligence. Confirm that your provider obtains valid consent, has a privacy policy on their lead forms, and can demonstrate GDPR compliance. Ask to see their privacy policy and the consent language on their forms.
- Data processing agreement. Ensure you have an agreement with your provider covering data sharing responsibilities. This is usually included in their terms of service.
- Secure storage. Store leads in a password-protected CRM or system. Don't use unprotected spreadsheets or email for long-term storage.
- Fair processing notice. When you first contact a lead, explain who you are and how you got their details. Be transparent.
- Opt-out compliance. If someone asks you to stop contacting them, comply immediately. Remove them from your systems.
- Retention policy. Have a clear policy for how long you keep unconverted lead data. Delete data you no longer need.
- SAR process. Know how to respond if someone asks what data you hold about them. Practice exporting or deleting records from your CRM.
- Staff training. If you have staff who handle lead data, ensure they understand basic GDPR principles and your internal data handling procedures.
Common Compliance Questions
Can I use lead data to market other products? Generally, only if the original consent covers it. If a consumer enquired about a mortgage, you can discuss mortgage advice. Cross-selling related products (like life insurance alongside a mortgage) is typically acceptable if it's relevant to the original enquiry. However, adding their details to a general marketing database for unrelated products without separate consent is problematic.
Can I share lead data with other advisers in my firm? Yes, provided it's for the purpose of providing the advice the consumer enquired about. Sharing data with third parties outside your firm without the consumer's consent is generally not acceptable.
What if a consumer denies making the enquiry? This happens occasionally. If someone says they didn't fill out a form, apologise, offer to delete their data, and move on. Don't argue or try to convince them. It's possible their details were submitted by someone else, or they simply don't remember.
Do I need to be registered with the ICO? If you're processing personal data (which you are, if you're buying leads), you need to register with the Information Commissioner's Office. This is a legal requirement for most UK businesses and currently costs £40-2,900 per year depending on your size and turnover. Most sole practitioners and small firms fall into the £40 tier.
For more on choosing a compliant lead provider, see our provider selection guide. And for setting up the systems you need to manage leads properly, read our CRM integration guide.