Important Note
This article provides a general overview of GDPR considerations related to lead generation. It is not legal advice. GDPR is a complex regulation, and its application depends on your specific circumstances. If you need specific guidance on GDPR compliance for your business, consult a data protection specialist or legal adviser.
GDPR Basics for Lead Generation
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 govern how personal data is collected, processed, stored, and shared. Lead generation involves all of these activities — collecting consumer details through forms, processing that data to create leads, storing it in databases, and sharing it with brokers and advisers.
The key GDPR principles that apply to lead generation are:
- Lawfulness, fairness, and transparency: Data must be collected and used lawfully, fairly, and in a way that the consumer would expect
- Purpose limitation: Data collected for lead generation should only be used for that stated purpose
- Data minimisation: Only collect the data that's necessary for the stated purpose
- Accuracy: Personal data should be accurate and kept up to date
- Storage limitation: Data should not be kept longer than necessary
- Integrity and confidentiality: Data must be processed with appropriate technical and organisational measures that protect it against unauthorised or unlawful processing and against accidental loss, destruction or damage, both while it is stored and while it is being transmitted or shared
Consent: The Foundation of Compliant Lead Generation
For most lead generation in financial services, consent is the lawful basis for processing personal data. This means the consumer must actively agree to their data being used for a specific purpose before the data is processed.
What Valid Consent Looks Like
Under GDPR, consent must be:
- Freely given: The consumer must have a genuine choice. Consent cannot be a condition of accessing content or services unrelated to the data processing.
- Specific: The consent must clearly state what the data will be used for. Generic statements like 'we may share your data with third parties' are not specific enough. The consumer should know they'll be contacted by a financial adviser about the specific product they enquired about.
- Informed: The consumer must understand who will contact them, for what purpose, and how their data will be used. This is typically achieved through clear consent language and a link to a privacy policy.
- Unambiguous: Consent must involve a clear affirmative action. Pre-ticked boxes do not constitute valid consent under GDPR.
Good Consent Language Example
A compliant consent statement on a lead form might read:
'By submitting this form, you agree to be contacted by a qualified mortgage adviser who will call you to discuss your mortgage options. Your details will be shared with one adviser only. You can withdraw your consent at any time by contacting us. See our privacy policy for full details on how we handle your data.'
This statement is specific (mortgage adviser, discussing mortgage options), clear about what will happen (one adviser will call), and provides information about data rights and privacy.
Poor Consent Language Example
'By submitting this form, you consent to being contacted by our partners.'
This is too vague — it doesn't specify who will contact them, for what purpose, or how many parties will receive their data.
Data Processing Agreements
When a lead provider shares consumer data with you, both parties have data protection responsibilities. Under GDPR, the relationship between the lead provider and the broker typically operates on one of two bases:
Controller to controller: Both the lead provider and the broker are independent data controllers. The lead provider collects the data with consent and shares it with the broker, who then processes it independently for the purpose of providing financial advice. This is the most common arrangement for lead generation.
Controller to processor: Less common in lead generation, but some arrangements may involve the broker acting as a processor on behalf of the lead provider, or vice versa.
The structure determines what the paperwork must look like. A controller-to-processor arrangement must be governed by a written contract containing the terms Article 28 UK GDPR requires (processing only on documented instructions, confidentiality, security, sub-processor controls, assistance with data subject requests, deletion or return at the end of the contract). For controller-to-controller sharing a written data sharing agreement is not mandatory, but the ICO's data sharing code recommends one, and in practice you need it to evidence your own compliance. Whichever applies, the agreement between you and your lead provider should cover:
- What data is being shared
- The lawful basis for sharing it
- How long each party can retain the data
- Security measures for data in transit and at rest
- Procedures for handling data subject requests (access, deletion, etc.)
- How each party notifies the other of a personal data breach affecting the shared data, and who is responsible for notifying the ICO and affected individuals
- What happens to the data if the arrangement ends
Privacy Notices
Both the lead provider and the broker should have privacy notices that explain how personal data is collected and used. The lead provider's privacy notice should be accessible from the lead form and should explain:
- What data is collected
- Why it's collected (to connect the consumer with a financial adviser)
- Who the data will be shared with
- How long the data will be retained
- The consumer's rights (access, deletion, objection, etc.)
- How to contact the organisation about data matters
Your own privacy notice should cover how you handle data received from lead providers, including how long you retain it and what you use it for beyond the initial enquiry (for example, if you add them to a marketing list, which would require separate consent).
Data Subject Rights
Under GDPR, consumers have several rights regarding their personal data. When buying leads, you need to be prepared to handle these requests:
Right of access: A consumer can request a copy of all personal data you hold about them, together with information such as the purposes of processing, the recipients and the retention period. You must respond within one month of receipt; this can be extended by up to two further months where requests are complex or numerous, but you must tell the individual about the extension within the first month.
Right to erasure: A consumer can request that you delete their personal data. Where the data was processed on the basis of consent and they withdraw it, you must comply unless an exemption applies, for example a legal or regulatory obligation to retain records, such as FCA record-keeping requirements for advice given.
Right to object: A consumer can object to their data being used for direct marketing. This objection is absolute: if they object, you must stop using their data for that purpose, and you should suppress the record rather than simply delete it so they are not contacted again.
Right to withdraw consent: If consent is the basis for your data processing, the consumer can withdraw that consent at any time, and withdrawing must be as easy as giving it was. Withdrawal doesn't affect the lawfulness of processing before withdrawal, but you must stop processing their data on that basis going forward.
Practical GDPR Checklist for Lead Buyers
Use this checklist to evaluate whether your lead generation arrangements are GDPR-compliant:
- Does your lead provider collect freely given, specific, informed and unambiguous consent from consumers?
- Can they provide consent records (what the consumer agreed to, when, and how) for any individual lead?
- Is the consent specific to being contacted by a financial adviser about the product they enquired about?
- Is there a clear, accessible privacy notice on the lead form?
- Do you have a data processing agreement with your lead provider?
- Is your lead provider registered with the ICO (Information Commissioner's Office)?
- Are you registered with the ICO?
- Do you have a process for handling data subject access requests?
- Do you have a process for handling erasure requests?
- Do you know how long you retain lead data, and is that period justified?
- Is lead data transmitted securely between the provider and your systems, for example over a TLS-protected API or SFTP, rather than as unencrypted email attachments or spreadsheet uploads?
- Is lead data stored securely in your CRM or database, with access restricted to the staff who need it and that access logged?
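The checklist asks whether a provider can produce a consent record showing what a consumer agreed to, when, and how, and the rights section notes that withdrawal stops future processing without undoing past processing. The following is an added illustration of what such a record can look like in code; it is not code from this page or from Lurvo Digital, and the field names, the `utc` helper and the sample dates are assumptions. It fingerprints the exact consent wording shown, refuses pre-ticked or unticked boxes, enforces the "one adviser only" limit in the wording, and answers whether processing at a given moment falls inside the window between consent and withdrawal.

```python
"""Consent records for a lead form: an added illustration, not code from the page
or from Lurvo Digital. Field names and the sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from hashlib import sha256
from typing import Optional

# Constructed example wording; a real record stores the exact text shown to the consumer.
CONSENT_TEXT_V1 = (
    "By submitting this form, you agree to be contacted by a qualified mortgage "
    "adviser who will call you to discuss your mortgage options. Your details "
    "will be shared with one adviser only. You can withdraw your consent at any "
    "time by contacting us."
)


class ConsentError(ValueError):
    """Raised when a form submission cannot count as valid consent."""


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Assumed helper: timezone-aware UTC timestamps so 'when' is unambiguous."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def text_fingerprint(text: str) -> str:
    """SHA-256 of the verbatim wording, so the record proves which version was agreed to."""
    return sha256(text.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    lead_id: str
    form_id: str
    consent_text: str            # exact wording displayed on the form
    consent_text_hash: str       # fingerprint of that wording
    purpose: str                 # the specific purpose, e.g. "mortgage advice"
    max_recipients: int          # how many advisers the wording permits sharing with
    given_at: datetime           # UTC time of the consumer's affirmative action
    withdrawn_at: Optional[datetime] = None


def record_consent(lead_id: str, form_id: str, consent_text: str, purpose: str,
                   max_recipients: int, box_ticked: bool, box_prechecked: bool,
                   given_at: datetime) -> ConsentRecord:
    """Build a record only when the submission is a clear affirmative action."""
    if box_prechecked:
        raise ConsentError("pre-ticked box: not an affirmative action")
    if not box_ticked:
        raise ConsentError("consent box left unticked")
    if given_at.tzinfo is None:
        raise ConsentError("timestamp must be timezone-aware")
    return ConsentRecord(lead_id, form_id, consent_text, text_fingerprint(consent_text),
                         purpose, max_recipients, given_at.astimezone(timezone.utc))


def verify_record(record: ConsentRecord, displayed_text: str) -> bool:
    """Answer 'what did they agree to?': the stored hash must match the wording claimed."""
    return record.consent_text_hash == text_fingerprint(displayed_text)


def withdraw(record: ConsentRecord, at: datetime) -> ConsentRecord:
    """Withdrawal takes effect from 'at'; it does not rewrite earlier processing."""
    record.withdrawn_at = at.astimezone(timezone.utc)
    return record


def processing_allowed(record: ConsentRecord, at: datetime) -> bool:
    """Consent covers processing from given_at up to, but not including, withdrawal."""
    at = at.astimezone(timezone.utc)
    if at < record.given_at:
        return False
    if record.withdrawn_at is not None and at >= record.withdrawn_at:
        return False
    return True


def can_share(record: ConsentRecord, already_shared_with: int) -> bool:
    """'One adviser only' means a second recipient is outside the consent given."""
    return already_shared_with < record.max_recipients


if __name__ == "__main__":
    rec = record_consent("lead-0001", "mortgage-form-v1", CONSENT_TEXT_V1,
                         "mortgage advice", 1, box_ticked=True,
                         box_prechecked=False, given_at=utc(2024, 5, 1, 9, 30))
    print("wording verified:", verify_record(rec, CONSENT_TEXT_V1))
    print("share with 1st adviser:", can_share(rec, 0), "| with 2nd:", can_share(rec, 1))
    withdraw(rec, utc(2024, 6, 1))
    print("processing allowed 15 May:", processing_allowed(rec, utc(2024, 5, 15)))
    print("processing allowed 2 June:", processing_allowed(rec, utc(2024, 6, 2)))
```

Storing the hash alongside the verbatim text is what lets you answer a regulator or a data subject request months later: if the form wording was changed after the lead was captured, the hash tells you which version this consumer actually saw. The same record is the natural place to log the withdrawal, so the erasure and suppression processes in the checklist can be driven from one source.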
What We Do at Lurvo Digital
Transparency about our own practices: every lead we generate includes explicit, specific consent from the consumer to be contacted by a financial adviser about the product they enquired about. Our forms include clear consent language and a link to our privacy policy. We maintain complete consent records for every lead and can provide these on request.
We're registered with the ICO, and we have data processing agreements in place with all of our broker clients. Lead data is transmitted securely via encrypted connections, and we have clear data retention policies.
If you have questions about our GDPR compliance or want to see our consent language, privacy policy, or data processing agreement template, get in touch and we'll share everything openly.
For related information on regulatory compliance, see our FCA compliance and lead generation guide.