management
Written by

Ben Glass
Product Marketing Manager
Sharing links



Last updated •
Summarize with AI
TL;DR: You do not always need explicit client consent to process data through AI tools. Under GDPR Article 6(1)(f), legitimate interests may often be a workable lawful basis for administrative AI processing, including drafting suitability reports and meeting notes, because it can avoid the conflict between consent withdrawal and FCA retention obligations. Your firm remains the Data Controller and bears full regulatory responsibility. AI must only generate drafts for professional review, never autonomous advice decisions. AdvisoryAI provides UK data residency and zero model training on client data. Atlas exposes its reasoning step by step via Adaptive Thinking so every query is auditable across sessions, Emma cites sources within generated reports, and Colin produces a timestamped pass/fail record for every compliance check.
Many UK advice firms are already using AI for meeting notes and suitability report drafting, yet hesitate to extend that use further because of a persistent belief that explicit client consent is required for every instance of AI processing. That belief is both understandable and, in most cases, incorrect. By understanding how ICO guidance on AI applies to daily advice workflows, from meeting transcription to suitability report drafting, firms can establish a lawful basis for AI processing while maintaining the human oversight that both GDPR and FCA Consumer Duty require.
Legal Disclaimer: This guide is for informational purposes and does not constitute legal advice. For advice specific to your firm's circumstances, consult a qualified data protection professional. References to GDPR Article 6 and ICO guidance on AI and data protection are included to ground the practical recommendations in authoritative sources.
Protecting Client Data in AI Workflows
Client files in a UK advice firm typically contain highly sensitive personal data: names, addresses, health conditions, National Insurance numbers, income, liabilities, and family circumstances. Any time this data flows into a third-party tool, GDPR applies and the firm is responsible for what happens next.
When AI Usage Triggers GDPR Rules
GDPR applies to any processing of personal data, and processing typically covers a wide scope: collecting, storing, analysing, generating, or transmitting data about an identifiable individual. Transcribing a client meeting recording, feeding a fact-find into a report-drafting tool, or querying a client database in natural language all trigger GDPR obligations, regardless of which tool handles the task.
The ICO is clear on this: before any personal data is processed, the organisation must identify a valid lawful basis and document it. That requirement applies equally to AI tools as to any other processing activity.
Lawful AI Data Use: ICO Guidance
The ICO requires firms to identify a lawful basis under GDPR Article 6, assess whether the processing constitutes high-risk activity that warrants a Data Protection Impact Assessment (DPIA), and document both decisions in their records of processing activities. For financial advice firms, the combination of sensitive financial data and new AI technology is likely to result in high risk to individuals, making a DPIA typically necessary rather than optional. However, you may be able to justify not carrying out a DPIA if you are confident that the processing is nevertheless unlikely to result in a high risk, but you should document your reasons.
Key AI Use Cases in Advisory Firms
Common AI use cases in UK advice firms include meeting transcription and note production, suitability report drafting, and compliance checking of advice files. Each use case triggers the same GDPR question: who processes the data, under what lawful basis, and where does it go? Understanding that sequence before deploying any platform is the foundation of a defensible AI compliance position. You can see how AdvisoryAI handles meeting transcription and how Emma generates a suitability report from a firm's own templates once that foundation is in place.
One important relationship to understand is territorial scope. The EU AI Act applies only where a firm places AI systems or their outputs on the EU market, so most UK-only advice firms fall outside its scope. Where it does apply, it sits alongside UK GDPR: the AI Act categorises AI systems by risk level, while GDPR focuses specifically on personal data protection. According to Kennedys' 2026 analysis, both frameworks apply alongside each other for firms operating in the EU market.
Meeting GDPR Requirements for AI Data Processing
Why Legitimate Interest Often Wins
The consent misconception causes real operational harm. If you rely on consent as your lawful basis for AI-assisted documentation, clients can withdraw that consent at any time, which under GDPR would typically trigger an obligation to erase the data. But FCA record-keeping rules under SYSC 9 and COBS require firms to retain advice records for five years minimum, and indefinitely for pension transfers, pension conversions, and opt-outs. Beginning with consent and later facing withdrawal can create a conflict with those mandatory retention periods.
Legitimate interests under GDPR Article 6(1)(f) avoids this conflict. The three-part test:
Purpose: is the firm pursuing a legitimate interest?
Necessity: is AI processing necessary for that purpose?
Balancing: do the firm's operational interests outweigh the client's privacy interests?
Your firm can document these in a way that accommodates its regulatory obligation to retain advice records. The balancing test is case-specific and your firm must complete it for its particular processing activities, but for routine administrative AI drafting, the firm's compliance obligation and operational need may provide a credible legitimate interest when your firm properly assesses and records it.
Table 1: Lawful Basis Selection for AI Use Cases
Lawful Basis | Typical AI Use Case | Condition for Use |
|---|---|---|
Legitimate Interests (Art. 6(1)(f)) | Drafting meeting notes, generating suitability report drafts, compliance checking | Three-part test typically documented: purpose, necessity, balancing |
Contract (Art. 6(1)(b)) | Processing data necessary to fulfil the advice service agreement | Processing should be objectively necessary to deliver the contracted service |
Legal Obligation (Art. 6(1)(c)) | Retaining advice records to meet FCA SYSC/COBS requirements | Typically applicable only where processing is required by law, not commercial preference |
Consent (Art. 6(1)(a)) | Recording client meetings | Client can withdraw at any time; may create conflict with FCA retention obligations. Generally not recommended as sole basis for administrative AI processing |
AI Workflows and Lawful Basis Logic
There is a critical technical distinction that every firm using AI tools must understand: AI training versus AI inference. Training typically uses personal data to update the model itself, potentially incorporating client information into the system. Inference typically applies a pre-trained model to generate outputs without modifying the model. The personal data entered during inference is generally processed but not absorbed into the system's underlying weights.
Generic AI tools can carry a genuine GDPR risk: their default settings may enable model training on user inputs, which can raise data minimisation and purpose limitation concerns under UK GDPR. A platform that operates a zero-training policy, processing client data through inference only, addresses this risk directly. AdvisoryAI does not use client data to train its models. For any AI vendor you evaluate, confirm the model training policy in writing as part of your due diligence.
Documenting AI Processing for Compliance
GDPR's lawfulness and transparency principle connects directly to the FCA Consumer Duty requirement to act in good faith and provide a clear audit trail. The FCA expects firms to maintain clear oversight of any technology used in advice preparation, and your GDPR compliance documentation may serve as supporting evidence for Consumer Duty purposes, though the two frameworks have distinct requirements and neither substitutes for the other.
For every AI processing activity, document the lawful basis decision, the balancing test outcome, the vendor's data processing agreement, and the technical measures in place. The Intelliflo integration guide explains how structured outputs flow directly to the back-office system to maintain the audit trail.
When to Update Your Privacy Notice
Introducing any new AI vendor triggers an obligation to update your privacy notice. The ICO guidance indicates that firms relying on legitimate interests should identify that basis in their privacy disclosures and explain the interests in plain English. Consult your legal team to draft a clause covering your specific AI processing activities.
If a data breach occurs involving an AI processor, the 72-hour reporting window to the ICO typically begins from the moment your firm becomes aware. The ICO breach notification guide sets out the required process:
Contain: Initiate mitigation steps to prevent further exposure.
Assess: Complete a risk assessment covering data categories and individuals affected.
Notify: Submit the notification within 72 hours, including the nature of the breach, categories of individuals affected, likely consequences, and measures taken. You may provide information in phases if a full investigation is not possible within 72 hours, as long as this is done without undue further delay.
Review: Document lessons learned and update security measures accordingly.
Practical Steps for GDPR-Compliant AI Data Usage
What Data Should You Exclude from AI Tools
Data minimisation typically means feeding an AI tool only the personal data genuinely necessary for the task. The challenge arises with special category data under GDPR Article 9: health details for critical illness planning, vulnerability indicators, or mental health disclosures. Either redact these details before data enters the AI tool, or maintain them in a separate system with a documented Article 9 condition, such as explicit client consent for that specific processing activity.
Protecting Client Privacy in AI Workflows
The back-office systems most UK advice firms use, including Intelliflo, Iress Xplan, Plannr, and Curo, contain the canonical client record. Evie connects directly with these systems and pushes structured meeting outputs, including fact-find data, into the specific fields of the fact-find section in Intelliflo, Plannr, Curo, or Xplan. This covers personal information, investment details, and employment details without manual re-entry, keeping personal data within UK-hosted infrastructure throughout. The Intelliflo integration guide explains exactly how this handoff works and what data fields populate automatically.
How to Automate Client Data Deletion
Once structured notes are generated and pushed to the back-office system, your AI platform may be configured to clear the original recording and transcript according to your firm's retention policy. The typical workflow:
The meeting is captured via Teams, Zoom, or Google Meet.
The transcript is generated and structured notes are produced.
Data pushes to the back-office system (Intelliflo, Plannr, Xplan, or Curo).
The transcript and audio may be purged from the platform after a firm-configured period aligned to your retention policy.
This approach can support data minimisation by ensuring the original recording is not retained beyond the point where the compliant, structured record exists in the firm's permanent back-office system.
Configuring AI Capabilities for GDPR Compliance
Firms introducing AI meeting capture should document how raw recordings are handled, confirm which conferencing platforms the tool supports to avoid data routing through unknown third-party infrastructure, and establish a retention policy that clears transcripts once structured outputs are pushed to the back-office system. AdvisoryAI records via Microsoft Teams, Zoom, or Google Meet, so client meeting data does not need to leave your existing conferencing environment.
Once structured notes are generated, the raw transcript may be cleared according to your firm's retention policy. Emma generates suitability reports from your firm's own templates rather than a vendor-standardised format, which means document structure and data fields remain under your firm's control throughout. See the full meeting notes workflow and suitability report generation process on the AdvisoryAI website.
Maintaining Human Control over AI Decisions
Mandatory Manual Checks for AI Data
GDPR Article 22 grants individuals the right not to be subject to decisions based solely on automated processing when those decisions produce legal or similarly significant effects. For financial advice, virtually every output, from an investment recommendation to a retirement income plan, carries significant effect. This means AI should function as the author, not the decision-maker.
Think of this as the author-to-editor shift: Evie or Emma generates the draft, and the adviser reviews, edits, and takes professional responsibility for the final output. Professional judgment stays with the adviser. The manual writing work does not. For a practitioner-level discussion of where that boundary sits, AdvisoryAI's CEO Alan Gurung covers the adviser oversight question directly in this interview with Intelliflo.
For this to satisfy GDPR Article 22, the adviser's review must be meaningful and substantive, not a rubber-stamp of the AI draft. The SCHUFA judgment confirmed that a human formally in the loop is not sufficient; the adviser must genuinely assess the output, apply professional judgment, and retain the ability to override it. That substantive review also supports Consumer Duty's requirement for demonstrated care and judgment applied to each client's outcome.
Note that Article 22 is due to be replaced by Articles 22A-22D under the Data (Use and Access) Act once commenced. Until then, the current Article 22 regime applies, and firms should monitor ICO guidance for updated compliance requirements as the new provisions take effect.
Managing AI Data Logs for GDPR
Every AI processing activity should generate a log entry that typically records what data was processed, by which tool, at what time, and who reviewed the output. Maintaining these logs supports the ICO's accountability principle and helps provide the FCA with the kind of evidence it expects when examining Consumer Duty compliance.
Atlas's Adaptive Thinking feature, released May 2026, makes the audit trail visible. Advisers see each reasoning step Atlas took, from analysing the request to loading a client profile, and that reasoning persists across sessions so older queries remain auditable. See the Atlas interface in action.
Checking AI Work for GDPR Compliance
Colin, AdvisoryAI's compliance checking capability, runs 42 automated checks on suitability reports and multi-category checks on fact-finds, covering areas including client profiling completeness, risk assessment adequacy, and recommendation suitability. Colin is system-agnostic: it checks any suitability report against FCA Consumer Duty and COBS standards, not just documents created within AdvisoryAI.
A compliance report shows a colour-coded pass/fail status per category with a percentage score, for example 95.24% compliant equating to 40 of 42 checks passed, alongside guidance for any failed checks. This gives every advice file a documented, time-stamped record of the checks performed before the document left the adviser's desk. Watch Colin's compliance checking demonstration for a full walkthrough.
Contractual Requirements for AI Data Processing
Essential GDPR Checks for AI Vendors
Before signing with any AI vendor, confirm the following in writing:
Data residency: Where is the data hosted, and does it remain in the UK or EEA?
Model training policy: Does the vendor use client data to train or improve its models?
Sub-processor disclosure: Which third-party services process your data, for example LLM providers?
Breach notification commitment: Will the vendor notify you without undue delay if a breach occurs?
Data deletion rights: Can you request deletion of all client data held by the vendor, and within what timeframe?
The penalties for getting this wrong are significant.
Table 2: GDPR Risk and Penalty Summary
Violation Category | Maximum Fine |
|---|---|
Less serious violations (lower tier), e.g. technical obligations | £8.7 million or 2% of global annual turnover, whichever is higher |
Serious violations (upper tier), e.g. unlawful processing, breach of data subject rights | £17.5 million or 4% of global annual turnover, whichever is higher |
ICO fining guidance under UK GDPR and DPA 2018.
GDPR Requirements for AI Vendor Contracts
Under GDPR Article 28, any AI vendor processing personal data on your behalf should sign a Data Processing Agreement confirming they will only act on your written instructions. The firm is typically the Data Controller. The AI vendor is typically the Data Processor.
Table 3: Controller vs. Processor Responsibility Map
Responsibility | Data Controller (Advice Firm) | Data Processor (AI Vendor) |
|---|---|---|
Typically determines purpose and means of processing | Yes | No |
Typically selects the AI tool and defines scope | Yes | No |
Typically conducts DPIA and lawful basis assessment | Yes | Assists only |
Processes data per written instructions | No | Yes |
Typically implements technical security measures | Yes | Yes |
Typically notifies Controller of breach without undue delay | No | Yes |
Typically bears ultimate regulatory responsibility | Yes | No |
Managing Offshore AI Hosting Risks
US-based hosting can create compliance friction under GDPR Articles 44-49, which require adequate safeguards when transferring data outside the UK or EEA. AdvisoryAI holds Cyber Essentials certification, hosts all client data in AWS London, and has ISO 27001 in progress. Review the AdvisoryAI privacy policy for specific data handling commitments.
Notifying Clients of AI Sub-processors
If your AI vendor uses sub-processors, for example a large language model provider that handles text generation, your firm should disclose this in your privacy notice. Request a full sub-processor list from any vendor before signing a contract, and ensure the Data Processing Agreement binds sub-processors to the same data protection obligations.
Disclosing AI Processing to Maintain Client Trust
How to Discuss AI with Clients
Firms using AdvisoryAI report that clients often accept AI-assisted note-taking when it is explained clearly. A straightforward explanation works well: "We use an automated assistant to capture our meeting notes so I can focus entirely on our conversation rather than typing on a screen. Your data stays within UK-hosted systems and is never used to train AI models." This framing addresses common client concerns: that the adviser is present and listening, and that their data is not going somewhere uncontrolled. Alan Gurung also addresses the broader question of AI's role in the advice relationship in this conversation with LifeTalk, which may be useful context when preparing how to explain AI tools to clients.
For more context on managing recording opt-outs while maintaining productivity, see the client consent and recording guide on the AdvisoryAI blog.
Updating Privacy Notices for AI Capabilities
When you introduce a new AI vendor, update your privacy notice to disclose the AI processing, identify your lawful basis, and explain the interests in plain English as required by the ICO. Consult your legal team to draft a clause that covers your firm's specific processing activities, retention periods, and the client's right to object.
Client Objections to AI Processing
When a client objects to AI processing of their data, a recommended protocol includes:
Acknowledge: Confirm in writing that you will respect the request.
Suspend: Stop AI processing for that client's records immediately.
Switch: Use manual note-taking or dictation for all future meetings with that client.
Confirm: State in writing that opting out carries no disadvantage to service quality or advice suitability.
Document: Record the objection in the client file and flag it in the back-office system to ensure consistent enforcement.
This approach can address the right to object under GDPR Article 21 and demonstrates to the FCA that the firm respects client autonomy even where legitimate interests would technically permit AI processing.
Performing a DPIA for AI-Driven Advice Tools
Which AI Use Cases Trigger a DPIA
For UK advice firms, the combination of sensitive financial data (and often special category health data) with new AI technology typically triggers a DPIA requirement under ICO guidance. This applies to meeting transcription tools, suitability report drafting platforms, and compliance checking tools that process advice files.
The ICO requires a DPIA when processing is likely to result in a high risk to individuals, and using innovative technologies or novel applications of existing technologies (including AI) is a key triggering factor. While you may be able to justify not carrying out a DPIA if you are confident the processing is unlikely to result in high risk, you must document your reasons. Firms should assess each new AI deployment against the ICO's high-risk criteria before going live.
Identifying Potential GDPR Vulnerabilities
Common risks in AI-assisted advice workflows:
Data leakage to public AI models with model-training enabled
Unauthorised access through inadequate access controls on the AI interface
Offshore hosting exposure transferring data outside the UK
Retention policy gaps allowing transcripts to be stored beyond the firm's stated period
Sub-processor opacity with undisclosed LLM providers processing client data
How to Document Your AI Safeguards
Use this checklist when completing a DPIA or processing LOA packs via AI tools:
Lawful basis: Identify the lawful basis (often legitimate interests) and document the three-part test: purpose, necessity, and balancing.
DPIA: Complete a DPIA covering data categories, access controls, vendor contracts, and retention policies.
DPA: Confirm the vendor's Data Processing Agreement is signed and covers sub-processors.
Residency and training policy: Confirm UK or EEA data residency and the vendor's model training policy in writing.
Automated deletion: Consider configuring deletion of transcripts and AI-generated drafts once outputs are pushed to the back-office system.
Privacy notice: Update the firm's privacy notice to disclose AI processing and the lawful basis relied upon.
Objection protocol: Establish a process for handling client objections and document it in the firm's internal procedures.
Compliance checks: Run Colin on every suitability report before it leaves the adviser's desk.
Activity log: Record AI processing activity (tool used, data category, date, reviewing adviser) for ICO and FCA audit purposes.
The AdvisoryAI AI buyers guide covers vendor selection criteria in detail, including how to evaluate data residency commitments and model training policies before committing. For multi-adviser firms, consolidators, and investment management firms, where DPIA obligations, documentation consistency across adviser teams, and governance audit trails carry the greatest regulatory weight, the checklist above applies at scale across every adviser and every client file. Request a demo to see how Evie, Emma, and Colin work within Atlas across your firm's existing templates and back-office systems, or start a 14-day free trial with no credit card required, a 30-day money-back guarantee, and no commitment to continue. Annual plans include a 10% discount.
FAQs
Does AI Processing in Advice Firms Require Explicit Client Consent?
Not always. Consent is one of six lawful bases under UK GDPR, and for administrative AI processing it is often not the most appropriate one. If a client withdraws consent, GDPR would typically trigger an erasure obligation that may directly contradict FCA record-keeping rules requiring retention for five years or more. Legitimate interests under GDPR Article 6(1)(f), supported by a documented three-part test, may be a more workable basis for routine AI drafting because it can accommodate mandatory FCA retention periods.
Who Is Responsible for AI-Drafted Suitability Reports?
The advice firm is the Data Controller and the adviser bears regulatory responsibility for the final output. AI generates drafts for professional review, not autonomous decisions, and under GDPR Article 22, clients retain the right not to be subject to decisions based solely on automated processing that produces legal or similarly significant effects. That review must be genuinely substantive: the SCHUFA judgment established that a human formally in the loop does not meet the standard, so the adviser must apply real judgment, remain able to override the output, and ensure the client retains the right to human intervention, to express their view, and to contest the outcome. That standard also supports FCA Consumer Duty obligations
Can UK Advice Firms Use Overseas AI Providers?
Only with adequate safeguards under GDPR Articles 44-49. Without a valid transfer mechanism, sending client data to a US-hosted AI platform creates a UK GDPR compliance risk, which is why UK data residency is a core due diligence requirement when evaluating any AI vendor.
How Long Must AI Processing Records Be Retained?
Your firm should retain AI processing logs and AI-generated outputs in line with FCA COBS retention rules: five years minimum for most advice records, and indefinitely for pension transfers, pension conversions, and opt-outs. The same periods that apply to your advice files apply to the AI-generated outputs and the logs documenting how those outputs were produced and reviewed.
Key Terms
Data Controller: The firm that determines the purpose and means of processing personal data. In a UK advice firm using AI for documentation, the advice firm is typically the Data Controller and bears full regulatory responsibility for how it processes client data.
Data Processor: A third party that processes personal data on behalf of the Data Controller, acting only on written instructions. An AI vendor handling meeting transcripts or report drafts typically operates as a Data Processor under GDPR Article 28.
Lawful Basis: One of six conditions under GDPR Article 6 that your firm must identify and document before processing any personal data. Common bases in AI-assisted advice workflows include legitimate interests, contract, and legal obligation.
Legitimate Interests: A lawful basis under GDPR Article 6(1)(f) that permits processing where the firm can demonstrate a genuine purpose, a necessity for that processing, and that its interests are not overridden by the individual's privacy rights. Documented through a three-part test covering purpose, necessity, and balancing.
Data Protection Impact Assessment (DPIA): A structured assessment required by the ICO before processing that is likely to result in high risk to individuals. For UK advice firms introducing AI tools that handle sensitive financial data, a DPIA is typically required rather than optional.

Subscribe to our newsletter
Get an AI summary of AdvisoryAI
For questions or partnerships,
contact us at team@advisoryai.com
For product support, help, contact us at support@advisoryai.com
Solutions
Compare












