Wealth Analytica handles UK GDPR and DPA 2018 obligations as part of the client lifecycle. Consent is captured at fact-find against the firm's documented lawful basis; retention schedules trigger reviews automatically; data-subject access requests generate a sealed pack from the live record; withdrawals propagate everywhere the record is referenced. No second tool, no quarterly compliance project.
What the regulation actually asks for
UK GDPR plus the Data Protection Act 2018 ask an IFA firm for six concrete things: a documented lawful basis for each processing activity, an explicit consent record where consent is the basis, a retention policy you actually follow, a process for honouring data-subject rights (access, rectification, erasure, portability, objection) inside one month, breach reporting, and a data-protection impact assessment for higher-risk processing. The ICO's enforcement notices in 2024 and 2025 made plain that the regulator is auditing process, not paperwork.
Most IFA firms meet four of those six well, two of them in a side spreadsheet that no one's reviewed in eighteen months. We've built the side-spreadsheet job into the platform.
Consent at fact-find, by lawful basis
Consent isn't a single tick-box. The firm has different lawful bases for different activities: contract for the advice, legitimate interest for ongoing service review, consent for marketing. The fact-find captures each one separately with the wording your firm uses, time-stamped against the client's signature. The audit pack shows which basis applies to which processing activity on this client, today.
When the client withdraws marketing consent two years later, the system removes them from the marketing audience, leaves the contract-based processing intact, and writes the change to the audit log. A reviewer asking "show me how this client's marketing preferences have changed over time" gets a clean answer.
Retention schedules that actually trigger
Most retention policies look impressive on paper and lapse in practice. Ours runs as a workflow. Files reach the retention threshold, the system surfaces them for review against the firm's policy (seven years from last contact for most IFA records, longer where there's an open complaint or a continuing service relationship), and the paraplanner either confirms continued retention with a documented reason or executes the deletion with a sealed audit pack.
DSAR workflow built in
A data-subject access request used to be a half-day exercise: pulling the CRM record, the email thread, the fact-find PDF, the suitability report, the proposal, the ongoing-review notes, the LoA correspondence. Inside Wealth Analytica the data already lives in one place. A DSAR generates a sealed PDF pack of everything held against that client across the platform, with redactions applied automatically where third parties are named. The one-month statutory window stops being a deadline you sweat and becomes a four-hour job.
The same machinery handles rectification, erasure (where lawful — the seven-year FCA retention rule continues to outrank GDPR erasure for most client records), portability and objection requests.
Breach reporting and DPIAs
A documented breach-reporting process is part of the system, not a Word document on a shared drive. If a paraplanner flags a potential breach, the workflow times the 72-hour ICO notification window and surfaces the supporting evidence. The data-protection impact assessment template covers the higher-risk activities most IFA firms have (profiling for vulnerability, marketing to data subjects, automated decision support in portfolio analysis) and lives versioned against the firm's record.
Where this fits the pipeline
Data management isn't a stage on the pipeline — it's a layer underneath it. Consent is captured at fact-find. Retention triggers on every record. DSAR pulls from every stage. The work that used to live in a separate ICO-shaped tool lives where the data is.
Audit your data position in an hour
A trial seat, your firm's consent text and retention policy loaded into the sandbox, and a sample DSAR run end to end. You'll see where the work currently lives and where it would live with us.
Last reviewed: 15 May 2026 · Author: Michael Fasosin · Editor: Anthony Marris · See our editorial policy for our sourcing and review standards.