GDPR Policy

Regulatory requirements

One of the threshold conditions that the Firm is required to meet is appropriate resources. Resources in this context refers to the Firm’s systems and controls.

Principle 3 of the FCA’s Principles for Businesses requires a firm to control its affairs responsibly and effectively, with adequate risk management systems. This principle is supplemented by the FCA’s conduct rules, which require claims management firms to have systems and controls in place to ensure that any lead generators that generate leads for the Firm obtain the leads in compliance with FCA rules, the GDPR and PECR.

Due diligence process

Prior to obtaining leads from a third party for the first time, the Firm will check the FCA register to establish whether the lead generator is FCA authorised and has the correct permission.


The Firm will carry out a due diligence check on a lead generator before it accepts leads from that generator for the first time.

The Firm will refresh its due diligence check on a lead generator at appropriate intervals depending on the frequency with which the lead generator supplies leads to the Firm.


The Firm will notify the FCA if a lead generator is not authorised and the Firm is not satisfied that the lead generator is carrying out unregulated activity or is exempt from authorisation. The Firm will submit a notification to the FCA using the form in SUP 15 Annex 4R.

Record keeping

The Firm will maintain a record of its due diligence checks within its Due Diligence Form.


The Firm will conduct a review of this policy on an annual basis, or sooner, if triggered by internal changes (e.g. business process changes) or external changes (e.g. changes in law).