
Sector-Specific Data Protection
Data protection for telecoms operators, financial services firms and regulated businesses
Sector-specific data protection requires more than a general understanding of the UK GDPR and Data Protection Act 2018. Regulated industries operate under overlapping legal frameworks where data protection obligations interact with sector-specific rules on confidentiality, security, consumer protection and lawful interception. bratby.law advises clients at the intersection of these regimes, with particular depth in telecoms and financial services.
Telecoms data protection
Telecoms operators are subject to a distinct layer of data protection rules that sit alongside the UK GDPR. The Privacy and Electronic Communications Regulations 2003 (PECR) impose specific obligations on the processing of traffic data, location data, itemised billing records and subscriber information. PECR also governs direct marketing by electronic means, including rules on unsolicited calls, texts, emails and the use of automated calling systems.
The Communications Act 2003 adds further requirements. Section 135 gives Ofcom power to require operators to provide data for regulatory purposes. Sections 393 to 395 restrict the disclosure of information obtained under the Act. The Telecommunications (Security) Act 2021 imposes network and service security obligations that directly affect how operators store, process and transmit personal data, with detailed requirements set out in the Telecommunications Security Code of Practice.
Operators must also manage the intersection with lawful intercept requirements under the Investigatory Powers Act 2016, which requires the retention of communications data and the capability to give effect to interception warrants. Balancing these obligations with data minimisation and storage limitation principles under the UK GDPR requires careful legal analysis. For more on these requirements, see our page on lawful intercept and the Investigatory Powers Act.
Financial services data protection
Financial services firms face a comparable overlay of sector-specific data obligations. The FCA Senior Managers and Certification Regime assigns personal accountability for data governance and operational resilience. The FCA Handbook provisions on systems and controls (SYSC) require firms to maintain adequate arrangements for data security, record-keeping and management information.
Payment service providers authorised under the Payment Services Regulations 2017 must comply with the FCA’s data governance expectations, including safeguarding requirements that dictate how client money records are maintained and protected. Open banking and variable recurring payments introduce additional data sharing obligations under the FCA’s open banking framework. For firms operating in the payments sector, see our dedicated payments regulation practice.
The Consumer Duty (PRIN 2A) requires firms to act to deliver good outcomes for retail customers. This has direct data protection implications: firms must be able to demonstrate that their use of personal data in product design, pricing, communications and customer support meets the Duty’s evidential standards. Firms using algorithmic decision-making or AI-driven tools must ensure these systems do not produce discriminatory outcomes, a requirement that overlaps with UK GDPR Article 22 protections on automated decision-making.
Data protection for AI-enabled products in regulated sectors
Regulated firms increasingly deploy AI-enabled products for fraud detection, credit scoring, customer service automation and network optimisation. Each of these applications processes personal data and engages data protection requirements alongside sector-specific rules. The key challenges include establishing a lawful basis for training data, managing data subject rights in the context of machine learning models, and conducting data protection impact assessments that account for sector-specific risks.
The Data (Use and Access) Act 2025 introduces new provisions on automated decision-making that will affect how regulated firms deploy AI. The Act modifies the existing Article 22 framework and introduces new requirements for meaningful human review. Firms must also consider the expectations of their sector regulators: the ICO has published guidance on AI and data protection, the FCA has issued discussion papers on AI in financial services, and Ofcom’s approach to AI in communications is evolving as the Online Safety Act 2023 regime matures. For detailed guidance on AI governance frameworks, see our page on AI and automated decision-making.
Cross-border data issues in regulated sectors
Regulated firms face particular complexity in cross-border data transfers. UK adequacy regulations, the International Data Transfer Agreement (IDTA) and standard contractual clauses provide the general framework, but sector-specific restrictions can apply. Telecoms operators handling lawful intercept data face restrictions on where that data can be processed and stored. Financial services firms must comply with FCA and PRA expectations on outsourcing and third-party risk management, including requirements in SYSC 8 on the location and security of outsourced functions. For more on transfer mechanisms, see our page on data governance, transfers and accountability.
How bratby.law helps with sector-specific data protection
Our sector-specific data protection advice draws on direct experience of the regulatory regimes that apply alongside the UK GDPR. Rob Bratby’s career at Oftel, as General Counsel at COLT Telecommunications and TelXL, and as General Counsel to UK Payments Initiative Limited, means we understand how data protection obligations operate in practice within telecoms and financial services.
We advise on:
- PECR compliance for telecoms operators, including traffic data retention, location data processing and direct marketing rules
- Communications Act 2003 data disclosure obligations and section 135 information requests
- TSA 2021 security requirements and their interaction with UK GDPR security obligations
- FCA and PRA data governance expectations for payment service providers and regulated financial services firms
- Consumer Duty data implications, including evidential standards for AI-driven customer outcomes
- Data protection impact assessments for AI-enabled products in regulated sectors
- Cross-border data transfer strategies that satisfy both data protection and sector-specific rules
- ICO engagement and regulatory correspondence on sector-specific data issues
Need sector-specific data protection advice? Book a call to discuss your requirements.
Frequently asked questions about sector-specific data protection
How does PECR interact with the UK GDPR for telecoms operators?
PECR imposes additional rules on the processing of traffic data, location data and subscriber information that sit alongside the UK GDPR. Where both regimes apply, the more specific PECR rule takes precedence for the processing it covers. Operators must comply with both sets of requirements and should map their data processing activities against each regime to identify overlaps and gaps.
What are the FCA’s expectations for data governance in payments firms?
The FCA expects payment service providers to maintain data governance arrangements proportionate to their size and activities. This includes clear accountability under the Senior Managers regime, robust systems and controls under SYSC, secure management of safeguarded funds records, and compliance with the Consumer Duty’s requirements for fair treatment in data-driven customer interactions. Firms using AI or automated tools face additional scrutiny on model governance and outcomes monitoring.
Do I need a separate DPIA for AI systems in a regulated sector?
In most cases, yes. AI systems that process personal data at scale, profile individuals, or make automated decisions with legal or significant effects will trigger a DPIA requirement under UK GDPR Article 35. In regulated sectors, the DPIA should also address sector-specific risks, including compliance with the relevant regulator’s expectations on algorithmic fairness, model validation and consumer outcomes.
Can telecoms operators transfer lawful intercept data outside the UK?
The Investigatory Powers Act 2016 and associated regulations place restrictions on the processing and storage of communications data retained for lawful intercept purposes. While the UK GDPR’s international transfer framework applies to personal data generally, intercept-related data is subject to additional controls that may prevent or restrict transfer to jurisdictions outside the UK. Operators should take specific legal advice on their retention and storage arrangements.
Why Choose bratby.law?
Telecoms, data protection and payments regulation lawyers
bratby.law advises on telecoms regulation, data protection, payments regulation and transactions across the communications, financial services and technology sectors.
Regulation
We advise on regulation across the telecoms, data and payments sectors. Our work covers telecoms regulation, data protection and data governance, payments regulation, consumer protection, market entry, ongoing compliance, regulator engagement, investigations and enforcement.
Independent directory rankings
Our specialist expertise is recognised in major independent legal directories:
- Chambers & Partners: Rob Bratby is ranked in the UK Guide 2026 in the “Telecommunications” category
- The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms)
- Lexology: Rob Bratby is featured on Lexology’s expert profiles (Global Elite Thought Leader)