Our Data Privacy Notice



This notice informs you how we use the information you give us and how Gibson Lamb protects your privacy. It also explains your rights under the UK Data Protection Act 1998 and the EU General Data Protection Regulations 2018. We abide by UK Law and our data protection regulator within the UK is the Information Commissioner’s Office (details below). Our licence number is Z9414353. This can be checked on www.ico.org.uk.

Why do we collect and store your Information?

We aim to offer advice that helps you plan your financial future. To provide such a service, we may need to collect personal data such as employment, income, expenses, financial arrangements you hold, family details or your legal commitments.

Medical details may be required to provide relevant insurance products and / or claims handling services that may be suitable. Any medical details will always be kept confidential within the firm and if shared will be marked Private & Confidential to the Chief Medical Officer.

Your information may be used to introduce you to a range of products and services we offer, to help with ongoing administration, to contact you with any review or changes that are applicable, for our own business research and analysis or for the processing of a claim.

Withholding of the required data may result in an insufficient service being provided or future claims being declined.

We may obtain data from individual customers, from introducer companies or from employers.

Our basis for processing your data

We are a ‘data controller’ under the terms of GDPR and there are six lawful bases for processing data, but only the first four are likely to apply to Gibson Lamb’s clients.

As a client, the first basis will apply; consent. By signing this document, you are consenting to us processing your data.

The second basis, legitimate interest pursued by a controller, applies should we wish to contact an existing client who has not given us consent. The communication might be information that we consider to be of interest, such as changes to pension legislation for retired clients. Importantly, this basis only allows for non-electronic marketing (i.e. via the post), and does not allow emails, SMS or telephone.

The third basis, necessity, applies when passing your details to a ‘platform provider’ (or insurance company in old parlance), in order to complete our contractual obligations such as processing a new investment. This basis also applies when a prospective client sends some basic financial information which needs to be processed before deciding what level of service might apply.

The fourth basis, legal obligation, applies when the Regulator, the FCA, or the Financial Ombudsman Service or a court requires us to provide information.

Sharing your data

As a part of our day to day processes, we may share your personal data with organisations that help us to provide our service. Examples are as follows: –

  • Our para planners who provide research, analysis, the generation of reports and administrative support.
  • Our ‘business mentors’ who sit on our Board and help us make long term strategic decisions.
  • Our external compliance support
  • Our investment research company
  • Our online valuation website provider
  • Our client relationship management software provider
  • Our secure client communications portal
  • Our cloud-based server platform
  • Our email, telephone, ‘word processing’ and calendar software
  • Our cloud storage software
  • Our email ‘pre-scan’ hosting company and disaster recovery plan partner
  • Our ‘third layer’ cloud-based backup software
  • Our physical paper file storage company
  • Your investment company or insurer with whom we obtain quotations and with whom we agree to place your business
  • Our accountants, for specialist tax or accountancy related guidance.
  • The Financial Conduct Authority with whom we are regulated, or other regulated bodies as required
  • Any Law enforcement entities as required in UK Law
  • Our identity verification and anti-money laundering software

We will not sell your information to any other third parties.

Data retention

We are not able to inform you at present of the period for which we propose to hold the Data but we will apply the following criteria to determining how long we hold it: –

  1. Is the contract with you still in place?
  2. Is the purpose for which the data was originally gathered still ongoing?
  3. Have we been advised to retain it for legal or regulatory purpose?
  4. Does the data relate to an existing investment?

Transfer of data outside of the EU/UK

We may be required to transfer your data outside of the EU/UK or the EU commission arrangements. This would include such countries as The United States (where Microsoft are based) and South Africa (from where the support for our main database, Xplan, is provided). In these circumstances, we will ensure that full safeguarding due diligence has been undertaken on the organisation to which data is being transferred.


We have in place a full information security policy, business continuity and disaster recovery plans. We take data security very seriously and have in place what we feel are the most secure options available to store and transfer your data securely. We can provide details on request.

Your rights regarding your data –

  • Should your data be inaccurate we will rectify this without delay
  • Should you wish us to delete your data at any point, please contact the office as shown below to request this, but please bear in mind our statement above about data retention.
  • Should you wish to transfer your data to another organisation, please contact the office as below and we will organise this for you
  • You can request access to your data at any time. We will provide you with a full copy within one month of your request
  • You can withdraw consent to us holding and processing your information at any time. Please contact the office as below should you wish to do this, but bear in mind our statement above about data retention
  • We may provide you with newsletters and bulletins which are appropriate to your plans on an ongoing basis. You can opt out of these should you wish to – contact us and tell us.

Our contact details

Should you wish to contact us in relation to any issues within this notice, please contact:

Person responsible for GDPR: Dave Lamb
Contact address: Gibson Lamb, 30 Watling Street, London, EC4M 9BR.
Contact telephone: 020 7839 3582
Contact email: dave@gibsonlamb.co.uk

You will be responded to as promptly as possible. We do not have an appointed Data Protection Officer.

Your right to complain

Should you wish to make a complaint in relation to data protection issues relating to our firm, you can contact us as above or you can contact our regulator as follows: –

The Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
0303 123 1113 (local rate)
01625 545 745 if you prefer to use a national rate number

Consent – We are required under the Regulations to obtain your consent to our collection, processing, sharing and holding of your personal data. Please ensure you have read this notice fully and accept all that it contains. If you have any queries, please contact us directly.

Please contact us should you not be able to read or understand this notice sufficiently.

Version 1.2