GDPR for Bridging Lenders: Data Retention, Borrower Rights, and What to Have in Place

The UK General Data Protection Regulation — retained in domestic law following Brexit as UK GDPR, supplemented by the Data Protection Act 2018 — imposes substantial obligations on any organisation that collects, processes, or stores personal data. For UK bridging and development lenders, these obligations are both more pervasive and more complex than many teams appreciate. Financial data about individuals is personal data. So is the information collected during borrower due diligence, the records of payment conduct, and the compliance documentation held in origination files.
This article is a practical guide to the GDPR obligations most relevant to bridging lenders — not a comprehensive legal reference but a plain-language overview of the areas where exposure is highest and where common compliance gaps tend to exist.
What Counts as Personal Data in a Lending Context
The definition of personal data under UK GDPR is broad: any information that identifies, or can identify, a living individual. In a lending context, this includes the obvious categories — names, addresses, passport numbers, and bank account details — but also a wide range of data that lenders may not always treat as personal data.
Ownership data may constitute personal data when it relates to identifiable individuals. Company officer records, including appointment and resignation dates, are personal data under UK GDPR. Credit conduct history, where it relates to a named individual rather than a corporate entity, is personal data. Payment history associated with a personal guarantee is personal data.
This has practical implications for how lenders store, access, and share this information. The test is not whether the information relates to a company — it is whether it can be used to identify or make inferences about a living individual. Much of the corporate data that bridging lenders collect and process satisfies this test and is therefore personal data.
Lawful Basis for Processing
Every processing activity involving personal data must have a lawful basis under UK GDPR. For bridging lenders, the most commonly applicable bases are: contract (processing necessary for the performance of a loan agreement), legal obligation (processing required by AML, KYC, and regulatory compliance requirements), and legitimate interests (processing that serves a genuine purpose proportionate to the privacy impact, where individual rights are not overridden).
Legitimate interests is the most flexible basis and the one most often used for monitoring and analytics activities that go beyond the immediate contract. Using Companies House data to assess borrower risk at origination is likely to be supportable under legitimate interests. Ongoing monitoring of parent company networks and charge data for borrowers with live facilities is also supportable — the lender has a genuine and proportionate interest in understanding changes to the corporate structure of entities in which it holds security.
Where legitimate interests is relied upon, a Legitimate Interests Assessment (LIA) should be conducted and documented. This records the purpose of the processing, the privacy impact on data subjects, and the balancing exercise that leads to the conclusion that legitimate interests outweigh individual privacy rights. The LIA does not need to be long, but it should be specific and honest about the nature of the processing.
Data Retention: The Most Common Compliance Gap
Data retention is the area where bridging lenders most commonly fall short of GDPR requirements. UK GDPR requires that personal data be kept for no longer than necessary for the purpose for which it was collected. In practice, many lenders retain origination files, KYC documentation, and payment records indefinitely — either because they have no documented retention policy or because the policy exists but is not enforced.
For bridging facilities, a reasonable retention framework covers: origination documentation (kept for the duration of the facility plus the relevant limitation period, typically 6 years), KYC and AML records (kept for 5 years following the end of the business relationship, as required by the Money Laundering Regulations), payment and arrears records (kept for the duration of the facility plus 6 years), and marketing and prospect data (kept only while the prospective relationship is active, with clear deletion processes on opt-out or non-engagement).
The practical challenge is applying retention schedules consistently across heterogeneous data stores — origination files in one system, KYC in another, payment records in a third. A data mapping exercise that identifies what personal data is held, where, and in what form is a necessary precondition for implementing a meaningful retention policy.
Individual Rights: Requests You Need to Be Prepared For
UK GDPR grants data subjects several rights that lenders must be prepared to respond to. The most practically significant for bridging lenders are: the right of access (a Subject Access Request, or SAR, under which an individual can request all personal data held about them), the right to rectification (correction of inaccurate data), and the right to erasure (deletion of personal data in certain circumstances).
SARs must be responded to within one calendar month of receipt. For lenders without a centralised data architecture, compiling a complete response to a SAR — covering all systems, email archives, loan files, and third-party data processors — is often a significant operational undertaking. The ICO expects responses to be complete and accurate; overlooking a system that holds personal data about the requester is a compliance failure.
The right to erasure is frequently misunderstood. It does not override legal obligations — a lender is not required to delete AML records within the retention period required by the Money Laundering Regulations simply because a former borrower has requested erasure. But it does apply to personal data for which there is no longer a lawful basis — marketing data, records retained beyond the applicable retention period, and data collected for a purpose that has since ceased to be relevant.
How Loan Intel Approaches Data Compliance
Loan Intel processes personal data in the course of providing its lending intelligence platform. The platform ingests Companies House data — which includes personal data about directors and parent companies — and uses it to produce risk analytics for lender clients.
The lawful basis for this processing is legitimate interests: the platform's clients have a genuine and proportionate interest in understanding the corporate risk profile of their borrowers, and the use of publicly available Companies House data for this purpose is a well-established practice in the lending industry. Loan Intel maintains a documented privacy policy, a data processing agreement available to all lender clients, and a data retention framework that limits the retention of personal data to periods consistent with the purposes for which it is held.
For lender clients, the processing activities on the Loan Intel platform should be documented in their own Records of Processing Activities (RoPA), and the Loan Intel data processing agreement should be in place as required by Article 28 of UK GDPR. If your team needs support with the documentation requirements associated with using the platform, our compliance team is available to assist.
Charlotte Coates
Director of Product & Strategy
Charlotte oversees platform strategy at Loan Intel, including the SPV Health Score methodology, lender intelligence tooling, and market data analysis for the UK short-term lending sector.
charlotte@www.loan-intel.com