The operating system for introducer-led growth

Do I need client consent before sharing their data with a referral partner?

Category: Compliance

Yes, on two grounds. First, under the ICAEW Code of Ethics and the DPB Handbook, firms must obtain informed client consent before making a regulated referral. The client must understand who their information is being shared with, the purpose of the referral, and any commercial arrangement between your firm and the receiving party. Second, under UK GDPR and the Data Protection Act 2018, sharing personal data with a third party requires a lawful basis. For referrals, the most appropriate basis is usually consent — particularly where the data sharing is not strictly necessary for the service the client originally engaged you for. Consent must be freely given, specific, informed, and unambiguous. A blanket clause in your engagement letter saying 'we may share your data with third parties' is unlikely to meet either the ICAEW or data protection standard. Best practice is to obtain case-by-case consent at the point of referral, explaining who you are referring them to, why, and what data will be shared. This can be captured in a brief consent form, an email exchange, or through a digital workflow. The important thing is that you can evidence the consent was obtained before the data was shared, not after. Firms using tools like RQ can automate this step, capturing consent digitally and storing it alongside the referral record for audit purposes.