Advisers have been warned they will need to cull potential clients from their databases of prospects from May if those on the lists do not explicitly consent to their data being held.
Under incoming European regulations, consumers will be given more control over their data and will be able to ask companies to delete it.
Advisers using online directories which bring together financial professionals with those seeking their services will also have to make sure any enquiries they get this way comply with the new rules.
One of the leading directories, VouchedFor, has warned it will not be doing this on their behalf. Rival Unbiased did not confirm its position despite repeated requests.
Lorraine Mouat, a specialist on the new rules, the General Data Protection Regulation, at compliance consultancy TCC, warned advisers a lack of response from clients on whether they could hold onto their data would not amount to consent.
She said: "Prospect lists should be treated in the same way as any personal data that a firm holds. First and foremost, firms need to make sure they have identified the legal basis they will be relying upon for processing any personal data relating to prospects.
"Then they will need to carry out a data audit to understand where all the personal data is stored. Using this information, firms will be better placed to undertake a data cleanse on all existing prospect data to ensure that only data that is necessary for a specific purpose is retained.
"Dependent upon the legal basis that firms are relying on, it may be necessary to review and update current consents to comply with the new requirements. Firms will need to ensure that they do not make contact with anyone who has previously withdrawn consent and they must provide a clear and easy mechanism for withdrawal of such consent.
"Where this is not possible, or where re-consent has not been gained, the data will need to be deleted or anonymised. Remember that lack of response does not equal consent."
She added using data for marketing without the consent of the person it belonged to would be effectively illegal from 25 May.
The Information Commissioner's Office has a range of powers to enforce GDPR, including warnings, reprimands, temporary or permanent bans on handling data and fines based on the size of the firm - up to €20m (£17.7m) or 4 per cent of annual turnover, whichever is greater.
It also has the right to order the deletion of data.
Caroline Bradley, risk and regulatory director at Tenet, said the network, among the UK's largest, is recommending to its members that they review their client databases to make sure they have the correct consents in place.
She said: "The key to keeping marketing activities compliant revolves around ensuring advisers have proper consent to market to their existing and potential clients. The level of consent varies depending on whether the marketing is done by email, telephone or postal mail."