Link(s): https://www.fca.org.uk/news/statements/fca-warns-firms-be-responsible-when-handling-client-data
Context
The current economic climate is having an impact in many ways, with many firms changing the way in which they operate, in some cases, merging or being acquired by other businesses or even choosing to leave the market entirely. The FCA has issued a statement reminding firms of their responsibilities to ensure that in the event of these changes, they lawfully process and transfer client data.
Key points to note
What firms need to consider
- Principles in the FCA Handbook:
  - Firms are required to organise and control their affairs responsibly and effectively, with adequate risk management systems (Principle 3).
  - Before transferring clients’ personal data, firms should consider whether this is fair to, and in the interests of, their clients (Principle 6).
  - Firms should also pay due regard to the information needs of their clients and communicate with them clearly and fairly (Principle 7).
Data protection legislation and the Information Commissioner’s Office
- Data protection legislation applies to data controllers such as firms, compliance consultants, insolvency practitioners and liquidators. The Information Commissioner’s Office (ICO) is responsible for regulating, and enforcing, information and privacy rights in the UK. Relevant legislation includes:
  - Data Protection Act 2018 (DPA)
  - General Data Protection Regulation (EU) 2016/679 (GDPR)
  - Privacy and Electronic Communications Regulations (EC Directive) 2003 (PECR)
How firms must protect client data
- GDPR requires firms to provide information to clients clearly setting out ‘privacy information’, which includes the purposes for which they are collecting or processing client data, and individuals’ rights when their data is processed.
- Further detail on the information that must be given when client data is collected, usually when taking on new clients, is available on the ICO’s Right to be informed page: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/
- Firms should generally ensure they maintain a record of how and why they process, share and retain personal data.
  - The ICO provides guidance on documentation which can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/documentation/
  - The ICO also provides guidance on records management and security expectations which can be found here: https://ico.org.uk/for-organisations/accountability-framework/records-management-and-security/
- Firms should also record the lawful basis for processing data. If data is being processed based on consent, an effective audit trail of how and when consent was given must be maintained.
  - The ICO provides guidance on obtaining, recording and managing consent which can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/consent/
- Further guidance for small businesses can be found here: https://ico.org.uk/for-organisations/data-protection-advice-for-small-organisations/
How the FCA protects consumer interests
- The FCA will act where breaches of relevant parts of the FCA Handbook are identified.
- Firms that intend to transfer or receive personal client data must be able to demonstrate how they have considered the fair treatment of consumers and how their actions comply with data protection and privacy laws.
The impact of Brexit
- GDPR currently has direct effect in the UK.
- At the end of the Brexit transition period the GDPR provisions will form part of retained EU law, with amendments made by DP exit regulations under the European Union (Withdrawal) Act 2018.
- The Data Protection Act 2018 and PECR will continue to apply, alongside the GDPR. There will be some amendments to ensure they work in a UK-only context.
- The ICO has produced guidance on data protection for the end of the transition period which is regularly updated and can be found here: https://ico.org.uk/for-organisations/data-protection-at-the-end-of-the-transition-period/data-protection-at-the-end-of-the-transition-period/
Other relevant links
- DP exit regulations: https://www.legislation.gov.uk/uksi/2019/419/introduction/made
- European Union (Withdrawal) Act 2018: https://www.legislation.gov.uk/ukpga/2018/16/contents
- Data Protection Act 2018: https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
- The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR): https://www.legislation.gov.uk/uksi/2003/2426