By 2020, the amount of data gathered will have reached 40 zettabytes (ZB). The General Data Protection Regulation (‘GDPR’) was created to unite principles of data privacy within Europe. Under the GDPR, the crucial requirement is that firms cannot store data for longer than necessary for the purposes for which it is being processed, unless this is for archiving purposes in the public interest (i.e. NHS, criminal records) or for scientific or historical research purposes.
The regulation contains not only rights but also duties…
In the event of a breach, firms must notify the Information Commissioner’s Office (‘ICO’) within 72 hours. But this is not the only authority that has to be notified. All concerned persons also have to be informed. This may be done by a public communication.
Although the Financial Conduct Authority (FCA) is not responsible for the GDPR, it has been including questions on GDPR preparation in conversations with the firms it regulates.
Regarding firms who provided their services on an advised basis, it is arguable that these firms should hold client data for as long as possible.
As such, there is some inconsistency among firms as to how to interpret GDPR expectations.
Lee Simmons, group compliance manager at national advice firm LEBC, stated, ‘Our policy will be to retain certain files indefinitely, such as defined benefit transfers, as this is mandated by FCA record keeping rules.’
LEBC intends to incorporate these procedures in other high-risk areas, such as investments to retail clients. ‘A claim can be brought before the Financial Ombudsman Service (FOS) within three years of the complainant becoming aware they had cause to complain,’ Simmons said.
In relation to other business activities, Simmons explained, LEBC will maintain the file ‘for claim purposes’ for six years after the end of the relationship.
Simmons added: ‘In all cases, after three years all files will be put into “deep” archiving. These will only be accessible by a limited number of individuals in a limited number of circumstances.’
Openwork stated its retention policy also depended on the type of product. A spokesman said: ‘For term products and investments, we retain data for seven years after the end of the contract. Some pension contracts require data to be kept indefinitely.’
An Old Mutual Wealth Private Client Advisers (OMWPCA) spokesman said that, depending on the product type and outside the FCA’s regulatory requirements, the firm could keep client data for up to 50 years following contract termination.
The FCA’s COBS 9.5 rules require firms to retain records relating to suitability indefinitely for pension transfers, pension conversions, opt-outs and free-standing additional voluntary contributions. If the advice relates to a life policy, personal pension scheme or stakeholder pension scheme, data must be retained for five years. For any other business, the regulatory minimum is three years.
However, if they intend to retain data beyond that, firms need to establish a lawful basis.
Simmons said LEBC ‘will not comply with such a request where to do so would violate any FCA record-keeping requirement’. He added: ‘However, unless LEBC has reasonable grounds to refuse to erase personal data, requests shall be complied with, and the data subject informed, within one month of receipt of the request.’
Old Mutual’s approach is more defensive: ‘Under Article 17 of the GDPR, we will assess any requests for erasure and carry them out where there is a valid basis to do so. Explicitly we will decline any requests where we have a lawful basis for retaining records.’
Linking ICO and FCA?
In terms of data retention, there may be some flexibility on the part of the ICO and the FCA towards firms who can demonstrate they have made substantial efforts to adapt to the new rules.
However, records can be crucial in deciding whether the advice given was suitable or not. Erasing files under GDPR requirements could result in complications for many firms. On the other hand, clients may not be satisfied with firms retaining their data for regulatory purposes.
One possible solution would be for the ICO and the FCA to establish joint guidance on the issues surrounding data retention and complaints.