GDPR and Data Retention Advice for Financial Services


Dealing with GDPR and data retention in financial services poses various challenges that must be overcome. In this blog post, we answer common questions around these issues and discuss changes that should be expected.

How will GDPR and data retention in financial services change in post-Brexit 2020?

Despite the arrival of 2020 and a supposed oven-ready Brexit deal, there is still some uncertainty as to whether we will see a No Deal Brexit and what this means for personal data flow between Europe and Britain.

As GDPR doesn’t tell you precisely what you need to do for data retention, you will need to:

  1. Make judgment calls on how long you should hold the data for
  2. Get into the position where you could prove to the regulator – the ICO in the UK – that you have grounds to hold and/or process the data

How do I know what data can and can’t be stored?

Firstly, you need to be able to show that the data you store is held for a legitimate purpose; where the law requires you to keep it, the law takes precedence.

There will be circumstances where you're collecting and using data that isn't covered by Financial Conduct Authority (FCA) or Prudential Regulation Authority (PRA) rules, such as personal data used for marketing purposes.

Generally, you can only use and store data for as long as it is required and if you have permission to use it.

How long is reasonable to keep data?

HMRC state that you should keep employee information for three years from the end of the tax year they relate to.

For your customers' financial records, the FCA Handbook sets different retention requirements depending on the type of data that you keep – see SYSC Sch 1 Record keeping requirements – and these can be anywhere between three and ten years.

The general rule of thumb is to prove that you can legally store and process the data. Identify the type of data you process and hold, along with the purpose of keeping it.

How should backups and archives be treated?

Firstly, make sure your live systems process and store only the data that is a business requirement, and that the data subject – the individual – has permitted you to process and store it.

Perform backups regularly and understand what is being backed up and how long those backups are kept. We recommend that you segregate backups depending on the type of data being backed up, or from which system that the data originates. This gives you the control to apply retention policies depending on the type of data being backed up.

A sliding window can then be applied that erases backups based on how old the data is, such as automatically deleting backup data over five years old for financial data and over three years old for employee data. Data is then dealt with as it falls outside this retention window.

Backup and archive systems should be designed to comply with the data subject’s right to erasure. In practice achieving this is very difficult in backup systems that haven’t been designed to rifle through systems looking for individual records. Therefore, a more pragmatic approach is needed.

Was advice from the ICO and FCA at odds?

The ICO and FCA worked together to make sure that GDPR and the FCA Handbook complemented each other[1]. The FCA says that its requirements apply alongside GDPR. Under the right to be forgotten principle, GDPR states that personal data can be retained where a legal obligation requires it:

For compliance with a legal obligation which requires the processing of personal data by Union or Member State law to which the controller is subject. This means GDPR gives way to the laws you need to abide by in your country. Therefore, in the UK, the FCA's – and Prudential Regulation Authority's – rules would need to be complied with.

And don’t forget HMRC rules for employee data. These state that employers can only keep the following data about their employees without their permission:

  • Name
  • Address
  • Date of birth
  • Sex
  • Education and qualifications
  • Work experience
  • National Insurance number
  • Tax code
  • Emergency contact details
  • Employment history with the organization
  • Employment terms and conditions – e.g. pay, hours of work, holidays, benefits, absence
  • Any accidents connected with work
  • Any training taken
  • Any disciplinary action

For full information, take a look at the HMRC website[2].

Practical steps that you can take to be GDPR compliant

  1. Understand where and what the data you store/process is
  2. Create a data retention policy that clearly states how long each type of data can be held for
  3. Create procedures for backing up the data, ideally segregating the backups and implementing automatic erasure procedures that delete data after a specified time, so that your backups comply with your data retention policy
  4. Ensure that all backups are secured – encrypted and access granted to specific staff
  5. If individual records cannot be accessed for deletion, ensure that archiving is used where access is very limited
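The sliding-window erasure described in the backups section and in practical steps 2, 3 and 5 above, as an added illustration (not code from the original post): backups are segregated by data class, each class carries its own retention period, and a backup that straddles the cutoff is flagged rather than deleted whole, because a blanket delete would destroy records you are still obliged to keep. The five-year financial and three-year employee figures are the post's; the "marketing" class and its one-year window, the inventory and the as-of date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention window per segregated backup set, in years. Financial (5) and
# employee (3) are the figures the post quotes; "marketing" is an assumed
# placeholder class with an assumed one-year window.
RETENTION_YEARS = {"financial": 5, "employee": 3, "marketing": 1}

AS_OF = date(2020, 6, 1)   # constructed date on which the sweep is run


@dataclass(frozen=True)
class Backup:
    backup_id: str
    data_class: str        # the segregated backup set this belongs to
    oldest_record: date    # date of the oldest record the backup contains
    newest_record: date    # date of the newest record the backup contains


def retention_cutoff(data_class: str, today: date) -> date:
    """Oldest record date still inside the retention window for this class."""
    if data_class not in RETENTION_YEARS:
        # An unclassified backup cannot be given a retention period: refuse
        # rather than guess. This is why segregating backups by class matters.
        raise ValueError(f"no retention rule for data class {data_class!r}")
    # 365-day years keep the example dependency-free; a production policy
    # would state the exact boundary rule.
    return today - timedelta(days=365 * RETENTION_YEARS[data_class])


def sweep(backups: list[Backup], today: date) -> dict[str, str]:
    """Apply the sliding window; map backup_id -> 'delete' | 'keep' | 'partial'."""
    verdict = {}
    for b in backups:
        cutoff = retention_cutoff(b.data_class, today)
        if b.newest_record < cutoff:
            verdict[b.backup_id] = "delete"    # everything in it is past the window
        elif b.oldest_record >= cutoff:
            verdict[b.backup_id] = "keep"      # everything in it is still retainable
        else:
            # Straddles the cutoff: deleting the whole backup would destroy data
            # you must still keep, so it needs record-level erasure or a
            # restricted-access archive (practical step 5) instead.
            verdict[b.backup_id] = "partial"
    return verdict


# Constructed sample inventory, as a backup catalogue might describe it.
SAMPLE_BACKUPS = [
    Backup("fin-2014", "financial", date(2014, 1, 1), date(2014, 12, 31)),
    Backup("fin-2015", "financial", date(2015, 1, 1), date(2015, 12, 31)),
    Backup("fin-2018", "financial", date(2018, 1, 1), date(2018, 12, 31)),
    Backup("hr-2016", "employee", date(2016, 1, 1), date(2016, 12, 31)),
    Backup("hr-2017", "employee", date(2017, 1, 1), date(2017, 12, 31)),
    Backup("hr-2019", "employee", date(2019, 1, 1), date(2019, 12, 31)),
    Backup("mkt-2018", "marketing", date(2018, 1, 1), date(2018, 12, 31)),
]


def sample_sweep() -> dict[str, str]:
    """Run the sweep over the constructed inventory as of AS_OF."""
    return sweep(SAMPLE_BACKUPS, AS_OF)


if __name__ == "__main__":
    for backup_id, action in sample_sweep().items():
        print(f"{backup_id}: {action}")
```

The "partial" verdicts are the ones the post warns about: they are where an automated whole-backup deletion policy alone cannot satisfy the retention policy and a record-level or archive-based approach has to take over.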

Privacy is changing and laws are strengthening to put the control of individuals’ data back in their hands. GDPR has outlined these rights and the right to be forgotten is one of those principles that is very difficult to achieve practically.

There will never be a perfect solution that fits all organizations, but adhering to the GDPR and data retention policies and principles can be accomplished by being practical and pragmatic.