Yesterday, the Financial Conduct Authority (FCA) warned firms that they must be responsible when handling client data. Although many companies considering data protection keep their eyes firmly fixed on the activity of the Information Commissioner's Office (ICO), the FCA also plays an important role in data protection for the organisations it regulates.
The FCA has emphasised that the FCA Handbook also sets out requirements for handling clients' data. These obligations sit alongside the already onerous requirements of the GDPR and the Data Protection Act 2018. In particular, the FCA Handbook requires firms to consider whether any transfer of personal data is fair to, and in the interests of, their clients, in accordance with Principle 6. Further, the FCA has placed emphasis on communicating with clients fairly and clearly, in accordance with Principle 7.
For many of our clients, such as insurers regulated by the FCA, recognising early in the incident response process whether there is an obligation to notify the FCA of a personal data breach is key. It is also important to manage and co-ordinate responses to any queries from the ICO and the FCA as investigations into personal data breaches progress, so that consistent messaging is applied across the board and a sense of co-operation is conveyed.
We will act where we identify breaches of relevant parts of the FCA Handbook. Firms that intend to transfer or receive personal client data must be able to demonstrate how they have considered the fair treatment of consumers and how their actions comply with data protection and privacy laws.