"We will act where we identify breaches of relevant parts of the FCA Handbook."
Principles in the FCA Handbook require firms to organise and control their affairs responsibly and effectively, with adequate risk management systems (Principle 3). Before transferring clients’ personal data, the FCA says firms should consider whether this is fair to and in the interests of their clients (Principle 6). Firms should also pay due regard to the information needs of their clients and communicate with them clearly and fairly (Principle 7).
GDPR requires firms to provide information to clients clearly setting out ‘privacy information’, which includes the purposes for which they are collecting or processing client data, and individuals’ rights when their data is processed. Further detail on information that must be given when client data is collected, usually when taking on new clients, is available at the ICO Right to be informed page.
At the end of the Brexit transition period the GDPR provisions will form part of retained EU law, with amendments made by DP exit regulations under the European Union (Withdrawal) Act 2018. The DPA 2018 and PECR will continue to apply, alongside the GDPR and the regulator confirmed that there will be "some amendments to ensure they work in a UK-only context".
The FCA says firms should "generally ensure they maintain a record" of how and why they process, share and retain personal data.
In a statement, the FCA said: "Firms should also record the lawful basis for processing data. If they are processing data based on consent, they should maintain an effective audit trail of how and when consent was given.
"We will act where we identify breaches of relevant parts of the FCA Handbook. Firms that intend to transfer or receive personal client data must be able to demonstrate how they have considered the fair treatment of consumers and how their actions comply with data protection and privacy laws."
