Overcoming the apparent conflict between GDPR and customer vulnerability

Andrew Gething, managing director at MorganAsh, breaks down concerns around recording and storing customer vulnerability data, and explains how they can be overcome. 

Andrew Gething | MorganAsh
2nd January 2025

Many firms are struggling with storing vulnerability data due to the perceived conflict between FCA regulations and GDPR. A recent CII report highlighted this, with firms asking for more information from the FCA. We have also heard that some firms are avoiding collecting customer vulnerability data because they believe that the FCA’s fines will be less than those from the ICO. Let’s consider some of the concerns and how these can be overcome.

Firstly, this is not a new issue. The FCA recognised it and devoted a whole chapter to the topic in Occasional Paper 8, published in February 2015.

Within the utilities sector and some large financial services firms, the basis for processing data may be SPI (Specific Public Interest), but for the majority of financial services firms the category of permission will be ‘explicit consent’. Simplistically, this means that the consumer must give their consent; this can be verbally, digitally or in writing. In our view, firms should keep a record of how and when this consent was provided, so it can be evidenced later.

When recording information about a customer’s vulnerabilities, it is important that this is factual, and not a subjective opinion. Since vulnerabilities are a combination of the consumer’s characteristics and the circumstances of the interaction with the firm, we recommend that these are stored separately. Also, because vulnerability is not binary – it’s a range – we recommend having a classification system to enable the recording of degrees of severity against each characteristic. Only then can data be stored in an objective and consistent manner and, when required to provide this to the consumer under subject access requests, only strictly factual data is provided.

We know that some firms use simpler vulnerability ‘flags’ and drop-down lists to record that someone is vulnerable. These require a lot of staff training to ensure that everyone uses identical assessment and identification criteria; otherwise the results are subjective, inconsistent and even opinionated, which is open to challenge under GDPR’s accuracy and integrity requirements.

Consumer Duty requires us to monitor the consumer through the lifetime of the product and GDPR requires us to keep data accurate. How often we need to refresh the data will depend on the product and the circumstances. 

The challenge of storage limitation is more difficult for vulnerability data. Identifying the consumer’s characteristics and determining any mitigating strategies requires a great deal of information to be understood and collected. The challenge is not to share all of this data across the whole firm. The best way to address this is to have a method of communicating vulnerability at different levels of detail. This way, the appropriate treatments and processes can be undertaken while limiting the sharing of any sensitive personal information.

Some firms believe that they only need to record the mitigating strategy – often referred to as ‘the need’. However, this approach is limited because multiple mitigating strategies are used for different treatments; typically there is more than one consumer characteristic that needs to be mitigated. Equally, circumstances may change over time – so it becomes important to understand the underlying characteristics when products and circumstances change.
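The points above (characteristics recorded separately from circumstances, degrees of severity against an agreed taxonomy rather than free-text opinion, treatments held alongside the underlying characteristics, tiered disclosure so front-line staff see only what they need, and a refresh check to support the accuracy duty) can be captured in a small data model. The following is an added illustration written for this article; it is not the MorganAsh MARS system or any firm’s code, and the taxonomy values, detail-level names, customer id and consent reference are all constructed for the example.

```python
"""Illustrative model for recording customer vulnerability objectively and
disclosing it at tiered levels of detail.  Added example: not MorganAsh's
MARS system; taxonomy entries, level names and sample values are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum


class Severity(IntEnum):
    """Degree of a characteristic: vulnerability is a range, not a yes/no flag."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Constructed taxonomy.  Only these names may be recorded, so every assessor
# records the same thing and the stored data is factual rather than an opinion.
TAXONOMY = {
    "health": {"hearing impairment", "visual impairment", "cognitive impairment"},
    "life event": {"bereavement", "relationship breakdown"},
    "resilience": {"low savings buffer", "over-indebtedness"},
    "capability": {"low financial literacy", "low digital confidence"},
}


@dataclass(frozen=True)
class Consent:
    obtained_on: date
    channel: str       # "verbal", "digital" or "written"
    evidence_ref: str  # where the evidence is held, e.g. a call-recording id (constructed)


@dataclass(frozen=True)
class Characteristic:
    category: str
    name: str
    severity: Severity


@dataclass
class VulnerabilityRecord:
    customer_id: str
    consent: Consent
    characteristics: list = field(default_factory=list)  # who the consumer is
    circumstances: list = field(default_factory=list)    # what surrounds this interaction
    treatments: list = field(default_factory=list)       # mitigating strategies ("the need")
    last_reviewed: date = None


def add_characteristic(record, category, name, severity):
    """Reject anything outside the taxonomy so only objective, consistent data is stored."""
    if name not in TAXONOMY.get(category, set()):
        raise ValueError(f"{category!r}/{name!r} is not in the agreed taxonomy")
    record.characteristics.append(Characteristic(category, name, Severity(severity)))


def overall_severity(record):
    """Highest degree across all recorded characteristics, or None if there are none."""
    return max((c.severity for c in record.characteristics), default=None)


def view(record, level):
    """Tiered disclosure: each audience sees only the detail it needs.

    'treatment' : front-line staff, just the adjustments to apply
    'summary'   : team leads, adjustments plus an overall degree
    'full'      : the specialist team, characteristics, circumstances and consent
    """
    base = {"customer_id": record.customer_id, "treatments": list(record.treatments)}
    if level == "treatment":
        return base
    sev = overall_severity(record)
    base["overall_severity"] = sev.name if sev is not None else None
    if level == "summary":
        return base
    if level == "full":
        base["characteristics"] = [(c.category, c.name, c.severity.name)
                                   for c in record.characteristics]
        base["circumstances"] = list(record.circumstances)
        base["consent"] = (record.consent.channel, record.consent.obtained_on.isoformat())
        return base
    raise ValueError(f"unknown detail level {level!r}")


def refresh_due(record, today, max_age_days):
    """Accuracy duty: flag a record whose last review is older than the product's cycle."""
    if record.last_reviewed is None:
        return True
    return (today - record.last_reviewed) > timedelta(days=max_age_days)


def build_sample():
    """Constructed sample record used to exercise the functions above."""
    rec = VulnerabilityRecord(
        customer_id="C-0001",
        consent=Consent(date(2024, 3, 1), "verbal", "call-2024-03-01-0042"),
        last_reviewed=date(2024, 3, 1),
    )
    add_characteristic(rec, "health", "hearing impairment", 2)
    add_characteristic(rec, "life event", "bereavement", 3)
    rec.circumstances.append("mortgage arrears following bereavement")
    rec.treatments += ["written rather than phone contact", "payment holiday offered"]
    return rec


if __name__ == "__main__":
    sample = build_sample()
    for lvl in ("treatment", "summary", "full"):
        print(lvl, view(sample, lvl))
```

The separation matters for subject access requests as well as for internal sharing: the ‘full’ view contains only taxonomy names, severity degrees and dated facts, so what is disclosed back to the consumer is the same objective record that staff worked from.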

Security-wise, it’s clear that all data must be stored securely, especially as this is special category data under GDPR. We recommend conforming to ISO 27001 as the minimum standard. If adding this data to existing systems, firms may need to update their data protection risk assessments to check that those systems are suitably protected for special category data.

How long data should be stored will vary with the product or service. Most consumers will forget – so we recommend that data is stored in line with the product or service. If this covers years, then the data is stored for years, but it will need to be refreshed periodically – and it’s easier to reconfirm the consumer’s consent when a refresh takes place.

Some firms propose using existing data, perhaps from credit reference agencies or open banking. Here the challenge is twofold – firstly, that these sources don’t cover all health and lifestyle issues and secondly, that explicit consent is typically required, so there is a need to contact the consumer directly anyway. There is also a risk in inferring a vulnerability from such data, along with the optics of effectively judging someone’s vulnerabilities behind their back.

To hold all this data securely needs systems – spreadsheets and similar are not sufficient. Firms have the option to build these systems themselves or to adopt the new VulnerabilityTech systems which are now on the market, such as the MorganAsh Resilience System (MARS). Firms should of course consult with their own data protection officer to ensure their customer vulnerability implementation is compliant. 
