I’ve written quite a lot about the imminent GDPR and MiFID II regulations, which come into effect next year, and about how firms will require some fairly serious system refreshes if they are to comply properly. However, there is one specific element common to both pieces of regulation that could cause some serious headaches: data retention.
It is going to be absolutely crucial for firms to have clearly defined and effective data retention policies and procedures in place, as MiFID II stipulates that firms must record and retain all correspondence relating to trades, whether it is conducted by email, phone, text message, instant messenger, or even face to face. This data must be retained in a safe and secure environment where it cannot be tampered with, and it should be retrievable upon request. After 5 years, this data should be deleted.
Under GDPR, data retention is even more important, with the regulation stipulating that personal data should not be retained for longer than necessary, in relation to the purposes for which they were collected, or for which they are further processed. GDPR also states that data subjects have the right to be forgotten, in that they can request that their personal data be erased sooner than the end of the maximum data retention period.
Firms also need to assess how they are storing the data whilst it is in their possession, and MiFID II extends the existing MiFID rules that require records to be tamper-proof, unchangeable and trackable. Under MiFID II, firms must ensure they have more than one copy of a record, to protect against technical or facility failures; they must demonstrate how records have been protected and made tamper-proof; and all records must be encrypted both in transit and at rest.
So what are the best practices you should employ when looking at your firm’s data retention policies and procedures?
- Identify the minimum legal requirement for retaining data. For MiFID II it’s 5 years, but other regulations may require data to be retained for longer, and GDPR requires personal data to be held for no longer than necessary for processing. You can’t simply retain data indefinitely because working out the correct period is too complicated.
- Create a policy which outlines the protocol for retaining information for operational use. Review this policy when new systems and technologies are added to the IT estate, when the firm goes through a merger or acquisition, or in light of new regulations such as MiFID II or GDPR in Europe.
- Consider using a technology solution to manage the lifecycle of your data. Policies and parameters can be set to move information when and where it is needed.
- Ensure you have the ability to access the retained data. You could be asked to retrieve it to resolve a dispute, provide proof to a regulator, or fulfil a subject access request.
With many different drivers for data retention, and a number of regulations to meet, it is important that firms spend some time getting this right. Take advice from a data expert who understands your sector and the pressures your business is experiencing, use technology to help you meet your legal requirements, and take away some of the pain of compliance.