
SMCR, GDPR, DPA2018 & DPIAs

Life ambition achieved! A document title with FOUR acronyms which probably mean little to most people!!!

A recent post on a Privacy forum asked about the dilemma of complying with both data protection legislation (GDPR, Data Protection Act 2018) and the Senior Managers & Certification Regime (SMCR).

The company concerned needed to balance the fitness & propriety checks required under SMCR with the need to document a lawful basis for that processing under GDPR and the Data Protection Act.

They planned to carry out DBS and credit checks, employment and business references, qualification checks, FCA register checks etc., but were also looking at social media checks and wanted to make sure it was all documented appropriately.

Instinctively, they were working from the starting point that the SMCR regime makes it all ‘legal obligation’ but wanted a sense check.

How do references fit under GDPR?

In this instance, checking/referencing done in relation to something directly mentioned in the Form A would put some checks and referencing under a ‘legal obligation’ – those required to comply with the law.

So which of these checks are required?

The FCA handbook says a firm should:

  • Ask the candidate to apply for a DBS check; the firm should have sight of the certificate, but it does not need to be sent to the FCA.

  • Conduct a search of the Financial Services Register (the handbook does not say that a copy of that search needs to be retained).

  • Consider whether it should take additional steps to verify any information contained in an application ... or that it takes into account in its assessment.

Unfortunately the FCA don’t explicitly say the firm must obtain a credit check and employment/business references.

The Firm declaration requires the firm to confirm:

“on the basis of due and diligent enquiry that the candidate is a fit and proper person to perform the controlled function(s) listed in section 3. The firm also believes, on the basis of due and diligent enquiry, that the candidate is competent to fulfil the duties required in the performance of such function(s).”

i.e. the FCA requires the firm to carry out appropriate checks but does not expand on what they may be.

Further, the FCA only reserves the right to verify the information provided by the candidate and the firm in their application – credit checks etc. may be required but do not have to be made available to the FCA on application.

So what is the lawful basis under GDPR?

The FCA will say it is up to the firm to decide what is ‘due and diligent’ taking into account common practice etc.

To comply with GDPR, the ICO will say that anything the firm does needs to have a lawful basis and be necessary and proportionate.

Social media checks are very problematic under GDPR – do you just stick to publicly available profile information or risk being accused of snooping by looking at private profiles?

Who decides what sort of social media content impinges on someone’s fitness and propriety to perform a role? Are all roles the same in this respect?

Even putting aside social media checks – an existing employee can’t freely consent to checks like these but a prospective employee possibly can.

This means it is likely that more than one lawful basis of processing will need to be established and documented i.e. some checks will be under a legal obligation but others will need to have a different one (almost certainly not consent).

Most could potentially be argued to come under:

“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;”

i.e. the employment contract, or even:

“processing is necessary for the performance of a task carried out in the public interest”

Public interest is a big driver of the SMCR and it is law the firm (the controller) is subject to but Part 2 – Chapter 2 – Section 8 of the DPA 2018 seems to rule that out.

Another option is legitimate interest – the firm’s legitimate interest in meeting its regulatory obligations and avoiding sanction, protecting its reputation with the public, the legitimate interest pursued by the firm and the FCA in protecting the public from fraudulent or criminal behaviour, dishonest or exploitative business practices etc.

This may be possible after a Legitimate Interest Assessment (LIA) which shows the steps being taken are necessary and proportionate to the interests pursued and not likely to be completely unexpected on the part of the data subject.

This is a prime candidate for a documented DPIA, including consultation with staff, candidates, the FCA and the ICO.