top of page

Compliance update: A recap on policy, process and procedure

Policies are essentially principles, rules, and guidelines, which are formulated or adopted by an organisation in order to reach its long-term goals. They are a statement of intent and provide the declaration of what you will – and in some cases – won’t, do.

Meanwhile, a process is typically a visual way of depicting a top-level view of the tasks within the overall method of operations or delivery.

Finally, procedures operationalise the ‘how’ element of the policy. These are the detailed steps to follow when delivering service, responsibilities and policies in day-to-day running of the business.

Why is documentation so important?

Throughout the Financial Conduct Authority (FCA) handbook, we see wording such as ‘must establish, implement and maintain adequate policies and procedures’ and ‘must ensure that a customer is given appropriate information’.

If you don’t document your policies, processes and/or procedures, how can you evidence their very existence? Yes, you can talk about them – but no matter how eloquently you explain what you do and how you do it, without evidence, your explanation holds little sway with the FCA.

In the FCA handbook, there are numerous references to documentation. SYSC 9.1.1, for example, tells us ‘a firm must arrange for orderly records to be kept of its business and internal organisation, including all services and transactions undertaken.’ SYSC 9.1.4 confirms that records ‘should be capable of being reproduced in the English language on paper’.

My advice is to document what you do and do what you document. Personally, I’m a real fan of that mantra, because if it’s not documented it technically doesn’t exist.

It’s worth noting that being able to produce a plethora of documents and evidence doesn’t automatically make you compliant. However, an inability to evidence the paperwork makes it a difficult task to prove you are.

Evidentiary requirements are not solely reserved for the FCA either. But, following the standard requirements, will help you in all areas of the business, not just the FCA-regulated parts.

Accessing personal data without due cause

Although you may have access to data and records, you should not go snooping around personal information without good reason.

This isn’t new. It’s been enshrined in law for over 20 years, and Section 55 of DPA 1998 criminalised knowingly or recklessly obtaining, disclosing and procuring information without the consent of the data controller – as well as the sale of such content.

The provision was typically used to prosecute those who had accessed healthcare and financial records without a legitimate reason. Section 170 of DPA 2018 builds on this, and adds the offence of knowingly or recklessly retaining personal data – even if it’s lawfully obtained – without the consent of the data controller. However, there are some exceptions relating to crime prevention and detection.

Despite this, we continue to see enforcement action by the Information Commissioner's Office (ICO), as detailed in two recent prosecutions under DPA 1998 due to the date of the offences.

Case 1: A former administration assistant at a used car dealership was prosecuted for unlawfully obtaining the personal data of customers and other employees. She forwarded several work emails containing personal data of customers and colleagues to her personal email account in August 2017, weeks before resigning from her role. She was fined £200, and ordered to pay costs of £590 as well as a victim surcharge of £30.

Case 2: A former senior local government officer passed the personal information of rival job applicants to his partner, who had applied for a job at the council. Although he was not involved in the selection process due to his personal relationship, he accessed the recruitment system and emailed details of candidates to both himself and his partner.

Information included names, addresses, telephone numbers and CVs, plus referee contact details.

He resigned when the data breach was discovered and was fined £660, ordered to pay £713.75 costs and a victim surcharge of £66. Although his partner had initially been successful in her application, her employment was terminated on the basis of an invalid recruitment process.

The head of the ICO criminal investigations team said: “People expect their personal information will be treated with respect and privacy. Unfortunately, there are those who abuse their position of trust, and the ICO will take action against them for breaking data protection laws.”


bottom of page