Professional services firms, by their nature, hold quantities of sensitive personal data within their client records. Accurate record-keeping and file retention is a crucial element of good business practice and risk management. It allows firms to defend themselves against claims of professional negligence and, consequently, allows firms to present themselves as low-risk when obtaining and maintaining Professional Indemnity Insurance (PII).
The dynamic between file retention and PII is the latest source of uncertainty created by the imminent EU General Data Protection Regulation (GDPR). The regulation introduces a new right to erasure (or "right to be forgotten"), which will, in some circumstances, allow individuals to require organisations to delete personal data relating to them without undue delay.
It has been suggested that if forced to delete client data, firms seeking PII face increased premiums, or difficulties in obtaining or retaining cover altogether. With this in mind, how can professional services firms reconcile this new data subject right and their regulatory record-keeping requirements?
First and foremost, firms should be aware that the right to erasure is not absolute; the right will only apply if certain conditions are met. Above all, firms must always consider whether there are legitimate grounds for the retention of data, and be ready to demonstrate that file retention is necessary and equates to a legitimate ground which overrides the right to erasure of the data subject. Consider how you would explain your firm's rationale if challenged by the regulator, the Information Commissioner, or a judge in court. While the assessment will vary from one organisation to the next, so long as the grounds are lawful and justifiable, the right to erasure may not arise.
Furthermore, exemptions are available, for example, if processing is necessary for compliance with a legal obligation or required for the defence of legal claims.
The former exemption, though seemingly helpful, will not necessarily assist. For regulatory obligations to count as a legal requirement, there would need to be a specific obligation to maintain files, not merely an obligation to maintain PII which itself requires record retention. The Solicitors Regulation Authority, for instance, advises that client files should not be destroyed for a period of at least six years, but guidance will not be as clear-cut in all industries.
Review and update
The better prospect likely lies in the latter exemption, although GDPR does not provide guidance as to whether this extends to the defence of future claims. The limitation period for professional negligence claims is 15 years – firms cannot guarantee that a client will not claim until that date passes.
On a practical level, firms should review and update data retention policies to define the legal and regulatory reasons for retaining categories of personal data for specified periods of time, consider the conditions of their PII policies (seeking legal advice as necessary) and keep an eye out for guidance from the ICO or from the EU and its working parties.