Data Erasure Policy Template
Keeping Data Too Long Is a Compliance Breach. So Is Deleting It Too Soon.
Under UK GDPR Article 5, personal data must not be kept longer than necessary — but under SYSC 9, FCA records must be retained for defined minimum periods. Getting that balance wrong in either direction creates regulatory exposure. The ICO enforces the first. The FCA enforces the second. You need a policy that satisfies both simultaneously.
This ready-to-use Retention and Erasure Policy gives FCA-regulated firms a complete framework for managing the full data lifecycle — from classification and retention scheduling through to secure erasure, data subject rights, third-party processor obligations, and the governance structures required to demonstrate accountability under SM&CR.
Customise with your firm name. Implement across every business function immediately.
What's included: Four-category data classification framework (client, financial, communications, compliance) · Regulatory retention period mapping (SYSC 9, COBS, PRIN 2A, MLR 2017, CASS, MCOB, CONC, ICOBS) · Multi-requirement conflict resolution hierarchy · Data subject rights procedures (Articles 15–21 UK GDPR) · Consent management framework · Systematic erasure identification and review process · DoD 5220.22-M electronic erasure standards · Physical media destruction requirements · Regulatory hold and litigation preservation procedures · AES-256 encryption and access control standards · Third-party and appointed representative data obligations · SM&CR governance mapping (SMF1, SMF4, SMF16) · Three lines of defence model · KPIs and compliance monitoring framework · Data classification matrix · Retention schedule template · Sector-specific requirement mapping · Third-party processing checklist · Data breach response template · Product-level retention assessment form
Built for: Data Protection Officers, compliance officers, risk managers, operations teams, and compliance consultants across all FCA-regulated firms managing client records, personnel data, or regulatory documentation.

