We explain how and why we use personal data to carry out surveys, consultations and market research as part of our work as a regulator.
The personal data we use
When conducting our research work we try to keep our collection of personal data to a minimum. We use anonymised data as far as possible and only ask for personal data where we believe it is necessary for the purpose of the research exercise in question. An individual’s participation in surveys, consultations and market research activities is their choice, and if asked they may refuse to participate (save where participation is required by law).
The type of personal data that we typically use as part of our research is normally limited to contact details (of the person completing an FCA questionnaire or survey or responding to a consultation) and personal views and opinions of consumers and those who submit questionnaires, surveys and consultation responses to us.
Where we have your permission, we may use audio and / or video recordings for research, education and training. However, we remove any personal data associated with the recording material.
We also occasionally, where required for the purposes of a specific project, use financial information, dates of birth and location data as part of our research, which may be matched with other information we have access to. In addition, we sometimes require special category data to be provided for the purposes of a specific project. In these certain limited circumstances we may also receive the following special categories of personal data, although this is usually pseudonymised by us when used in research:
- information about a person’s sex life and sexual orientation
- information concerning a person’s health
- information concerning a person’s disability
- information concerning a person’s gender reassignment
- race or ethnicity
How we collect this personal data
We collect personal data in a variety of ways in order to conduct our research. In order to get a holistic and accurate view of the markets, understand consumer behaviour and properly identify issues, trends and risks, we collect personal data from third parties as well as from individuals directly.
Below are some examples of how and from where we collect personal data for this purpose:
- questionnaires and surveys issued to targeted individuals by us and by our third-party research providers
- social media analytics tools which gather information from more than 20,000 data sources (such as Twitter, Facebook, blogs, forums and mainstream media) to analyse real-time consumer opinions
- data collection and public consultation papers for market studies (examples of our recent market studies include the Asset Management Market Study, Investment and Corporate Banking Market Study, Cash Saving Market Study, Credit Cards Market Study, Retirement Income Market Study and Mortgages Market Study – all of which are published on our website)
- data extracted from our in-house systems which hold information collected by us from regulated firms (such as Gabriel) and individuals during our authorisation process
- due diligence checks on regulated individuals and firms and other organisations across various relevant third-party databases
- ad hoc requests for data from regulated firms and individuals and from credit reference agencies
- data gathered from publicly available websites, including through the use of automated tools (eg web scraping)
Why we use this personal data
We use this personal data to ensure that we are able to fulfil our statutory functions and, in particular, to help us:
- understand how well the markets are functioning, including monitoring of market developments posing potential risks to our objectives
- identify areas of concern, inform our strategic thinking as a regulator and help us decide if we need to make new rules, change existing rules or publish guidance
- manage and prioritise decision making within the FCA in a way which reacts appropriately to emerging risks and trends
- build strong relationships with consumer groups, the industry, media and stakeholders to reflect our accountability to Parliament, enrich our insight, enhance are credibility and maximise our usefulness to the public
- effectively analysing and monitoring progress of diversity and inclusion within regulated firms
The lawful basis for us using this personal data
We use this personal data under Article 6(1)(e) of the UK GDPR (it is necessary for the performance of a task carried out in the public interest) and Section 8(c) of the DPA 2018.
Since some of these activities are entirely optional for an individual’s participation, Article 6(1)(e) would not be the appropriate lawful basis to rely on alone for processing in certain scenarios. In these circumstances, we also obtain appropriate consent from the individuals who participate in such activities, under the UK GDPR Article 6(1)(a) and/or Article 9(2)(a).
Our research work is essential to enable us to understand the firms and markets that we regulate and to carry out effectively our statutory functions as a regulator of financial conduct and the related firms and markets. To the extent that we use any special categories of data in our research work, we do so under Article 9(2)(g) of the UK GDPR (it is necessary for reasons of substantial public interest), or Article (9)(2)(a) of the UK GPDR (explicit consent), and Section 10(3) of the DPA 2018, in that it meets a condition in Part 2 of Schedule 1 of the DPA 2018 and we have an appropriate policy document covering this processing activity.
Different rules apply to the processing of personal data for certain research and statistical work under the UK GDPR and the DPA 2018. This means that as long as we ensure that appropriate safeguards are in place, including adopting technical and organisational measures (such as, where possible, pseudonymisation techniques), we are entitled to use for research or statistical purposes information that we have already collected from you for a different purpose (such as, during the authorisations process). We would not use personal data in this way if it was likely to cause substantial damage or distress to individuals. We also do not use this research or statistical data to make decisions about or take measures against particular individuals. All our research work is done by us in the public interest.
The rules about research and statistical work in the UK GDPR and the DPA 2018 also mean that certain rights that you may have in respect of your personal data under the GDPR (such as the right to restrict or object to processing activity) may not apply to the personal data that we use about you as part of our research work. If you would like more information about this, please contact us.
When this personal data is transferred outside the UK and the EU
It is rare for us to transfer personal data collected as part of a research exercise outside the EU. However, as mentioned above, given our role as a regulator we occasionally share personal data with regulators, public authorities and law enforcement agencies outside the EU.
We regularly use third-party research agencies, data analytics tools and other third party suppliers to help us with our research work. Some of these third parties transfer data outside the EU in their provision of services to us.
Before we transfer personal data outside the EU, we have robust processes to ensure that appropriate safeguards are put in place to protect any personal data included in such as transfer. If you would like to obtain more details about the safeguards that we have in place with regard to any personal data about you that we may transfer to a particular non-EU country, please contact us.
Learn about your rights
Under the UK GDPR, individuals have a number of rights relating to their personal data. Read more about your rights and how to exercise them.