Version date: 29 March 2021 - onwards

7 Data security

7.1 In this chapter, the term ‘data’ should be interpreted very broadly to include confidential, firm-sensitive, and transactional data. It may also cover open source data (eg from social media) collected, analysed, and transferred for the purposes of providing financial services, as well as the systems used to process, transfer, or store data. The expectations in this chapter apply to material outsourcing arrangements and other third party arrangements that involve the transfer of data to third parties, in line with the EBA ICT GL. This chapter should also be interpreted consistently with requirements under data protection law.

7.2 Where a material outsourcing or third party agreement involves the transfer of or access to data, the PRA expects firms to define, document, and understand their and the service provider’s respective responsibilities in respect of that data and take appropriate measures to protect them.

7.3 Building on General Organisational Requirements 2.4 (banks) and Article 274(e) of the Solvency II Delegated Regulation, where a material outsourcing or third party agreement involves the transfer of data, the PRA expects firms to:

classify relevant data based on their confidentiality and sensitivity;

identify potential risks relating to the relevant data and their impact (legal, reputational, etc.);

agree an appropriate level of data availability, confidentiality, and integrity; and