Financial firms preparing for the European Union’s General Data Protection Regulation (GDPR) need to make sure that the data collection and storage capabilities they built out for MiFID II don’t affect their compliance with the new rules. Jon Szehofner, Partner at GD Financial Markets, a division of legal and professional services firm Gordon Dadds, discusses potential points of conflict between the two European regulations, and how a more holistic regulatory approach could mitigate these risks. This article is based on a recent podcast interview.
The EU’s recently introduced Markets in Financial Instruments Directive (MiFID II) was a reaction to the global financial crisis, focused on investor protection and providing transparency around trading activities. GDPR, on the other hand, focuses on the protection of data rights of individuals who are EU citizens, whether or not they are domiciled in Europe.
Some observers see inherent contradictions in the two pieces of legislation. Article 16 of MiFID II, for example, which looks at records retention and making sure that firms are holding data that is required by regulators in the best interest of their clients, could seem at odds with Article 17 of GDPR, where individuals have the right to erasure of their data, where it is no longer needed, no longer processed, or consent has been removed. Many people are asking how those two pieces reconcile.
In principle, the regulations are intended to support each other rather than contradict. The Financial Conduct Authority (FCA) and the Information Commissioner’s Office (ICO) released a statement in February 2018 saying that the rules of GDPR are not incompatible with the rules in the FCA handbook, and that there will be ongoing coordination across the regulators.
It all comes down to the legal basis of processing. There will be data that firms need to hold and store, such as data being reported to regulators, or being used to monitor financial crime. Or it could be data that a firm needs in order to be able to fulfil other obligations: for example, a pension participant cannot suddenly request erasure of all their data, as the firm will need access to that participant’s information in order to fulfil its obligations to them.
The intention of GDPR is to have firms identify the data that they are holding and ensure that they are only using it for the original purposes as consented by the consumer. If a retail bank customer asks to have all their data removed, the institution’s response needs to be that they will delete anything that they do not need to process, but that there may be data they need to hold onto for various legal or regulatory reasons. However, if data is retained because of a regulatory requirement, that data cannot then be used for any other purpose, such as marketing or sharing with third parties.
The key is to have detailed knowledge of the data the firm holds, and robust process and governance around understanding where that data is stored, how it is stored, and who has access to it.
Regulators may claim that the rules are not incompatible with each other, but one of the issues with the GDPR is that much of it is open to interpretation. The real test will come after implementation on May 25th, once firms need to start demonstrating compliance, and we start to see legal precedent around some of the clauses. It will indeed be useful if regulators do work together, so the industry can confront some of these issues collectively.
The Benefits of Taking a Holistic Approach to Regulatory Change
Firms can do more to prepare for the overlapping and conflicting requirements across the GDPR and other regulations. We all know that delivering regulatory change projects within organizations tends to be deadline driven, and as a consequence firms have been largely focused on delivering MiFID II, as that was the first deadline. Change teams then moved on to the GDPR and other regulations that have an impact on how data is managed, such as the Payment Services Directive 2 (PSD2).
While taking a holistic approach to implementing regulation is difficult to achieve, firms would benefit from looking at the requirements more holistically, to understand where they overlap and conflict. It is very possible that as firms begin implementing the GDPR, they will discover that there is work that’s been done to deliver MiFID II that potentially needs to be re-worked or undone because of some of the nuances and requirements in the GDPR. For example, they may have made system changes to comply with the reporting requirements of MiFID II without thinking about some of the data aspects (retention and right to erasure) within the GDPR.
Some firms still haven’t fully understood how the GDPR will impact their business, and are only now starting to understand the scope of the requirements. Once they have done that, there will be a substantial book of work to actually deliver those requirements. Other firms have been looking at GDPR for up to 24 months and have a mature program in place to deliver to the timelines. But even there, most firms will be working past the compliance date to deliver some of the requirements.
GDPR Implementation Will Be an Ongoing Process
The GDPR implementation does not start and end on May 25th. Firms have focused on delivering the highest priority items first, but there will still be much work to do on an ongoing basis after the initial deadline. They will have used a risk-based assessment to decide which areas to prioritise, and they will need to demonstrate proper governance and documentation around that decision-making process. In cases where firms have opted for tactical system enhancements in order to get to the compliance date, there could be an opportunity to revisit this further down the line, but alongside the requirements of other regulations.
Too often firms look at regulation from a pure compliance perspective and do not necessarily focus on the advantages it could bring to the business. For example, financial services firms are renowned for having a multitude of different systems, with customer data dispersed throughout an organisation. The GDPR has been an opportunity to revisit this infrastructure and potentially help move the firm a step closer to achieving a single customer view.
Building a single customer view would be one way to ensure compliance while also making the operational infrastructure more efficient. Investing in an infrastructure technology platform that allows the firm to bring all of that customer data into one place and, as a result, have confidence in the accuracy and completeness of the data it holds for its clients would be really beneficial, adding value to the business as well as better enabling firms to comply with future regulatory changes.
Penalties for non-compliance
One of the first things people want to know when discussing GDPR is what penalties they might face for non-compliance. In the worst-case scenario, they could face fines of 4% of global turnover for a significant breach or negligence. But the ICO is not looking to put firms out of business. It remains to be seen what the regulator’s approach will be, but if firms have taken a deliberate approach to complying with the GDPR and have the right sort of data governance, process and technology in place, fines of that scale should be rare.
What the GDPR will do is help the relevant people within a firm get the budget and investment for improving controls and resilience around technology and how data is stored, because there is a fear that if there is a breach or an attack where data is stolen, leaked or lost, then the firm could be subject to fines of up to 4%. That has been quite a positive effect in helping firms improve their infrastructure.