On February 8th, the Financial Conduct Authority (FCA) and the Information Commissioner’s Office (ICO) issued an update on the EU General Data Protection Regulation (GDPR).
What does the update say?
The update clarifies some questions regulated firms have raised with the FCA. It says that: ‘Firms have asked us about their ability to comply with both the GDPR and rules made by the FCA. We believe the GDPR does not impose requirements which are incompatible with the rules in the FCA Handbook.’
In the update they identify some of the requirements you’ll already be meeting, which give you a head start on compliance, and some of the new demands you’ll need to comply with.
The plus points:
- You already operate with some degree of rigour. Complying with FCA requirements gives you an understanding of working in a heavily regulated environment, for example around accurate record-keeping, which is a big focus of the new regulation.
- Your culture (hopefully) already supports a compliant approach. The GDPR, as the update points out, ‘is now a board level responsibility’.
  Firms are more likely to be compliant with existing FCA regulation if they have a culture where good behaviours are embedded.
- Some FCA requirements already support the principles of the new regulation. The update says that ‘there are a number of requirements that are common to the GDPR and the financial regulatory regime detailed in the Handbook’.
  Requirements around suitability, producing financial promotions that are fair, clear and not misleading, and desired consumer outcomes all align neatly with the GDPR’s aim of improving the customer experience.
- The GDPR has very specific requirements of its own that aren’t covered in existing regulation: rules on consent, on opt-in and on data breaches.
  Even if you meet your regulator’s current requirements, it’s likely you’ll have to up your data game in time for 25th May.
How will the FCA and ICO work together on the new data rules?
The update says that ‘While the ICO will regulate the GDPR, complying with the GDPR requirements is also something the FCA will consider under their rules’.
The financial regulator and the ICO say they will continue to collaborate in the coming months to address concerns raised by firms. They will revisit their existing Memorandum of Understanding to make sure it’s still fit for purpose in the new world.
What should firms be doing now?
One of the initial challenges with the GDPR was the lack of clarity around exactly what firms needed to do.
Last summer, the Information Commissioner’s Office published a series of blogs designed to increase this clarity and put a stop to some of the regulation’s ‘myths’.
The ICO’s microsite is another good source of information. It’s where any new updates are posted, and it has useful downloadable tools. The ‘What’s new’ page is a particularly useful summary of developments by date.
Whether you’re tackling the GDPR or making sure you’re up to speed with other compliance rules, contact us to find out how we could help.
How can we help?