Nothing has concentrated minds on the need to look after personal data diligently more than what some, such as David Lawton, formerly a UK Treasury official and FCA director, see as the “draconian” fines for breaches set out in the new General Data Protection Regulation (GDPR). This EU initiative, to be implemented on 25 May 2018, allows penalties of up to €20m or 4% of annual worldwide turnover to be imposed on an organisation failing to meet stringent new standards on handling individuals’ data.
Meanwhile, financial services firms have been simultaneously struggling to make sure that they are also compliant with the sector-specific Markets in Financial Instruments Directive II (MiFID II) regulations, which came into force on 3 January 2018.
Both originate from the EU, yet the two regulations have very different objectives. Among its requirements, MiFID II ensures financial services institutions can provide regulators with proper information about their dealings with clients. So, for example, a firm should be able to show a trail detailing all interactions with clients that result in an order and must make clear to regulators who is the underlying client in a transaction. Transaction data must be kept for at least five years. By contrast, GDPR ensures that an individual’s personal data is accurate, held securely and that it is strictly necessary that the data be held. It gives an individual the right to know what information is held on them and a ‘right to erasure’, in other words, to insist that old or irrelevant data is deleted.
On the face of it, MiFID II and GDPR seem to demand conflicting responses from organisations. MiFID II would broadly seem to encourage financial services companies to hang on to data in case it is later deemed relevant, for example during a lawsuit. GDPR, by contrast, would argue for culling old data ruthlessly in case retaining it leads to a breach.
Richard Jefferies, a client manager at corporate IT consultancy firm Northdoor, which helps businesses handle large volumes of data, warns that little work has been done to reconcile the two EU initiatives. Rather, project implementation teams in banks and elsewhere have taken a siloed approach: those tasked with ensuring organisations were MiFID II compliant by January 2018 have had little inclination to think of GDPR compliance in May.
The FCA has sought to reassure the sector. In February it declared in a joint statement with the Information Commissioner’s Office (ICO) that GDPR “does not impose requirements which are incompatible with the rules in the FCA Handbook”. Resorting to a double negative to explain its position has not gone unnoticed by the sector, as David, now managing director at professional services firm Alvarez & Marsal, says. At the same time, the FCA conceded: “We recognise that there are still ongoing discussions to ensure specific details of the GDPR can be implemented consistently within the wider regulatory landscape.” Significantly, the FCA does not own GDPR, an EU regulation for which it is not the relevant regulatory overseer, and so it could not grant firms even temporary dispensation from it should it want to, David explains.
Yet, David thinks the conflict is more apparent than real. He comments: “It’s not the case that the one, MiFID II, encourages transparency, while the other, GDPR, promotes privacy. GDPR lets you collect data if you have a legitimate purpose to do so – for example, to comply with MiFID II.”
So a firm that has designed an IT system simply for MiFID II compliance may well have to “unpick and rework it for GDPR”, David acknowledges, but there is no fundamental clash between the two regulations.
A solution to the problem
Both MiFID II and GDPR cover not only structured data such as spreadsheets, but so-called unstructured data such as emails, phone calls, and even scribbled notes or social media banter. In this complex world, where companies may hold data on a range of digital platforms from Skype to instant messaging apps plus, conceivably, some in hard copy, it may be hard to know precisely what information they hold or how to retrieve it. Here technology can help to identify and sort the data and help firms stay compliant.
With the advent of artificial intelligence and machine learning, technology can undertake the task of data mapping. An example of this is sorting through unstructured data such as a thicket of tens of thousands of emails sent to or from clients over months or years, information that could surface unexpectedly in a legal discovery process.
IT solutions can be put to work in the midst of an organisation’s so-called ‘data estate’ to explain what information a firm has, map and classify it, and show how it may be retrieved – or deleted. It is even possible to give an assessment of how far the organisation’s data governance is from full legal compliance. Worryingly, when Northdoor did this with a variety of firms recently, the average business scored a meagre two out of five stars, Richard says.
But he warns that IT has its limitations. “Some IT companies are pushing technology as the solution to the entire problem, as if putting a layer of technology on top of your company databases could sort out all the issues. But it has to be the other way around. You need to find the gaps in your systems and then use IT to fill them.”
Some practical principles can make life easier. Those whose data you hold must grant their consent – except when a company can demonstrate a business requirement to hold the information. Typically, a firm must hold data on clients – their date of birth, address and other personal details – so it does not need to request consent for that.
GDPR’s aim is not to discourage a company outright from holding data; rather, the onus is on an organisation to demonstrate that it is reasonable for it to hold specific data, that it knows where the information is stored, that the data is accurate and securely held, and that it can be retrieved promptly. Even so, grey areas will inevitably emerge. Holding data on how prospective customers were first approached and what led up to them becoming full clients is mandatory. But what about the data held on potential clients, or people who have not become clients so far but might do at some indeterminate time in the future?
It appears that neither the FCA (in respect of MiFID II) nor the ICO (in respect of GDPR) will expect perfection from companies as soon as the new regulations come into force; both have signalled that they will take a pragmatic approach to enforcement so long as firms show they are on a journey of improvement, says David. But, he warns, that does not mean that firms can stay relaxed. “The tensions will become most manifest when there is an actual data breach, say, with a cyber attack.” If a company is proved to have been non-compliant with GDPR after a highly publicised security breach, then the regulators may find themselves forced to take action.
No one should imagine that implementing MiFID II and GDPR is going to be straightforward, but an outright clash between them looks unlikely. Article 5 of GDPR says that you are permitted to hold the data necessary for the purposes for which it is processed. This includes holding data necessary to fulfil your other regulatory duties, such as complying with MiFID II.