New GDPR update from FCA and ICO

Last week (8 February), the Financial Conduct Authority and Information Commissioner’s Office issued an update on the EU General Data Protection Regulation (GDPR). Here we summarise the update and the lessons that Compliance teams can take from it.

Latest GDPR update clarifies the new requirements

The new announcement was designed to clear up some uncertainties around the new regulation, and to answer some questions that firms have raised with the regulator.

It says that:

‘Firms have asked us about their ability to comply with both the GDPR and rules made by the FCA. We believe the GDPR does not impose requirements which are incompatible with the rules in the FCA Handbook.’

The similarities between some of the requirements of the data protection regulation, and existing Authority rules, are something we have looked at before in GDPR for regulated firms – what do you need to know?

As an FCA-regulated firm, some of the rules you already need to follow will give you a head-start when it comes to compliance with the GDPR. But there are also some additional demands which you’ll need to understand and comply with.

You may have an advantage over unregulated firms because:

  • You already need to apply a certain amount of rigour in your processes. For instance, you have to comply with FCA requirements around record-keeping. Accurate records will be central to your ability to comply with the new regulation.
  • There is some overlap between the FCA requirements you already have to meet and the new regulation. The update says that ‘there are a number of requirements that are common to the GDPR and the financial regulatory regime detailed in the Handbook’.

For instance, you already need to follow guidance on suitability. Your financial promotions should be fair, clear and not misleading, and should support the FCA’s desired consumer outcomes. These rules all align with the GDPR’s aim of improving the customer experience.

But you can’t assume that because you are FCA-regulated, you meet all the new requirements. Some of them are very specific and aren’t part of existing regulation: for instance, the rules about consent and opt-in, or the actions you’re required to take around any data breaches.

Even if you are compliant with current regulatory requirements, there are enhancements you will need to make before 25 May.

How do the FCA and ICO plan to work together on the new data rules?

The update says that ‘While the ICO will regulate the GDPR, complying with the requirements is also something the FCA will consider under their rules’.

The financial regulator and ICO plan to revisit their existing Memorandum of Understanding to make sure it’s still fit for purpose in the new world. And the two bodies will continue to collaborate in the coming months to address concerns raised by firms.

The lack of clarity around the new regulation, particularly in the early days, led to some uncertainty around what was needed. This prompted the Information Commissioner’s Office to publish a series of blogs addressing the regulation’s ‘myths’.

You can read a summary of the ICO’s myth-busting blogs in GDPR – sorting the myths from the reality and How to separate GDPR compliance myths from reality.

What should firms be doing now?

Firstly, make sure you fully understand the detail of the new requirements. Get up to speed by reading GDPR compliance – do you know everything you need to? and find out how to avoid potential GDPR pitfalls in your financial promotions.

You can also visit the ICO’s microsite, which provides another good source of information, with downloadable tools. The What’s new page gives a summary of developments by date.

The GDPR is just one of a raft of new regulations you need to contend with in 2018. Alongside MiFID II, the IDD and the PRIIPs regulations, the Compliance team workload is heavier than ever.

You can update yourself on some key financial promotions compliance rules by downloading a copy of our Compliance Guide to Financial Promotions. The Guide is free, and you can read it here.

Nothing in this document should be treated as an authoritative statement of the law. Action should not be taken as a result of this document alone. We make no warranty and accept no responsibility for consequences arising from relying on this document.