UK regulators pushing hard on GDPR compliance
The UK’s Financial Conduct Authority (FCA) and the Information Commissioner’s Office (ICO) are looking to get firms ready for the EU General Data Protection Regulation (GDPR).
The duo has published an update on GDPR ahead of its coming into effect on 25 May 2018. The FCA sees it as a step forward in enhancing the privacy and security of personal data, and it will be regulated and enforced in the UK by the ICO.
Complying with some of the FCA’s rules requires financial services firms to process personal data. Firms have asked the FCA about their ability to comply with both the GDPR and rules made by the FCA.
In response, the FCA says GDPR “does not impose requirements which are incompatible with the rules in the FCA handbook” and “there are a number of requirements that are common to the GDPR and the financial regulatory regime detailed in the handbook”.
The FCA adds that compliance with GDPR is “now a board level responsibility”. Start earning your salaries, folks! You get paid enough.
However, it recognises that there are still ongoing discussions to ensure specific details of the GDPR can be implemented consistently within the wider regulatory landscape.
The FCA and ICO say they are working closely together in preparation for the GDPR, and recently jointly hosted a GDPR roundtable with firms and industry bodies to listen to industry concerns. One example of this cooperation is in the area of innovation, where the ICO is providing tailored input to the FCA’s Innovation Hub.
Since 2014, the FCA and ICO have had a memorandum of understanding (MoU) in place, laying out their relationship and activities. Over the coming months, they will review the MoU to ensure it is still fit to address future collaboration.
While the ICO will regulate the GDPR, complying with the GDPR requirements is also something the FCA will consider under its own rules, for example the requirements in the Senior Management Arrangements, Systems and Controls (SYSC) module. As part of their obligations under SYSC, firms should establish, maintain and improve appropriate technology and cyber resilience systems and controls.
The hand-holding isn’t over yet, as the FCA and ICO say they are prepared to address concerns firms raise and to support firms’ preparations for the introduction of GDPR.