GDPR countdown: How do financial services strike the balance?

As part of HM Network’s regular series of GDPR countdown blogs, Director Martin McAleer explores the effect of the regulation updates on financial services companies.

Financial Service companies will be experiencing a double bout of regulation updates with Markets in Financial Instruments Directive II (MiFID II) coming into force in January 2018 and GDPR in May 2018. This makes a heady cocktail for any company to get right. While GDPR covers privacy, data retention and data security with a broad brush, it will be coupled with the MiFID’s requirements that all communications that could lead to a transaction should be recorded and stored in a secure way.

This includes conversations over a personal mobile phone and face-to-face meetings. MiFID II requires all conversations that could lead to a transaction to be recorded. So, while MiFID II will provide duty of care to record all conversations and correspondence in the interests of client advice and transparency, it will need to be balanced against GDPR’s focus on preventing potential intrusions into a client’s privacy. This brings in a potential conflict. MiFID II will require financial services companies to gather and retain more data about customer transactions than ever before, at the same time they need to take extra precautions around protecting their customers’ data. Most companies when GDPR comes into force will probably limit the amount of data they collect, rather than gather more. Unfortunately, financial services need to comply with both sets of regulations and it is their responsibility to know where the lines are drawn.

The line between GDPR and MiFID II is a still a little murky, For instance MiFID states that any recording should be stored for five years, GDPR is more ambiguous and simply states that personal data shouldn’t be kept for any longer than needed. The question could be, “Is five years too long for a simple telephone conversation that didn’t lead to a transaction, but it might have done?” When in doubt it is usually best to air on the side of caution and seek expert, professional advice to secure the business’s future. It is also good advice to make sure all relevant staff are fully aware of the responsibilities and obligations, backed up with regular training.

After all the most common reason for non compliance is human error. Putting in place systems that allow you to automate the collection, retention, minimisation and storage of data as much as possible is favoured, in our opinion. Separating work and personal equipment, phones, laptops/tablets for example, makes it easier to manage and comply with the regulations and automate as much as possible, while keeping any data that needs to be retained, as secure as possible.

There has been a lot of talk about the size of the new potential fines, especially under GDPR. However, the bigger issue for small and medium sized companies will be the damage to reputation and industry respect that will come with not being compliant.

For instance the big corporations that we all deal with, will almost certainly view smaller firms as a higher risk if they’re unable to demonstrate control over data processing and compliance with both MiFID II and GDPR. This means that smaller companies could find themselves out in the cold due to inaction. So, make a start now if you haven’t already, and if you need help and assistance please ask. Here are some resources to give you a start on GDPR and we also run free GDPRExpress sessions once a month around the North West. So there really is no excuse for inaction. GDPRexpress ICO Checklist The Practical Implications of MiFID II 

For news of our free upcoming GDPR awareness sessions and our “Social” events please see our eventbrite page http://www.hm-network.com/events/ If would like a further information on any of the areas discussed in this blog post or you want us to put you in touch with specialists who can provide training you can email us or call on 03333 444 190.