CCR2 GDPR

Continued co-operation

There are no contradictions between rules set in place by the FCA and the requirements of GDPR

Edited from a joint update published by the Financial Conduct Authority and the Information Commissioner's Office

The Financial Conduct Authority (FCA) and the Information Commissioner's Office (ICO) last month published an update on the EU General Data Protection Regulation (GDPR). The GDPR will apply in the UK from 25 May 2018. It is an essential step forward in enhancing the privacy and security of personal data. The GDPR will be regulated and enforced, in the UK, by the ICO.

No incompatibility

Financial-services firms will need to consider how the GDPR will apply to them, and ensure that they are ready to comply with the regulations from May 2018. Complying with some of the FCA's rules requires financial-services firms to process personal data. Firms have asked us about their ability to comply with both the GDPR and rules made by the FCA. We believe the GDPR does not impose requirements which are incompatible with the rules in the FCA Handbook. Indeed, there are some requirements that are common to the GDPR and the financial regulatory regime detailed in the Handbook.

Board-level responsibility

Compliance with GDPR is now a board-level responsibility, and firms must be able to produce evidence to demonstrate the steps that they have taken to comply. The requirement to treat customers fairly is also central to both data-protection law and the current financial-services regulatory framework. When the FCA makes rules, we take into account how our requirements will affect the privacy interests of individuals such as firms' customers and employees, and are open and transparent on why we have made rules in the way that we have.

However, we recognise that there are still ongoing discussions to ensure specific details of GDPR can be implemented consistently within the wider regulatory landscape. The FCA and ICO are working closely together in preparation for the GDPR, and recently jointly hosted a GDPR Roundtable with firms and industry bodies to listen to industry concerns. One example of how we are working together is innovation, where the ICO is providing tailored input to the FCA's Innovation Hub.

Memorandum of understanding

Since 2014, the FCA and ICO have had a memorandum of understanding in place, laying out our relationship and demonstrating our commitment to co-operation and co-ordination in our activities. Over the coming months, we will review this, to ensure it is still fit to address future collaboration. While the ICO will regulate the GDPR, complying with the GDPR requirements is something the FCA will consider under their rules, for example, the requirements in the Senior Management Arrangements, Systems and Controls (SYSC) module. As part of their obligations under SYSC, firms should establish, maintain, and improve proper technology and cyber-resilience systems and controls. The FCA and ICO will continue to collaborate in the coming months to address concerns firms raise and support firms' preparations for the introduction of the GDPR in May 2018.

March 2018 www.CCRMagazine.com 31