On February 8, the UK Financial Conduct Authority (FCA) and the UK Information Commissioner’s Office (ICO) published a joint statement on the EU General Data Protection Regulation (GDPR).
GDPR will go into effect in the UK on May 25. The GDPR is designed to strengthen the rules governing data protection across the European Union and will be regulated and enforced in the UK by the ICO, as part of its continuing responsibility for data protection regulation.
The FCA believes that the GDPR does not impose any requirements that are incompatible with the rules already detailed in the FCA Handbook.
The FCA goes on to state that compliance with GDPR is now a board-level responsibility, and firms must be able to produce evidence to demonstrate the steps that they have taken to comply. The requirement to treat customers fairly is also central to both data protection law and the current financial services regulatory framework.
While it is the ICO that will regulate the GDPR, the FCA notes that it will also consider compliance with GDPR requirements under its Senior Management Arrangements, Systems and Controls (SYSC) rules. As part of their obligations under SYSC, firms should establish, maintain and improve appropriate technology and cyber resilience systems and controls.
The FCA acknowledges in the statement, however, that discussions are still ongoing to ensure specific details of the GDPR can be implemented consistently within the wider regulatory landscape. Discussions are also ongoing relating to the UK’s Data Protection Bill, which is progressing through Parliament. Although the GDPR applies directly in EU Member States, it also gives Member States limited opportunities to make provisions for how it applies in their country, and the Data Protection Bill is therefore required in the UK. As an aside, this scope for Member States to make additional provisions means that data protection rules across the European Union could vary slightly.
The statement indicates that the FCA and ICO are working closely together in preparation for the GDPR and, since 2014, the FCA and ICO have had a Memorandum of Understanding in place, laying out the formal relationship for the cooperation and coordination of their activities.
The statement is available here.