GDPR not at odds with FCA Handbook, say UK authorities

Out-Law News | 12 Feb 2018 | 3:27 pm | 1 min. read

New data protection laws are not at odds with regulatory requirements imposed on companies in the financial services sector, two UK authorities have said.

The Financial Conduct Authority (FCA) and Information Commissioner's Office (ICO) said some businesses had queried the point.

The UK's financial services companies are subject to sector-specific regulations for handling of customer data which are set out in the FCA's Handbook. The FCA is responsible for monitoring compliance and taking enforcement action where it identifies a breach of its rules.

The General Data Protection Regulation (GDPR) will apply to all organisations that process personal data, including the financial services industry, from 25 May. The ICO, the UK's data protection watchdog, will have powers under the GDPR to impose fines on non-compliant business – potentially up to 4% of their annual global turnover, or £17 million, whichever is highest.

"Firms have asked us about their ability to comply with both the GDPR and rules made by the FCA," the authorities said in a joint statement. "We believe the GDPR does not impose requirements which are incompatible with the rules in the FCA Handbook. Indeed, there are a number of requirements that are common to the GDPR and the financial regulatory regime detailed in the Handbook."

"Compliance with GDPR is now a board level responsibility, and firms must be able to produce evidence to demonstrate the steps that they have taken to comply. The requirement to treat customers fairly is also central to both data protection law and the current financial services regulatory framework. When the FCA makes rules, we take into account how our requirements will affect the privacy interests of individuals such as firms’ customers and employees, and are open and transparent on why we have made rules in the way that we have," it said.

"While the ICO will regulate the GDPR, complying with the GDPR requirements is also something the FCA will consider under their rules, for example, the requirements in the Senior Management Arrangements, Systems and Controls (SYSC) module. As part of their obligations under SYSC, firms should establish, maintain and improve appropriate technology and cyber resilience systems and controls," it said.

The FCA and ICO said they intend to revisit a 2014 agreement they both signed, which sets out a framework for cooperation between the authorities, to "ensure it is still fit to address future collaboration".