GDPR compliance now more important than ever for financial services firms

The Financial Conduct Authority (the FCA), the UK’s regulator of financial firms, and the Information Commissioner’s Office (the ICO), the UK’s data protection watchdog, have signed an updated Memorandum of Understanding (MoU).

The FCA and the ICO first entered into an MoU in 2014, but this new, updated MoU, entered into in February 2019, reflects the legal and regulatory changes brought in by the GDPR and the Data Protection Act 2018 last year. It also outlines the intended future direction of the watchdogs’ relationship in areas of shared interest.

What is an MoU?

An MoU is an agreement between at least two parties that demonstrates a shared strategy or consensus on specific issues. Crucially, MoUs are not legally binding documents – they simply reflect the shared intentions of the parties. Therefore, the ICO and the FCA are not legally obliged to comply with the MoU.

Content of the MoU

The MoU provides for cooperation and sharing of information between the ICO and the FCA and will facilitate further collaboration and closer working between the regulators.

The main mutual obligations in relation to information sharing are as follows:

  • informing each other of possible breaches of legislation regulated by the other body discovered whilst performing their duties and offering further information where necessary;
  • entering into regular communication on areas of mutual concern and/or interest; and
  • where one regulator receives a request for information by a member of the public under freedom of information and data protection laws, asking the other regulator for their views where the requested information includes information provided by the other regulator.

The MoU also obliges the regulators to create rules or policies which implement the aims of the MoU and to collaborate in relation to policies which have a significant impact on the other’s objectives. Further, the MoU has provisions in relation to investigations and enforcement, and the procedure to be followed in cases where both regulators have an interest.

Why is this important to financial services firms?

Financial services firms should be aware of the increased cooperation between their regulatory authority and the ICO. The information sharing provisions mean that any breaches of legislation discovered by one regulator will be disclosed to the other, and that there will be an open dialogue between the regulators within areas of mutual governance. The understanding reached by the FCA and the ICO in terms of how investigatory and enforcement powers are to be used will be of particular relevance to firms in the event of non-compliance.

This is not the first time that the ICO and FCA have collaborated on the GDPR. In February 2018, the regulators issued a joint update on the GDPR.

It is clear that the ICO now has more influence over the actions of the FCA and, therefore, data protection issues should be more important than ever for your organisation. The FCA has repeatedly emphasised the importance of data protection compliance to financial services firms.

If your organisation is within the financial services sector and has not yet taken action to ensure that it is compliant with the GDPR and the Data Protection Act 2018, you must take action now, especially in light of the penalties which may be imposed: 20 million euros or 4% of annual turnover, whichever is higher.

At MacRoberts, our experienced team can assist with ensuring your organisation is compliant with the GDPR and Data Protection Act 2018.

This article was co-written by Charlotte Fleming.
