[ NEWS REVIEW ]
firms need to respond quickly and robustly in order to demonstrate to regulators that their processes are solid,” commented Phillis.

Firms are reinforcing their data security in anticipation of GDPR, although cyber-protection has been a long-standing area of concern for organisations across the capital markets, many of whom have ratcheted up their IT infrastructure, implemented cybersecurity processes and policies such as mandatory encryption of sensitive client information, and brought in consultants to train staff on how to avoid being hacked or phished.

Larger organisations are in the midst of recruiting chief data protection officers, a newly-created position under GDPR for firms with more than 250 staff. “Major banks have employed chief information security officers and data protection officers for a long time now, so this requirement is fairly straightforward,” said Phillis.

Getting GDPR wrong is an expensive mistake to make with fines of up to €20 million or 4% of annual turnover. The UK Financial Conduct Authority (FCA) reminded financial institutions in early February of their GDPR obligations, adding there were no conflicts of interests between the latest rules and FCA provisions around data processing, an issue which several organisations had previously flagged.

Others feel there are arbitrages elsewhere with GDPR. “There are some potential conflicts between GDPR and other regulations. MiFID II, for example, requires financial institutions to record telephone calls and hold that data for a prescribed period of time, so marrying that requirement with GDPR could be tricky albeit not insurmountable. A key concern would be an inability to provide for leeway outside the strict requirements of the other legislation creating obligations potentially conflicting with GDPR,” said Browne.

A handful of experts have contemplated whether Brexit could delay or disrupt GDPR’s implementation in the UK. The answer is clearly not, as the UK will still be a member of the EU at the point of GDPR’s go-live date, a point made by Phillis. “There is unlikely to be significant divergence in terms of the UK’s application of GDPR and the EU rules for the next 12 to 18 months,” she said.
Issue 55 // TheTradeNews.com // 15