With the GDPR, many firms are asking themselves what it may mean in terms of firms' ever-present reporting obligations.
Competing regulatory obligations:
Financial services firms must retain data for long periods for compliance with Mifid and to protect themselves from claims. For instance you must store and record communications that might result a transaction for five years, even where nothing has actually happened. But equally under GDPR you must ensure data is kept no longer than is necessary. How do you balance this off?
At first glance, common sense is king. But you need to record decisions made on data handling at all stages. But if it goes wrong, when do you tell the FCA about a breach?
First of all, all retail advisers understand their obligations to comply with Principle 11 by disclosing to the FCA appropriately anything relating to the firm of which the FCA would reasonably expect notice.
Secondly, under the GDPR, firms are obliged to report personal data breaches to the ICO. But you do not need to report where the data breach will not put individual “rights and freedoms†at risk. So in these cases just stick a note in your latest board pack or on the GDPR microsite on BAT. In all other cases the report must be made without undue delay and within 72 hours of the breach.
Thirdly, If the breach is "high risk" (of adverse effects to individuals' “rights and freedomsâ€), the firm must also tell the affected individuals as soon as possible. Not all personal data breaches need to be reported directly to individuals.
So in general terms, you don’t have an obligation to notify the FCA of all personal data breaches.
However, you would have to report where it is serious – back to that common sense thing, so elusive in regulatory financial services! And here are the definitions of serious….
As a final thought, you can expect the ICO to share information with the FCA….so you will need to take advice at that time.
charlie.palmer@ifac.eu