
Expert interview: the FCA and the GDPR

Chris Hamblin, Editor, London, 27 February 2018


The Financial Conduct Authority and the Information Commissioner's Office of the UK recently issued a joint press release about the likely effects of the European Union's General Data Protection Regulation on the world of financial services. In this article, which takes the form of a question-and-answer session, we ask Linda Gibson, a compliance expert at Pershing, about the ramifications.

Q: What do you do at Pershing?

A: I head up Regulatory Change and Compliance Risk. We scan the horizon for everything in compliance that's coming through and then assess for impact and, importantly, the interplay between the regulations. I spent the last two years on MiFID II (the European Union's second Markets in Financial Instruments Directive) and am now joining our programme which is focused on the GDPR.

Q: The Information Commissioner recently published a series of 'mythbusting' articles on her website. What do you think of her comments?

A: It’s good news. The GDPR affects all firms, not just financial ones. It's the first major piece of legislation that my firm has had to deal with in recent years that is not specific to financial firms. The ICO, which is the UK's data protection regulator, has said that it wants to work with the financial services industry; its tone is educational and it is looking for firms to take a long-term approach to committing to data protection. It held a round table with the FCA and various trade associations, including PIMFA, resulting in a joint FCA and ICO release outlining how they will work together, which is helpful for all regulated firms.

Q: Both regulators express their belief that the GDPR is not incompatible with the rules in the FCA's handbook. Do you share their belief?

A: We haven’t found anything incompatible. It’s all about approach. We tried to look for clashes between the GDPR and MiFID II (using a high-level approach) and found nothing. There is some crossover, of course: transaction reporting does now contain personal data, and MiFID II says that you have to hold data for five years plus. Indeed, there are a number of requirements that are common to the GDPR and the financial regulatory regime detailed in the handbook. An important one relates to transparency, which is a key concept of MiFID, notably transparency for investors about how this data is being held. This is compatible with the FCA's aims (although not necessarily detailed in rules). Another key area could be to do with having the right controls in place, notably how firms must process data and embed data protection in systems and controls. MiFID is all about systems and controls, of course. Anything that the FCA has to do with data protection should all be in its systems-and-controls sourcebook, or SYSC. And it’s worth noting that data protection regulation is not new; it’s being overhauled. Currently, if a firm experiences a breach that impacts both SYSC and data protection, it will need to notify both the ICO and the FCA. I think the ICO and FCA will look to see if there is a better way to manage this process, but we don’t expect the GDPR to lead to changes in the FCA’s rules.

Q: Is every financial firm obliged to appoint a data protection officer?

A: No, this is not a GDPR requirement. Reading between the lines, though, if a firm chooses not to appoint a data protection officer, I think it will need to demonstrate the decision making (to the ICO, primarily, rather than the FCA) and how it would deal with complaints and the other things that a DPO does. The moment of demonstration will occur when problems come and the ICO starts asking questions. Once the ICO finds that the company has done something wilful or negligent, the FCA might then come in secondarily and review whether there has been a breach of SYSC; the FCA is unlikely to come in before the ICO.

Q: The press release says that compliance with the GDPR is now a board-level responsibility. Is this according to the FCA or the ICO?

A: It's according to common sense. It also says that firms must be able to produce evidence to the ICO to demonstrate the steps that they have taken to comply. It’s not an ongoing reporting requirement, it’s just that you have to have that structure in place. Firms need to invest in GDPR compliance in the long term and that requires good governance and oversight.

Q: How are the FCA and ICO co-operating now?

A: The ICO is supporting input to the FCA sandbox [i.e. the 'light touch' regulatory zone in which fintech start-ups are allowed to begin operations]. Since 2014, they have also had a Memorandum of Understanding in place, which is very broad and contains a general commitment to co-operation.

* Linda Gibson can be reached at Pershing, a BNY Mellon firm, in London on +44 (0)20 7163 8000