In the United Kingdom, the Financial Conduct Authority (FCA) and the Information Commissioner's Office (ICO) have issued a joint statement regarding the implementation of the General Data Protection Regulation (GDPR) on May 25 2018.
The statement covered the fact that the implementation and enforcement of GDPR will be undertaken by the ICO, in the UK. The ICO will be responsible for establishing if businesses and organisations are compliant. It will also be responsible for imposing sanctions, if a lack of compliance is established. This includes deciding on the level of fines to impose. Each Data Protection Authority has the ability to do this, although they are expected to consult with each other and consider guidance provided by the Article 29 Working Party.
The joint statement also highlighted the fact that financial services organisations will need to understand how GDPR applies to them, and what they need to do to ensure compliance. This is where the FCA becomes involved.
Complying with GDPR and FCA Rules
In the statement, the FCA addressed the questions it had received about maintaining compliance with its own guidelines and with GDPR at the same time. The FCA stated its belief that the stipulations of GDPR do not prevent compliance with FCA guidelines; in fact, much of the content is common to the two sets of rules. This should mean that financial services firms should not have to deal with conflicting regulations.
The FCA also confirmed that all of its rules are made with fairness and transparency in mind and are created to comply with data protection law, which is now regulated under GDPR. Compliance is required at boardroom level: every business and organisation is not only required to comply but also required to provide documentary proof of compliance. If this documentary proof is not available, a business or organisation can be found to be in breach of the law and could face the imposition of a fine.
As part of the statement, both the FCA and the ICO recognised that there was still work to be done to make sure that each individual aspect of GDPR could be implemented alongside current regulatory frameworks. Both parties stated that they will work together to ensure that this happens, while listening to the concerns of businesses and organisations. The example given was the input provided by the ICO to the FCA's Innovation Hub.
This collaboration is set to continue as GDPR is implemented throughout the UK. The collaboration is a necessity, in order to ensure that regulations do not contradict each other. The aim of all of those involved in ensuring compliance with GDPR and FCA guidelines should be to ensure that businesses and organisations are following all of the necessary steps to ensure that the personal data of individuals is processed securely and with the rights and freedoms of the individual in mind.