2018 is a big year for financial organizations in the EU from a regulatory perspective, with MiFID II newly in force and the GDPR coming into effect in less than a month. Both regulations deal with data archiving and management, and both have a significant impact on the way financial companies do business. However, while MiFID II seeks to shine greater light on business practices by requiring more data gathering, retention, and access, the GDPR mandates stricter controls around those same activities.
The apparent conflict between the two most important EU-wide regulations has fueled industry fears of a headlong collision. Moreover, with GDPR fines that can reach 4% of global annual turnover (or EUR 20 million, whichever is higher), firms must be able to strike a balance between these two significant pieces of legislation to ensure compliance with both.
MiFID II and GDPR: Assessing Readiness of Financial Firms
Before answering the question of whether MiFID II and the GDPR truly conflict, a first look at the current state of readiness for these two sets of regulations is instructive. According to a recent report from American Banker, almost any firm that collects data on an EU citizen is subject to the GDPR. A recent study from Spiceworks reported that only 5% of UK and 2% of US IT professionals believe that their firm is fully prepared for the GDPR.
Regarding MiFID II, firms are, so far, keeping up with the rollout timetable. Chris Hock, head of asset trading at Union Investment, said in an interview, “To be honest, it feels like business as usual.” “For me, it is a continuation of recent trends we’ve seen, and after running a multi-asset trading desk for two years now, we are running the business the same as we did before. In this context, we do not need the regulator to tell us what to do,” he added.
What we can derive from these statistics and from the experience of company leaders is that the turmoil some pessimists predicted has not occurred, largely because many firms have done their homework. For the most part, the fear of an impending conflict between the two regulations stems from a lack of understanding of their nuances, especially their recordkeeping requirements.
GDPR vs. MiFID II: The Right to Be Forgotten
Most of the concerns that MiFID II will clash with the impending GDPR center on the “right to be forgotten” (the right to erasure) that the GDPR grants to data subjects (the term for anyone whose personal data is being processed).
However, contrary to what many organizations believe, the GDPR’s “right to be forgotten” does not apply to trading records covered by MiFID II. The right to erasure does not apply where processing is necessary to comply with a legal obligation to which the controller is subject, and MiFID II recordkeeping is exactly such an obligation. Since both regulations were drafted and are being implemented by the EU, there should be no conflict over how long financial organizations must retain data; each regime sets out its own retention standard, and the two fit together:
- MiFID II requires records to be retained for a minimum of 5 years (and for up to 7 years where the competent authority requests it).
- The GDPR requires firms to keep personal data no longer than is necessary for the purposes for which it is processed, which for trading records includes meeting the MiFID II retention obligation.
When the business no longer needs the data, it should be securely wiped, or anonymized if the company wishes to retain it. Furthermore, the GDPR also allows firms to hold data for the establishment, exercise, or defense of legal claims, which is crucial as the number of firms facing mis-selling allegations increases.
However, it is also important to note that the GDPR gives data subjects the right to object to companies, including financial firms, using their details for other purposes, such as targeting them with new products and services.
GDPR vs. MiFID II: Visibility over Employees and Trade Conversations
Another possible area of concern for many companies is the potential conflict between the MiFID II requirement to record all types of communications relating to trades, including SMS messages, and the GDPR’s restrictions on recording and storing employees’ personal conversations. Furthermore, it is still unresolved whether the MiFID II recording requirement can be justified under the GDPR in cases where no trade is ultimately executed.
Recognizing these nuances is crucial for financial firms seeking to observe both regulations at once. Firms need to look at what qualifies as a trade-related conversation and at the systems they can employ to ensure that all relevant communications, such as text messages and chats, are captured and are available only to those authorized to access them.
To achieve this, it is essential to have a system in place that enables the company to review and monitor trade-related conversations on both company-issued and BYOD devices.
TeleMessage is a global leader in enterprise mobile messaging solutions, offering robust and holistic mobile archiving platforms. Our Mobile Archiver is equipped with features that enable organizations to comply with both GDPR and MiFID II archiving requirements, such as automatic deletion of records when a customer opts out, data extraction and tagging, end-user notification in case of a breach, and advanced data security options for maximum protection of customer data.
Visit our website today at www.telemessage.com to learn how TeleMessage platforms can help you achieve compliance as the GDPR comes into force.