MiFID II and GDPR. Contradictory or meeting customer needs?

Businesses feel onerous demands are being placed on them by regulators and EU directives alike. But take a wider perspective and it soon becomes clear that the time for such regulations has indeed come, especially when information security breaches such as those of TalkTalk and Equifax hit our headlines and the risks to personal data breaches grow. Whilst discrete regulations, they both address the growing data needs of customers and other stakeholders.

At its heart, the core purpose of MiFID II is to enhance investor protection with improved governance and transparency requirements. GDPR’s core purpose is to benefit individuals – including those same investors – by giving them greater control over the personal data relating to them. For a firm an individual can be a client, an employee or any third party provider. GDPR also sets in stone the right for people to know how their data is being used and the right for any information to be deleted on the individual’s request.

Even so, whilst in financial services markets investors are the ultimate beneficiaries, firms are likely to be left facing a compliance headache as they try to balance the inherent contradictions between protecting investors under MiFID II with greater transparency about them and their activities on the one hand for regulators and acting in an appropriate manner in respect of the security and privacy of those investors’ data under GDPR on the other. What people often miss is that GDPR does not forbid the disclosure of customer information: it simply sets rules in place for the way in which this information is shared.

The tensions between the two can be summarised in the two key areas of data collection and record keeping:

Data collection: MiFID II requires the collection and retention of a large volume of client and counterparty information, including all electronic communications data. This data must be made available to regulators within 72 hours of a request. Conversely, GDPR introduces specific data subject rights around the erasure of data. It’s also worth remembering that the penalties of GDPR non-compliance are significantly tougher than those of MiFID II. GDPR fines are expected to reach up to 20 million euro or 4% of global turnover for the most significant areas of non-compliance.

Record keeping: Firms must be accountable for the personal data they hold and consider the purposes and period for which that data is retained. For example, under MiFID II, client email correspondence must be recorded and archived for up to five years, telephone calls for as long as seven years. GDPR states that organizations may only process data where there is a legitimate basis for doing so and document this accordingly.  The regulation also states that it is to be stored only for as long as necessary or within the statutory minimum retention periods specified by other legislation. An example of a contradiction between the two regulations is that if a client wishes to have data recorded about them deleted within the timeframe set down by MiFID II, the firm will not be compelled to comply.

An integrated data and technology policy is a key to moving forwards

It’s worth saying that these are most unlikely to be the last data regulations facing businesses! Technology has too often been focused on applying a single, point solution to problems immediately at hand – which has resulted in the current scattered and siloed state of much enterprise information management. So the good news is that firstly, reconciling both MiFID II and GDPR is not only a solvable problem, but that fixing it will benefit almost every department within an enterprise greatly, from accounting to customer service and beyond. Secondly, it prompts organisations to take a more integrated and holistic approach to data management and be better prepared for future regulations and directives. Thirdly, newer, more powerful technologies are available that can address the need for more integrated data management, provide competitive advantage for firms and also be designed to maximise future proofing.

A simple, outline data approach would include:

• Testing systems, processes and newly-implemented policies and procedures to confirm that they can comply with enhanced data subject rights and additional obligations under GDPR
• Mapping current as well as anticipated data client data flows
• Conducting a data audit to evaluate data lifecycle management within the organization.

Furthermore in larger organizations, once separate or ring-fenced teams will now be required to collaborate on a regular basis to ensure the collection and processing of data and the retention of records is conducted in a manner that is compliant with both GDPR and MiFID II going forward.

Complying with these mandates and riding the delicate balance between them, requires being able to gain total control over all data that your organization is generating. This includes not just transactional, ERP and other structured data, but also the even ‘bigger’ forms of Big Data being created through the exponentially growing list of communication channels like social media, IM and voice communication.

It might not feel like it at the time and they may in part seem contradictory, but rest assured that the headaches of successfully tackling MiFID II and GDPR are ultimately in the best interests of your customers!