
14 February 2018
London
Reporter Jenna Lomax

FCA and ICO publish joint update on GDPR

The Financial Conduct Authority (FCA) and the Information Commissioner’s Office (ICO) have warned financial services firms that they will need to consider how the General Data Protection Regulation (GDPR) will apply to them, and ensure that they are ready to comply with the regulation.

While the ICO will regulate the GDPR, due to come into effect on 25 May this year, the FCA said that compliance with the GDPR requirements is also something it will consider under its rules.

The joint statement, published on 8 February, indicated that firms must pay close attention to requirements in the senior management arrangements and the systems and controls (SYSC) module.

The FCA and ICO said that, as part of their obligations under SYSC, firms should establish, maintain and improve appropriate technology and cyber resilience systems and controls.

In a statement, the FCA said: “Compliance with GDPR is now a board level responsibility, and firms must be able to produce evidence to demonstrate the steps that they have taken to comply. The requirement to treat customers fairly is also central to both data protection law and the current financial services regulatory framework.”

It added: “When the FCA makes rules, we take into account how our requirements will affect the privacy interests of individuals such as firms’ customers and employees. [...] However, we recognise that there are still ongoing discussions to ensure specific details of the GDPR can be implemented consistently within the wider regulatory landscape.”
