GDPR and MiFID II – clash or opportunity?
By Shiran Weitzman, CEO, Shield Financial Compliance
Building a data management blueprint
Compliance teams that can bring the upcoming General Data Protection Regulation (GDPR) together with the revised Markets in Financial Instruments Directive (MiFID II) will give their firm a sturdy yet flexible framework for data management.
MiFID II’s reporting requirements are notorious for the breadth and depth of data they require firms to collect. The scale of the problem is characterised by the range of data types that must be aggregated to build reports, the technical challenges that the process entails and the risks created as a consequence of managing that data. To support transaction reporting and best execution, all trading communications between regulated firms and their clients – including telephone calls, emails, documents and instant messaging – must be recorded and their contents made searchable.
Implementation of reporting has proven difficult; reporting of equity trading data to the European Securities and Markets Authority (ESMA) was so limited at first that the supervisor delayed the imposition of volume caps on dark trading by three months, because it had such meagre information.
Under the GDPR, which comes into effect in May 2018, data management will come into sharper focus for all firms. It sets out very specific requirements for firms who gather and process personal data.
At first glance, a firm may consider the requirement to gather and store data under MiFID II – which includes the personal details of traders – to stand in contrast with the very prescriptive GDPR rules, which require firms to limit the processing of personal data and set out protections for that data.
However, businesses working under both regimes should take heart. Far from contrasting with the aims of MiFID II, the rigour that GDPR demands in managing data will in fact support a firm in its approach to handling personal data. GDPR gives clear, prescriptive instruction on how to record, store and retain data, including voice.
The regulation can be broken into two elements: determining a legitimate basis for processing and establishing who is accountable for the data; and guidance on the way that data should be handled. MiFID II is a valid reason for recording and storing data under GDPR, because ‘processing is necessary for compliance with a legal obligation’ is the third of the six lawful bases for processing set out in Article 6(1) of the GDPR. Note that this basis covers only what the law actually requires: recording that goes beyond the MiFID II scope, or retention beyond the MiFID II record-keeping period, needs a lawful basis of its own.
That mitigates concerns about the validity of data collection for MiFID II compliant firms. One challenging area may exist among asset managers that are not considered investment firms under MiFID II; if their obligation to record only arises when they are dealing with a MiFID II compliant counterparty, they may need to record selectively, which in turn requires that they understand each counterparty’s status before the conversation takes place.
GDPR then determines how firms must protect and process that data, for example by demonstrating how they will prevent a data breach or data leakage, and how the data will be stored.
The interconnectedness of these two pieces of legislation means that any technology solution employed to manage one must, at least in part, help to manage both. Firms that have adopted a siloed approach to data capture under MiFID II therefore face a serious risk that either GDPR controls will have to be duplicated across those silos, or the MiFID II systems will not be GDPR compliant, creating risks around the security, privacy and accessibility of data as well as its processing.
Approaching MiFID II and GDPR as a single challenge allows a firm to create efficiency and confidence in its approach to secure data gathering and processing. Using a holistic technology model to underpin this creates the potential for automated and centralised data aggregation, tagging and correlation, so that related events form a sequential flow that can be easily reconstructed when a regulator or a data subject asks for it.