GDPR and MiFID II – Clash or Opportunity?

Building a data management blueprint

This post was updated on 10.05.2021

The first half of 2018 saw two major legislative frameworks come into force, both within the European Union. In January that year, the revised Markets in Financial Instruments Directive (MiFID II) rolled out. Designed as part of financial industry reform legislation, MiFID II covered — and continues to cover — assets and professions in the EU’s financial services industry. A few months later, in May, the General Data Protection Regulation (GDPR) arrived, covering data protection and privacy in both the EU and European Economic Area, as well as the transfer of citizens’ personal data outside these two areas.

Both sets of rules provide a sturdy but flexible framework that should dictate data management within a firm. Both have in-depth reporting requirements, meaning that a range of data types must be aggregated in order to build reports. While MiFID II is most heavily focused on the financial markets, GDPR also impacts financial services in areas like the right to data erasure and the right to be forgotten, as well as through the potential fines for regulatory infringements and data breaches.

Making trade communications searchable

In order to support trade reporting and best execution, firms must ensure that all trading communications made between regulated firms and clients are recorded and made searchable. This includes telephone calls, emails, documents, and any instant messaging platforms used as communication channels.

At face value, firms might consider the requirements to both gather and store data under MiFID II — including personal details of traders — to contradict GDPR guidelines, which are built around user privacy and limiting the processing of data. In short, GDPR appears to go against MiFID II by giving individuals power over what firms are able to do with their personal data.

One notable example of this is Article 16 of MiFID II, which requires firms to hold records of communications that conclude, or are designed to conclude, in a sale. This outwardly appears to clash with Article 17 of GDPR, regarding the erasure of data in certain contexts, also known as the right to be forgotten.

In fact, the two sets of rules do not contradict one another, with GDPR providing clear, prescriptive instructions on areas like how to record, store, and keep data (voice included) with the best data hygiene practices. The regulation breaks into two distinct elements: one determining the legitimate use and ownership of data, and the other providing guidance on how data should be handled. Under GDPR, MiFID II represents a valid reason for the recording and storage of data — or, as GDPR phrases it in one of its six conditions, “Recording is necessary for fulfilling a legal obligation to which the recorder is subject.”

Managing both forms of legislation

The interconnectedness of these two crucially important pieces of legislation means that any technology solution must be able to help manage both. Firms that have adopted a siloed approach to data capture under MiFID II face serious problems if the MiFID II systems are not GDPR compliant. This creates big risks around the security, privacy, accessibility, and processing of data.

Instead, firms must approach MiFID II and GDPR as a single challenge, and develop or adopt solutions that can fulfill both sets of requirements. Using a truly hybrid technology model such as the ones developed by Shield — which provides granular access controls for classifying communications, mapping personal information, and creating custom data masking levels — can ensure communications are monitored securely and in compliance with all privacy regulations, thereby reducing risk. Doing this in a way that is both automated and centralized makes it possible to see sequential flows of trading events in a way that can be easily reconstructed.

MiFID II and GDPR regulations and enforcement will only become more stringent. Neither set of rules is new anymore, meaning that there is no excuse for failing to comply. If they haven’t already, firms must make sure that they take the right precautions now, rather than risk being caught short at a later date.
