February 9th, 2018 by Nick Railton-Edwards

The FCA and the Information Commissioner’s Office (ICO) yesterday published a joint statement emphasising that non-compliance may result in both agencies knocking on the offending institution’s door. The update is short and worth reading in full; however, the main takeaways are summarised below for convenience:

  • The GDPR does not conflict with the FCA Handbook
  • GDPR compliance is a board level responsibility. Firms must be able to demonstrate steps to compliance
  • The FCA will work hand-in-hand with the ICO. Their existing MOU will be updated as needed.
  • The FCA will consider GDPR compliance under its own rules, such as its Senior Management Arrangements, Systems and Controls (SYSC) module

The strong implication is that a breach may not only trigger ICO fines, but also the FCA's wide range of sanctions. The GDPR, as regulated by the ICO in the UK, already confers extensive powers to fine, with the most serious contraventions costing up to EUR 20 million or 4% of global turnover (whichever is greater). To put this into perspective, TalkTalk's 2016 fine of £400,000 would equate to £59m under the GDPR. If these numbers are not enough to concentrate board members' minds, the additional threat of FCA action should suffice.

The GDPR comes into force on 25 May 2018[1].


[1] The EU have provided a handy clock for those who are hard of counting


Copyright © 2018 Document Risk Solutions Ltd