Is there a Conflict between MiFID II and GDPR?
For regulated companies, few things are causing more anxiety than new dictates coming out of the EU, namely GDPR and MiFID II, which impose some of the most exacting rules on companies to date for information governance. These two pieces of legislation, taken individually, have companies on both sides of the pond scrambling to comply with guidelines for which many aren’t even close to being ready. However, when taken together, they may pose an even bigger challenge, in that the goals of MiFID II and GDPR can easily appear to be in conflict with each other!
On one hand, GDPR focuses on privacy and strengthens the rights of individuals in the EU to ensure that their personal data is used only for purposes to which they have consented, including the right to ask a company to erase their personal data. On the other, MiFID II is market regulation designed to improve transparency and efficiency, and it requires firms to retain business records, including client correspondence, for at least five years. Reporter Jess Nelson posed a question that sums up the apparent contradiction: “What would happen if a consumer asked to be forgotten by a company that then had a massive recall? How do you notify a forgotten individual?” Likewise, a financial services company may ask, “What happens when communications between our firm and a client that must be retained and produced under MiFID II also include personal information about the client that is unrelated to our business?”
Companies aren’t ready for GDPR or MiFID II, much less the combination of the two
So far, we’ve painted a pretty dire picture: firms are tasked with complying with two separate pieces of legislation that not only set standards very few can currently meet, but also appear to issue competing directives that complicate the issue even further. If that sounds like something out of a chief compliance officer’s nightmare, don’t reach for the hyperventilation bag just yet. In reality, the difficulty of complying with GDPR or MiFID II, and the conflict between the two mandates, stems from a lack of alignment between those defining the requirements (here, financial regulators and privacy authorities, with data security regulators as a third wheel) and the technologies built to address those requirements. Technology tends to focus on applying a single point solution to the problem immediately at hand, which has produced the scattered and siloed state of enterprise information management we see today. The good news is that this is not only a solvable problem, but that fixing it will greatly benefit almost every department within an enterprise, from accounting to customer service and beyond.
Fixing enterprise information governance
Bill Coffin of Compliance Week accurately described the current state of the data that organizations have been gathering over the years in disparate silos: “Quite a lot of organizations don’t know where some of that information is. They don’t have control over it. Many users may have been storing information in the cloud that may not be readily known to the IT or security department.” Clearly, fixing the problem requires an integrated approach to capturing, storing, archiving and then ultimately retrieving and analyzing data.
A blessing in disguise?
So what are the fundamental pieces that companies need to have in place in order to not only comply with, but also to reconcile the apparent contradictions between GDPR and MiFID II? Read the next blog in this series.