Is there a Conflict between MiFID II and GDPR?
For regulated companies, few things are causing more anxiety than new dictates coming out of the EU, namely GDPR and MiFID II, which impose some of the most exacting rules on companies to date for information governance. These two pieces of legislation, taken individually, have companies on both sides of the pond scrambling to comply with guidelines for which many aren’t even close to being ready. However, when taken together, they may pose an even bigger challenge, in that the goals of MiFID II and GDPR can easily appear to be in conflict with each other!
On one hand, GDPR focuses on privacy and advances the rights of EU citizens to ensure that their personal information is only used for purposes to which they have granted consent – and includes the ability for EU citizens to demand that companies delete their personal data. On the other, MiFID II is about regulation designed to improve market transparency and efficiency, and requires that firms keep business records for at least five years, including client correspondence. Reporter Jess Nelson posed a question that sums up the apparent contradiction: “What would happen if a consumer asked to be forgotten by a company that then had a massive recall? How do you notify a forgotten individual?” Likewise, a financial services company may ask, “What happens when communications between our firm and a client that are required to be produced under MiFID II also include personal information about the client that is not related to our business?”
Companies aren’t ready for GDPR or MiFID II, much less the combination of the two
Before answering this question, it’s informative to look at the current state of readiness for these two sets of regulations, and the possible reasons behind organizations’ lack of preparedness to date. As American Banker reported, pretty much any firm, based anywhere in the world, that collects data on an EU citizen is subject to the law, whether or not they have an actual European business arm. Yet, a study from Spiceworks showed that only five percent of UK and two percent of U.S. and EU IT professionals believe their company is fully prepared for GDPR (added to that, only 40 percent of UK companies, 28 percent of EU companies and five percent of U.S. companies have even started to prepare). And when it comes to MiFID II, firms are apparently so far from being ready that FCA director Mark Steward essentially said that, for the time being, they’re going to decline to punish companies that at least show that they’re taking steps to be prepared (the implication being that fully enforcing the law would mean taking action against just about everyone, since almost no one is ready for it).
So far, we’ve painted a pretty dire picture: firms are tasked with complying with two separate pieces of legislation that not only set standards that very few can currently meet, but also appear to offer competing directives that complicate the issue even further. If that sounds like something out of a chief compliance officer’s nightmare, don’t reach for the hyperventilation bag just yet. The reality is that the challenge of complying with GDPR or MiFID II, and the conflict between these two mandates, stems from the lack of alignment between those who are defining requirements (in this case, regulatory and privacy bodies – but add data security regulatory bodies as a third wheel) and the technologies designed to address those requirements. Technology tends to be focused on applying a single point solution to the problem immediately at hand – which has resulted in the current scattered and siloed state of enterprise information management in general. The good news is that it’s not only a solvable problem, but that fixing it will greatly benefit almost every department within an enterprise, from accounting to customer service and beyond.
Fixing enterprise information governance
Complying with these mandates, and striking the delicate balance between them, requires being able to gain total control over all data that your organization is generating. This of course includes not just transactional, ERP and other structured data, but also the even “bigger” form of Big Data being created through the exponentially growing list of communication channels such as social media, IM and voice communication.
Bill Coffin of Compliance Week accurately described the current state of the data that organizations have been gathering over the years in disparate silos: “Quite a lot of organizations don’t know where some of that information is. They don’t have control over it. Many users may have been storing information in the cloud that may not be readily known to the IT or security department.” Clearly, fixing the problem requires an integrated approach to capturing, storing, archiving and then ultimately retrieving and analyzing data.
A blessing in disguise?
Setting aside for a moment GDPR and MiFID II, the confused state of enterprise information is a problem in and of itself, one that keeps companies from effectively working with their customers or planning future initiatives, and often makes them vulnerable to security breaches and data leakages. So, when you think about it, GDPR and MiFID II are really only prodding companies along to do something that they really ought to be doing for their own benefit: effectively managing their data.
So what are the fundamental pieces that companies need to have in place in order to not only comply with, but also to reconcile the apparent contradictions between GDPR and MiFID II? Read the next blog in this series.