Podcast: Recent FCA Statement on GDPR Compliance
In this Ropes & Gray podcast, asset management partner Eve Ellis and data, privacy and cybersecurity partner Rohan Massey discuss a recent press release from the FCA, the UK’s financial services regulator, in relation to the handling of client data.
Eve Ellis: Hello, and thank you for joining us today on this Ropes & Gray podcast. I'm Eve Ellis – I'm a partner in our asset management group, and I specialize in regulatory matters that impact asset managers. I'm delighted to be joined by Rohan Massey today, who is a partner in our data, privacy and cybersecurity group. On today's podcast, we're going to be covering a recent press release that the FCA issued in relation to handling of client data and associated obligations. Just to give listeners a little bit of background, this was a press release that the FCA, which is the UK’s regulatory authority in relation to the financial services industry, gave, warning that firms that are regulated by the FCA need to ensure that they comply with their obligations in relation to data and handling of client data. So to that end, Rohan, I suppose my first question to you is: Is it usual for the FCA to get involved in data issues?
Rohan Massey: Yes, Eve, it is. To start, the Information Commissioner's Office, the ICO, and the FCA do have in place a memorandum of understanding to cooperate with each other, in relation to issues coming out of data protection in financial services. Also, we've seen a previous memorandum like this where the FCA, the ICO and the Financial Services Compensation Scheme published a joint statement to insolvency practices actually, how they should work with personal data when dealing with insolvencies to ensure the processing of the data is lawful. So this is something we have seen before.
Eve Ellis: Thanks, that's really interesting. I suppose this particular press release covers a couple of areas, in particular, Brexit and consolidations. What do you think is the biggest priority for firms now who are looking at this?
Rohan Massey: Yes, it's an interesting one. Obviously, the FCA's looking at the economy as a whole. It's seeing the impacts, I think, both of COVID and of Brexit, and showing that the marketplace is going to be impacted by this. So we may see reorganizations, we may see mergers, and of course, we may see other transactions which will be cross border. For me, I think the biggest issue we have at the moment is Brexit. We are less than a month away from the end of the transition period. As we're speaking, we're still at a no deal, which means, especially with regard to data, we are going to see a shift in the regulation of international data flows, which will be very challenging for all organizations that work on an international basis when dealing with personal data.
Eve Ellis: I agree. Clearly COVID is having a significant, and will continue to have a significant, impact on the economy, and that is going to lead to consolidations. And equally, issues around Brexit certainly give rise to a lot of things that people need to be thinking about at the moment. Particularly with an eye on consolidation, what issues do these raise for people?
Rohan Massey: From the Brexit perspective, let's think about it on an international basis. If you are consolidating and taking over or becoming part of a broader group, think about the data flows in and out of Europe. We know that data protection in Europe is protected. It can flow around the European Union on a free basis. But countries outside of the European Union must be able to show that they have adequate protection for the data once it leaves the European Union. So it's going to be important to that data coming out of the EU to the UK, for UK organizations to be able to show that they have in place adequate protection. Now, they could have that by getting customers' consents, they could have it by using standard contractual clauses, which are European-blessed data protection contracts, but they're going to have to have something in place. The best position we could have is that the UK is deemed to be adequate by Europe, which means actually the data flows will flow to the UK as they do today, but I think that's going to be a long shot. To date, 13 countries have been granted adequacy – Japan was the last one, and it took a couple of years to get that decision approved. We haven't even really started those negotiations yet, so unless there is a break from tradition and the UK is granted adequacy because it has been a member of the Union, we could have a significant delay until we get to adequacy. So organizations will have to have other means for making data transfers lawful.
Eve Ellis: Thanks Rohan, that's really interesting. I think what this press release does is clearly it is a great reminder to anyone that's regulated, particularly asset managers, of the rules that they need to comply with, particularly in the context of Brexit and consolidations. So I think this is a really helpful reminder. In addition, I think what it does is it emphasizes the importance that the FCA as a regulator places on these issues, and that if there’s a breach of rules under the data protection requirements, that also will lead to a breach of FCA rules if you are regulated by the FCA, and I think that's a really important point for people to bear in mind.
Rohan Massey: Eve, I entirely agree. I think one other thing to bear in mind, of course, is the active enforcement that we are seeing in the data protection area. Now, in the last 18 months, we've seen a number of multi-million pound fines for noncompliance in this area. We know that the ICO is an active regulator, we know that the European data protection authorities are active regulators – so there is a real and material risk here for organizations to ensure that they do take their data protection obligations very, very seriously and stay abreast of these changes as their businesses develop.
Eve Ellis: Well, thanks Rohan – thank you for joining me today and discussing this with me. And thank you to our listeners. For more information on what we've discussed today and other topics that you might be interested in, please visit our website at www.ropesgray.com. And of course, if you have any queries on anything that we have discussed, please don't hesitate to get in touch with either of us. You can also download our podcast using your usual download method of either Apple, Google or Spotify. Thank you very much.