The Financial Conduct Authority (FCA) and Information Commissioner’s Office (ICO) have published a brief update on the upcoming EU General Data Protection Regulation (GDPR), addressing some issues raised by firms.
GDPR comes into effect in the United Kingdom on 25 May this year; however, firms apparently still need clarity about the new rules.
A January 2018 Ipsos Mori survey on GDPR showed that about 38 per cent of businesses and 44 per cent of charities say they have heard about it.
Among those aware of GDPR, ‘just over a quarter of businesses and of charities made changes to their operations in response to GDPR’s introduction.’
Addressing questions about whether companies will be able to comply with both the GDPR and FCA rules, the watchdog said GDPR does not impose rules that are incompatible with those of its Handbook; instead, the two have a number of requirements in common.
“While the ICO will regulate the GDPR, complying with the GDPR requirements is also something the FCA will consider under their rules, for example, the requirements in the Senior Management Arrangements, Systems and Controls (SYSC) module,” the FCA said. “As part of their obligations under SYSC, firms should establish, maintain and improve appropriate technology and cyber resilience systems and controls.”
Firms must also be able to produce evidence to demonstrate the steps that they have taken to comply, the FCA explained.
It also said that it would review a Memorandum of Understanding it has with the ICO, to ensure the agreement is still fit to address future collaboration.
“The FCA and ICO are working closely together in preparation for the GDPR, and recently jointly hosted a GDPR Roundtable with firms and industry bodies to listen to industry concerns. One example of how we are working together is innovation, where the ICO is providing tailored input to the FCA’s Innovation Hub,” said an FCA statement on Thursday.
Both organisations said they will seek to continue to jointly address concerns firms raise and support firms’ preparations for the introduction of GDPR.