What small businesses must know about GDPR and MiFID II

In just over a year a heady cocktail of European legislation will come into force: MiFID II and GDPR. Here, James Foley explores what small businesses need to know.

Any recording policies under MiFID II will need to be considered within the context of preventing potential intrusions into privacy

MiFID II (the Markets in Financial Instruments Directive) will be woven into UK law from July 2017 and will demand immediate compliance from January 3rd 2018. It’s a weighty piece of regulation for the financial services industry and is applicable to anyone who provides services linked to financial instruments. So, even if you’re a lone IFA, you’re still duty bound to work within the new framework.

As a regulatory beast, it covers everything from pre-trade transparency requirements for organisations that trade in liquid shares to a narrowed list of execution-only products that companies can sell. Amid the mass of detail is a diktat that all communications that intend to lead to a transaction should be captured, recorded and stored in a secure way. This includes conversations over a personal mobile phone and face-to-face meetings.

We all know the saying, when it rains it pours. In March 2018, just as the legislation beds in, GDPR (General Data Protection Regulation) will make an entrance. GDPR promises to add serious muscle to the 1998 Data Protection Act by heavily penalising companies for failing to protect individuals’ data – meaning any recording policies under MiFID II will need to be considered within the context of preventing potential intrusions into privacy.

And herein lies the rub. On the one hand, financial services companies now need to hold more data about customer transactions than ever before, which will increase the likelihood of inadvertently mislaying it or leaking data. On the other hand, they need to be extra vigilant about protecting their customers’ data. With GDPR, they’d probably rather curtail the amount of data they collect, rather than amass more. Unfortunately this isn’t an option.

A rude awakening

Almost six months ago, SmallBusiness.co.uk reported that 82 per cent of companies either haven’t heard of GDPR or don’t understand its impact.

GDPR is on the radar for large businesses but is still an unknown quantity for many smaller firms – even though it applies to the full spectrum of commercial entities, including sole traders working from home.

In fact, the regulation expects all controllers to take a more proactive approach to data protection and privacy and contains many articles that apply equally, no matter the size of organisation.

Big corporate customers may even view smaller firms as a higher risk if they’re unable to demonstrate control over data processing, meaning small companies could be due a rude awakening. And failure to comply means a firm could be fined 4 per cent of its global turnover.

Navigating muddy waters

The overlap between GDPR and MiFID II is a tad muddy. MiFID states that recordings should be stored for five years, while GDPR is vaguer and simply states that personal data shouldn’t be kept for any longer than needed. Is five years too long for a simple telephone conversation that didn’t lead to a transaction (but might have done)? Where’s the assurance that the two pieces of legislation dovetail properly, or that the right hand even knows what the left hand is doing?

In an uncertain environment, a company should strive for absolute security. Avoiding a difficult situation is far better than firefighting one. Given that human error is the most common cause of mishaps, automating the recording and secure storage of data is really the only recourse.

Finding resilience in the cloud

Naturally, audio files are large and expensive to keep, and will eat through storage capacity in no time at all. Using a cloud-based voice recording solution that encrypts data in transit as well as at rest is therefore very important, and will give businesses access to an infrastructure which far exceeds their own in terms of sophistication and impenetrability.

Finding a viable means of recording business calls on a device without also capturing personal calls is another pressing new requirement. The simple act of recording non-work-related conversations, let alone listening to them, would infringe GDPR. However, there is now a means of providing a dedicated business number on any iOS or Android mobile device, so business and personal communications can be split.

Using a central repository or vault with access control, real-time monitoring and robust service level guarantees is also paramount. This all sounds very intimidating but in reality, all a company needs is access to a cloud-based app available from their employees’ smartphones, like Resilient’s.

Business as usual

Despite the solution’s simplicity, you might question whether compliance is necessary given that most of the UK public voted for Brexit on 23rd June. Because the government is yet to trigger Article 50, and it will take a further two years to exit the EU, the FCA has confirmed that much of the UK regulation derived from EU legislation will remain applicable until the negotiations are finalised and enacted. Meanwhile, the Information Commissioner’s Office (ICO) has confirmed that if the UK wishes to trade with the EU single market on equal terms post Brexit, it will need to prove ‘adequacy’ – in other words, UK data protection standards would have to be equivalent to the EU’s GDPR framework.

This means companies will need to prepare for both pieces of legislation while ensuring nothing falls between the cracks. Telephony is a small but significant piece of the MiFID II regulation. Given that next year will fly by, I suggest making compliance your new year’s resolution.

James Foley is vice president of customer experience at Resilient