Watch your data! Authorities clamping down on GDPR breaches, issuing massive fines
The magnitude of fines now being implemented by the UK authorities for GDPR breaches would be enough to see off any brokerage as the same tariffs apply to all sectors, and far outstrip the FCA’s fines
A month and a half ago, FinanceFeeds reported the full set of data issued by the UK Information Commissioner’s Office (ICO) as the first year in which the GDPR data protection regulations had completed, the purpose of the report being to reflect on the regulator’s experiences over the past year and share what it has learnt about the GDPR and its impact a year after its implementation.
As is often the case when new regulations are instigated in regions with a highly developed financial markets economy and a diversified industrial base such as the United Kingdom, the regulators have begun to step their auspices up considerably following publication of the first year’s outcomes.
As this week commences, the British authorities have begun to issue tremendously high fines to large companies, in what could be considered a high profile attempt to make an example of those which jeopardise data in order to ensure other companies toe the line.
In the FX and CFD business, GDPR is a huge consideration, not only in terms of internal CRM and transaction data, but also in terms of how customer data is handled when trade reporting is conducted under the MiFID II guidelines which require all execution data from all venues, brokerages and exchanges to be published to the regulatory authorities across Europe.
FinanceFeeds has spoken at length to many regulatory technology and reporting companies, all of which connect intrinsically to Amazon’s AWS cloud for data handling, purely because of AWS Cloud’s ability to comply with GDPR regulations.
Whilst the latest casualties of the long arm of the data protection regulator are not FX brokerages, the two fines, handed out in just under 24 hours, represent what could likely happen to a financial services company or electronic brokerage for non-compliance with GDPR regulations.
The ICO has now handed out out £238 million worth of fines to British Airways and hotel group Marriott International.
Given that, unlike in other areas of regulatory oversight, the ICO is responsible for administering penalties to all industry sectors regardless of their operations or type of business, these fines could be implemented upon large blue chip global companies, or onto a retail FX brokerage 100th of the size of the recipients of these recent fines, and is at liberty to apply the same tariffs.
Whilst many law firms in the City have recently stated that many responsible officers have become more vigilant about the handling of personal data since the GDPR regulations were introduced in May, and many have increased their resources in protecting data since the ICO released the ‘one year on’ report in May this year, there are still some degree of whistleblower reports taking place.
Whistleblowers are on the increase, too, with 175% increase in whistleblower reports to the ICO since May 2018 when GDPR was introduced.
Just to put the magnitude of the potential penalties into perspective, the two fines, issued in little more than 24 hours to Marriott and British Airways amount to more than three quarters of the total fines given by the Financial Conduct Authority (FCA) in the whole of the past year to all of the companies that it oversees. This is despite the fact the FCA has traditionally given far harsher fines than the ICO.
To put that into perspective, a balance sheet of over $50 million is required to maintain a prime brokerage relationship with a bank, a relationship which only approximately six entities in the entire global FX and OTC derivatives sector worldwide has, out of over 2,500 brokerages currently operational, demonstrating that a fine of £100 million to a single entity would see of pretty much any company in the brokerage business.
“GDPR has driven a cultural shift in how people perceive personal data and its value. More people now see it as part of their personal property, and they are more likely to act if they believe it is being misused” said Richard Breavington, Partner at RPC law firm in London.
“The ICO has shown that it is a regulator to be respected. The FCA had traditionally been thought to be among the tougher regulators in the UK, but the fines the ICO is levying are now on a different scale.”
“There were a lot of eyes on the ICO, waiting to see how it would use its new powers. Few foresaw it hitting a business with such a high fine at this stage” he said.
There are specialist companies in the electronic trading industry that are able to assist with ensuring compliance of GDPR, many of them being regulatory reporting specialists specific to our industry, thus it is worth taking this seriously.
