There has been much general discussion on the General Data Protection Regulation (GDPR) since the last post on the topic (see here). The rules start to apply in May and are keeping many companies busy, covering a wide scope of activity.
In the UK, last month the FCA and Information Commissioner’s Office (ICO) published this statement discussing the possible overlaps between the rules. The statement declares that “We believe the GDPR does not impose requirements which are incompatible with the rules in the FCA Handbook.” It does state elsewhere, however, that “we recognise that there are still ongoing discussions to ensure specific details of the GDPR can be implemented consistently within the wider regulatory landscape.”
This article on the Euromoney web site discusses the statement, and the possible contradictions with the MiFID II requirements. For example, MiFID II Transaction Reporting requires that personal data sometimes be transmitted. In addition, record keeping requirements about clients or personnel may conflict with the “right to be forgotten” and other parts of GDPR. This article on the Practice Insights web site looks at some solutions to the reporting problem using anonymous tokens. Suggestions around how regulators should approach conflicting requirements are found in this article by Stuart McClymont of JDX, found on The OTC Space site.
Most market participants in energy and commodities are not Investment Firms and will have fewer MiFID II conflicts. Nevertheless, the issues to consider are not limited to HR or even customer data. Data around anti-abuse activity relating to traders, suspicions and other rules will need to be reviewed to ensure that those rules are adhered to in a way that respects GDPR.