The FCA and the Information Commissioner’s Office (ICO) yesterday published a joint statement emphasising that non-compliance may result in both agencies knocking on the offending institution’s door. The update is short and worth reading in full; however, the main takeaways are summarised below for convenience:
- The GDPR does not conflict with the FCA Handbook
- GDPR compliance is a board-level responsibility. Firms must be able to demonstrate the steps they have taken towards compliance
- The FCA will work hand-in-hand with the ICO. Their existing MOU will be updated as needed.
- The FCA will consider GDPR compliance under its own rules, such as its Senior Management Arrangements, Systems and Controls (SYSC) module
The strong implication is that a breach may trigger not only ICO fines but also the FCA's wide range of sanctions. The GDPR, as enforced by the ICO in the UK, already confers extensive powers to fine, with the most serious contraventions costing up to EUR 20 million or 4% of global turnover (whichever is greater). To put this into perspective, TalkTalk's 2016 fine of £400,000 would equate to £59m under the GDPR. If these numbers are not enough to concentrate board members' minds, the additional threat of FCA action should suffice.
The GDPR comes into force on 25 May 2018.