Miles Reucroft of Intelliflo discusses whether these two legislative initiatives are in conflict
- There have been persistent questions on whether MiFID II and GDPR contradict one another
- The area of conflict is around the subject of data retention (MiFID II) and data deletion (GDPR).
- The legal ground for processing is also extremely relevant to financial advice firms.
It’s the season of regulatory merriment for financial advice firms at the moment, with MiFID II set for implementation on 3 January 2018 and GDPR closely following on 25 May. There is a lot for firms to consider and there have been countless articles, papers, webinars and blogs (such as this one), highlighting a multitude of perspectives, interpretations and concerns about both.
One thread that has arrived quite consistently throughout is the notion that MiFID II and GDPR contradict one another. One particular area where this has surfaced is around the subject of data retention (MiFID II) and data deletion (GDPR). How can you simultaneously comply with the need to retain and the need to delete? Let’s start by looking at the requirement under MiFID II Article 16(6):
An investment firm shall arrange for records to be kept of all services, activities and transactions undertaken by it which shall be sufficient to enable the competent authority to fulfil its supervisory tasks and to perform the enforcement actions under this Directive, Regulation (EU) No 600/2014, Directive 2014/57/EU and Regulation (EU) No 596/2014, and in particular to ascertain that the investment firm has complied with all obligations including those with respect to clients or potential clients and to the integrity of the market.
This clearly states that firms should retain records where the regulator may need access to the information.
Now let’s look at GDPR Article 17(1):
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
- the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services referred to in Article 8(1)
- .
Taking the opening of Article 17 in isolation, then it does contradict MiFID. There are, however, six caveats.
GDPR is not designed, nor being implemented, to contradict existing regulations; rather it is being implemented with the sole aim of better protecting the data rights of individuals. The retention of data is, therefore, straightforward. If a firm has provided advice to an individual, then it will have processed data on that individual that it will need to retain. Such data will continue to be necessary going forward and there is a legitimate ground to process it on.
The legal ground for processing is also extremely relevant to financial advice firms. Stories such as this, where a complaint from advice given in 1989 was upheld by the Financial Ombudsman Service highlight the importance of data retention.
Where firms will fall foul of GDPR is where they are processing data that they do not need to be processing.
If there is a legitimate need to process the data, then the data should be retained and processed as per Article 16 of MiFID II. If there is not, then the data should be erased as per Article 17 of GDPR.
