They are two regulations about to become enforceable in 2018, but they may not be compatible with each other.
The General Data Protection Regulation (GDPR) becomes enforceable from May 25th 2018. MiFID II comes into force on the second working day of 2018.
GDPR relates to privacy, MiFID II relates to transparency. The former is being introduced as a reaction to the age of big data that is upon us. The Economist recently stated that data is the new oil – the world’s most valuable commodity, but this comes with enormous privacy issues.
MiFID II is being introduced as a reaction to the 2008 financial crisis.
The conflict relates to staff. GDPR introduces tough rules on the data held by companies about their staff. In the GDPR framework, written consent by employees to their employer to use their data may not be enough, because of the asymmetrical nature of the relationship between employer and employee.
But MiFID II requires records of trades and of who at a company executed them. MiFID II also entails records of conversations between individuals, for example keeping recordings of pertinent questions for five years. The aim is to reduce insider dealing or sharp practice, but it is the antithesis of data privacy.
It may simply be impossible to comply fully with both regulations.
Drill down and things may not be quite so hopeless.
GDPR is not without reasonableness. If an employer is required to keep data relating to employees by law, then providing it follows the correct procedures, it will not be breaking the rules.
And that brings us to the similarities, because transparency is a key part of GDPR too. Holding data relating to staff, where an employer is required to do so in order to comply with MiFID II, does not contradict GDPR, provided staff give permission and are fully aware of the records that are kept.
The problem is not so much the data held as not being open about it, or keeping the data concerning employees for longer than is required.
MiFID II is not an excuse – it does not give an employer carte blanche with staff’s data. It simply means that there are ways in which certain companies must keep certain data on activities of staff – providing they follow the correct procedures.