GDP Aargh, MiFID II Hard. Pull your SOX up.

This week, obviously overshadowed by the demonic acts of a small number of callous murdering scumbags, has been very interesting (or not, dependent on your perspective). It seems that people have started to talk about the unmentionable, unfathomable (for most) “nothing to see here chief” forthcoming regulatory requirements of GDPR and MiFID II. Both topics have been discussed at the IDX and Infosec 2017 conferences. At length.

It is not for this blog to debate the whys, wherefores, ups, downs, pros or cons of either of these two, soon to be dumped on the shoulders of, apologies soon to be seamlessly implemented by businesses large, small and everything in between.

The most cynical of individuals in Information Technology have been overheard comparing these regulations to really very hard parking restrictions which make it certain that you will at the very least be fined, and at worst have your vehicle destroyed in a controlled explosion. We couldn’t possibly comment.

GDPR is going live on 25/05/18. In his keynote address at Infosec 2017 in London, the Information Commissioner’s Office senior technology officer Peter Brown, whilst very reassuringly informing the audience that they “probably won’t be breaking doors down on that day and demanding 4% of your annual turnover”, informed the audience that all businesses, large or small, in scope must appoint a Data Protection Officer (DPO).

This quote, together with the threat of being excluded from the good guy list on account of Brexit has caused waves in the security community, as in this blog by the truly excellent folk at Sophos’ Naked Security.

The trouble with blogs like the one above is that, if you know nothing about the regulations, they would seem to suggest that all businesses must appoint a DPO. In fact, you only have to if you are:

  • A public authority (except for courts acting in their judicial capacity);
  • An organisation that carries out the regular and systematic monitoring of individuals on a large scale;
  • An organisation that carries out the large-scale processing of special categories of data, such as health records, or information about criminal convictions.

The confusion caused by reportage such as this could be, in our opinion, contributory to the prevailing ‘head in the sand’ positions of many organisations.

So we turn to MiFID II. Seven years in the creative agar jelly of the European Securities and Markets Authority (ESMA), already delayed one year, because nobody was ready (and probably are still not ready), yesterday at the IDX 2017 conference, Steven Maijoor (ESMA chair), announced that there would be no further delays and the regulations would be in effect on 03/02/18.

At over 5000 pages, MiFID II is massively complex with requirements for front and back offices to record and categorise pretty much everything with almost atomic clock levels of time stamp precision (in some cases), not achievable using current network time protocol standards.

The time stamping and categorisation requirements go way above current expectations and will require specialist consultancy and technology which may be very difficult to retrofit into an operational environment, especially if you didn’t start planning a few years ago.

Given that our very own Financial Conduct Authority published ‘near final’ rules in March this year, encouraging firms to submit applications for authorisation, January 2018 looks very, very close.

Two different sets of enforcement officers. Two very different sets of rules. Two serious headaches. One thing for sure. The successful implementation of these regulations will require a new paradigm in the relationship between business process, IT processes and, heaven forbid, business people and IT people. These regulations are about data classification and governance.

As our in-house Director of Cyber Risk points out in his recent GDPR webinar, it is all well and good talking about the fines, but the regulators have the power to enforce data deletion and full and frank disclosure, in other words the potential to destroy your business.

To recap:

  • GDPR go live: 25/05/18
  • MiFID II singularity: 03/01/18
  • Zombie Apocalypse: Most likely between these two dates

Here at ITC, we can offer some great advice on how to do something positive about these forthcoming regulations. As we all know, a plan, no matter how straightforward, is better than paralysis. Please do give us a call, hopefully before November for MiFID II and April for GDPR.

Contact us at: [email protected] or call 020 7517 3900.

Our hearts go out to the victims, friends and families of the recent atrocities. So senseless.