The ICO and the FCA - a Special Relationship in the Data Privacy World
April 02, 2019
More than four years have passed since the Information Commissioner’s Office (“ICO”) and Financial Conduct Authority (“FCA”) entered into their first Memorandum of Understanding (“First MoU”), a document which sets out a framework for cooperation and coordination between the two regulators. At the time, we described this relationship as a potential “match made in heaven”.
Since then, the ICO and FCA have worked very closely on a number of areas. During the lead-up to the General Data Protection Regulation (“GDPR”)1, they jointly hosted a GDPR roundtable event with firms and industry bodies to listen to industry concerns. The ICO has also been providing tailored input to the FCA’s Innovation Hub, whilst the FCA is supporting the development of the ICO’s Regulatory Sandbox. In a joint statement published last year, the regulators emphasised that “compliance with GDPR is now a board level responsibility” and that the requirement to treat customers fairly is “central to both data protection law and the current financial services regulatory framework”.
Fast forward to February 2019 and the two regulators have signed a revised Memorandum of Understanding (“Revised MoU”) in a move that reaffirms their strengthening relationship.
What changes has the Revised MoU brought?
Broadly, not much has changed from the First MoU that was signed in September 2014. For example, the ICO and FCA will continue to cooperate with each other by exchanging information, working together on policy and determining which regulator is best placed to lead investigations of “mutual interest” (e.g. personal data breaches suffered by FCA-regulated entities).
There are, however, signs that the two regulators have strengthened their ties and are looking to work together in new ways, as set out below:
- Calls for evidence: The Revised MoU provides for greater consultation and coordination in reviews and calls for evidence (including sharing relevant information gathered). So, for example, if the FCA sees poor data protection practices in the course of a market study, it may notify the ICO so that the ICO has the opportunity to formally request disclosure of any relevant information.
- Innovation initiatives: It also specifically calls out policies relating to “innovation initiatives” for the first time, reflecting existing collaboration between the two regulators in this area (as mentioned above, with the ICO’s Regulatory Sandbox and the FCA’s Innovation Hub).
- Incident protocol: Further, in the event of a major incident of mutual interest at an FCA-regulated organisation, the ICO and FCA agree to work together in line with an agreed incident protocol to ensure that the incident is dealt with in a coordinated and efficient manner.
Importance of personal data revealing financial information
The Revised MoU is particularly timely in the context of the ICO’s Draft Regulatory Action Policy, which was put before the House of Lords' Secondary Legislation Scrutiny Committee in September 20182. The first item on the ICO’s list of regulatory priorities for 2018-19 is “large scale data and cyber security breaches involving financial or sensitive information”.
The fact that ‘financial’ information has been singled out can be looked at in two ways. Firstly, financial information is not classified as sensitive personal data under the GDPR (i.e. it is not listed as part of the ‘special categories’ of personal data under Article 9 GDPR which includes personal data revealing information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, to name a few). It is therefore only natural that the ICO has not bundled it together under the umbrella of ‘sensitive information’.
Looking at it from another angle, it also shows that the ICO places just as much importance on the handling of personal data revealing financial information as it does on the special categories of personal data as defined under the GDPR. This is not surprising given that Recital 85 GDPR highlights that data breaches which are not addressed in an appropriate and timely manner may, amongst other things, result in “financial loss”, which is most likely to occur in circumstances where personal data revealing financial information is compromised.
Although individuals do not need to demonstrate financial loss to claim compensation for breaches of data protection law3, it is still the clearest indication of potential damage or distress suffered by data subjects, particularly from an evidential perspective. The handling of personal data revealing financial information, and its interplay with data protection compliance more generally, is therefore high on the list of priorities for both the ICO and the FCA.
So, what do we expect next? 2019 is likely to see more coordinated investigations into poor financial information handling practices and an increase in policy-making and guidance from both regulators. In particular, the European Data Protection Board’s planned guidelines on the Second Payment Services Directive (PSD2) are eagerly anticipated and are expected to provide financial services organisations with the clarity they require on how PSD2 operates alongside the GDPR.
1 Regulation (EU) 2016/679
2 40th Report of Session 2017-19 - published 13 September 2018 - HL Paper 185
3 Article 82 GDPR