General Data Protection Regulation (GDPR)

GDPR replaces the EU Data Protection Directive (Directive 95/46/EC) and applies directly across the EU from 25th May 2018, including in the UK, notwithstanding the UK's decision to leave the EU.

GDPR applies to ‘controllers’ and ‘processors’: the controller determines how and why personal data is processed, and the processor acts on the controller’s behalf. GDPR applies to personal data, which is defined broadly and expressly includes online identifiers such as IP addresses and cookie identifiers. GDPR applies to entities established in the EU that process personal data, and also to non-EU entities that process the personal data of individuals in the EU where the processing relates to offering them goods or services or to monitoring their behaviour. Given the broad reach of GDPR, the financial industry, along with many others, is firmly in scope. GDPR also interacts with MiFID II, since the regulator requires personal data (for example the identifiers of the individuals behind a transaction) to be provided to trading venues and competent authorities in transaction reports.

Organisations are required to demonstrate how they comply with the data protection principles set out in GDPR and how they protect individual rights (the ‘accountability’ principle). The protection principles cover fairness, lawfulness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and security, integrity and confidentiality. The rights of individuals (‘data subjects’) cover areas such as information notices, access, rectification, portability, objection, erasure, and protection against profiling and solely automated decision-making.

Transfers of personal data to recipients outside the European Economic Area are regulated and restricted in certain circumstances, so that the level of protection afforded to individuals by GDPR is not undermined. Such transfers must rely on a recognised mechanism, for example an adequacy decision, standard contractual clauses or binding corporate rules.

GDPR introduces a duty on all organisations to report certain types of personal data breach. A controller must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; where the breach is likely to result in a high risk to individuals, the controller must also inform the individuals affected without undue delay. Processors must notify their controller of any breach without undue delay. The regulation sets out the information each notification must contain, and controllers must document all breaches, including those not reported, so that the supervisory authority can verify compliance.

GDPR imposes sanctions for non-compliance that could, in a worst case scenario, result in an administrative fine of up to €20 million or 4% of a firm’s total annual worldwide turnover for the preceding financial year, whichever is greater.

The Article 29 Working Party has provided further guidance to support implementation:

Guidance on Data Protection Officer provisions of the GDPR
Guidance on identifying a controller or processor’s lead supervisory authority

Last updated 16th August 2017

Copyright © 2017 Fidessa group plc. All rights reserved.

The information contained within this website is provided for informational purposes only. Fidessa will use reasonable care to ensure that information is accurate at the time it is made available, and for the duration that it remains on the site. The information may be changed by Fidessa at any time without notice. We also reserve the right to close the website at any time. No representation or warranty, expressed or implied, is given on behalf of Fidessa or any of its respective directors, employees, agents, or advisers as to the accuracy or completeness of the information or opinions contained herein or its suitability for any purpose and, save in the case of fraud, all liability for direct, indirect, special, consequential or other loss or damages of whatever kind that may arise from use of the website is hereby excluded to the fullest extent permitted by law. Any decisions you make based on the information in this website are your sole responsibility and information on the website should not be relied upon in connection with any investment decision.

The copyright of this website belongs to Fidessa. All other intellectual property rights are reserved.

Reproduction or redistribution of this information is prohibited except with written permission from Fidessa.