Inside Market Data quoted Nathaniel Lalone, Financial Services partner, on the seemingly opposed requirements of the revised Markets in Financial Instruments Directive (MiFID II) and the General Data Protection Regulation (GDPR). Nate noted the need to carefully consider the requirements of both, stating, "Investment firms have to reconcile the processing of personal data under the requirements of GDPR with what they actually need to hold and how they need to maintain and disclose information and keep records as required under MiFID II. One thing I always go back to is that within MiFID II there is language that says that the processing of personal data pursuant to the directive must be carried out in accordance with personal data protection rules in the EU—and it makes reference to the Data Protection Directive [which GDPR will replace]."
He added, "There is clearly intent for the two rule sets to be read in a way so that one is compatible with the other. The question is, how do you do that? From an investment firm's perspective, when you hold and maintain personal data, you're meant to, for example, destroy it in an unrecoverable format when it is no longer needed. If you're an investment firm the question becomes, 'When does it become no longer needed?' With MiFID II obligations, firms can say, 'For this particular type of record it's five years, or seven years, and potentially longer if there is reason to think that there might be an enforcement action.' It requires some careful thinking. It's challenging, but not impossible [to reconcile MiFID II and GDPR]. In most cases, there is a way of reading one in a way that doesn't violate the other. With careful consideration and by acting in a reasonable manner, you can get both sets of rules to work together 99 percent of the time."
Nate indicated that there are significant issues outstanding that will need resolution. He stated, "One of the aspects of GDPR we keep hearing over and over again concerns consent to the use, transmission and processing of personal data. The consent needs to be clear and specific, and one of the things that is problematic is that transaction reports that capture personal data of individuals get passed from one firm to a platform, perhaps on to an exchange, and then to a regulator. It goes through potentially lots of different steps, and it may be hard to then show that the data subject has consented to each of those steps." ("Wrestling Over Competing; MiFID II, GDPR Data Demands," March 2018)