UK Cyber Security Laws are Changing with GDPR and MiFID II
The cyber security industry is evolving, and new laws come into effect in early 2018, designed to protect customers and companies alike. They are names you might have heard of without being sure how they affect your business. Here is a short explanation of two of the laws:
In January 2018, MiFID II comes into effect, governing financial institutions and the way that calls are recorded and stored. Later in the year, in May 2018, the new European personal data regulation, GDPR, comes into force, and SMEs need to start preparing now.
First introduced by the EU in response to the 2008 financial crisis, MiFID is a set of sweeping reforms for the financial industry designed to prevent history from repeating itself. Replacing the original directive in January 2018, MiFID II brings changes to many areas relating to the conduct of business, including far more robust rules around the recording and storing of conversations.
What does MiFID II mean for SMEs?
Any organisation providing financial services to clients linked to ‘financial instruments’ will have to record and store all communications intended to lead to a transaction. Unlike the current FCA regulations, which apply only to those directly involved in financial trading, under MiFID II any organisation that even gives advice which may lead to a trade or investment will need to comply with this rule.
The new requirements stipulate that all conversations ‘that are intended to lead to a transaction’ must be recorded, a broadening of the previous mandate covering ‘client orders and transactions.’ MiFID II also covers other channels, such as mail, fax and email, and audio recordings of client orders placed during face-to-face meetings that are intended to result in a trade.
What does GDPR mean for SMEs?
The Data Protection Act (DPA) will be replaced by the EU’s General Data Protection Regulation (GDPR), a framework with greater scope and much tougher punishments for those who fail to comply with new rules around the storage and handling of personal data.
- Companies must keep a thorough record of how and when an individual gives consent to store and use their personal data. Consent will mean active agreement, and companies will have to show a clear audit trail of it.
- Individuals also have the right to withdraw consent at any time, easily and swiftly.
- When somebody does withdraw consent, their details must be permanently erased, not just deleted from a mailing list.
- In the event of a data breach, GDPR forces companies to inform the relevant authorities within 72 hours, giving full details of the breach and proposals for mitigating its effects.
GDPR forces SMEs to know exactly what personal data they hold and where it is located (whether on PCs, on servers, or in the cloud), and to have procedures in place to ensure its complete removal when a request to do so is made.
Monitoring must be able to recognise and act on breaches as soon as they happen, and an incident recovery plan must be in place to deal with the repercussions.
Preparing for all this will require a full information audit and, for many companies, a change in culture, which is why SMEs should start to plan and implement well in advance of the 2018 deadline.