What can you learn from the new FCA/ICO update on GDPR?


On February 8th, the Financial Conduct Authority and Information Commissioner's Office issued an update on the EU General Data Protection Regulation (GDPR).

What does the update say?

The update clarifies some questions regulated firms have raised with the Authority. It says that:

‘Firms have asked us about their ability to comply with both the GDPR and rules made by the FCA. We believe the GDPR does not impose requirements which are incompatible with the rules in the FCA Handbook.’

This is something we covered last year in GDPR for regulated firms – what do you need to know?

There we identified some of the requirements you’ll already be meeting, which give you a head-start on compliance – and some of the new demands which you’ll need to comply with.

The plus points:

  • You already operate with some degree of rigour. Complying with FCA requirements gives you an understanding of working in a heavily-regulated environment – for example around accurate record-keeping, a big focus of the new regulation.
  • Your culture (hopefully) already supports a compliant approach. The GDPR – as the update points out – ‘is now a board level responsibility’.

Firms are more likely to be compliant with existing FCA regulation if they have a culture where good behaviours are embedded.  If you’re not sure you fall into this camp, our recent blog on How to ensure your board is prepared for GDPR has some pointers.

  • Some FCA requirements already support the principles of the new regulation. The update says that ‘there are a number of requirements that are common to the GDPR and the financial regulatory regime detailed in the Handbook’.

Requirements around suitability, producing financial promotions that are fair, clear and not misleading and desired consumer outcomes all align neatly with the GDPR’s aim of improving the customer experience.


  • The GDPR has very specific requirements of its own that aren’t covered in existing regulation. Rules on consent; on opt-in; on data breaches.

Even if you meet your regulator’s current requirements, it’s likely you’ll have to up your data game in time for 25th May.

How will the FCA and ICO work together on the new data rules?

The update says that ‘While the ICO will regulate the GDPR, complying with the GDPR requirements is also something the FCA will consider under their rules’.

The financial regulator and the ICO say they will continue to collaborate in the coming months to address concerns raised by firms. They will revisit their existing Memorandum of Understanding to make sure it’s still fit for purpose in the new world.

What should firms be doing now?

One of the initial challenges with the GDPR was the lack of clarity around exactly what firms needed to do.

Last summer, the Information Commissioner’s Office published a series of blogs designed to increase this clarity and put a stop to some of the regulation’s ‘myths’.

You can read a summary of the ICO’s myth-busting blogs in GDPR – sorting the myths from the reality and How to separate GDPR compliance myths from reality.

If you want more detail on the new requirements, you can check you’re up to speed by reading GDPR compliance – do you know everything you need to? and find out how to avoid potential GDPR pitfalls in your marketing.

The ICO’s microsite is another good source of information. It’s where any new updates are posted, and has useful downloadable tools. The What’s new page is a particularly useful summary of developments by date.

Whether you’re tackling the GDPR or making sure you’re up to speed with other compliance rules, you’ll find our Compliance Guide to Financial Promotions useful.

It looks at the regulations governing your promotions and what you have to do to comply. You can get your free copy of the Guide here.

Nothing in this document should be treated as an authoritative statement of the law. Action should not be taken as a result of this document alone. We make no warranty and accept no responsibility for consequences arising from relying on this document.

New Call-to-action