On 8 February 2018, the Information Commissioner’s Office (“ICO”) and the Financial Conduct Authority (“FCA”) issued a joint statement on the General Data Protection Regulation (“GDPR”), which will come into force on 25 May 2018 (the “Relevant Date”). The statement follows concerns raised by firms with both the ICO and the FCA about their ability to comply with the GDPR and with FCA requirements on data protection at the same time.

The statement sets out the following:

  • financial services firms need to consider the GDPR obligations affecting their businesses and ensure that they are ready to comply from the Relevant Date;
  • there are a number of common requirements in the GDPR and the FCA Handbook, but nothing in the GDPR is incompatible with the FCA Handbook;
  • compliance with the GDPR is the responsibility of each firm’s board;
  • financial services firms must be able to produce evidence to demonstrate the steps that they have taken to comply; and
  • the FCA and the ICO will continue to work together in preparation for the Relevant Date, in observance of the memorandum of understanding in place between both entities, which lays out their formal relationship and demonstrates their commitment to co-operation and co-ordination. In this respect, the ICO will be responsible for regulating the GDPR, and the FCA will consider firms’ compliance with the GDPR under its rules.


Firms need to continue to get all documentation, policies and procedures ready for GDPR.

For more information, and any guidance or help with implementing GDPR for your firm, Cleveland & Co External in-house counsel, your specialist outsourced legal team, are here to help.