MiFID II – The new era has started
After a year of clarification and research to decode and understand the complex new Directive, the revamped version of Europe’s Markets in Financial Instruments Directive (MiFID II) finally launched on 3 January 2018. MiFID II aims to strengthen protection for investors, prevent market abuse and conflicts of interest, increase transparency and re-establish consumer trust. The new rules require firms in the financial services system to introduce a new, expanded set of reports and controls. These reports mainly focus on:
Who will be impacted?
Under the final MiFID II rules, both banks and asset managers have new responsibilities and deliverables to ensure compliance with the enhanced requirements.
For Portfolio Management, MiFID II covers Asset Managers and Broker/Banks.
Asset managers need to focus on inducements and research, execution and transaction reporting to be compliant, whilst for brokers and banks the obligation is limited to execution and reporting.
Fund service providers, such as Apex, that deliver fund administration (FA) services are out of scope unless they are required to provide services to asset managers that fall outside the regular FA service range.
MiFID II impact assessment – key changes
Ireland | DPC releases GDPR readiness template
The Data Protection Commissioner (‘DPC’) released, on 22 December 2017, a template to assist organisations in complying with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). In particular, the template aims to assist organisations in mapping the personal data held and processed, the lawful basis on which the data was collected, and the retention periods for each category of data. In addition, the template provides further detailed questions regarding data subject rights, accuracy, transparency requirements, data security, data breaches and international data transfers.
Luxembourg: CNPD launches GDPR compliance tool
21st December 2017: The National Commission for Data Protection (‘CNPD’) launched the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) Compliance Support Tool (‘the Tool’). The purpose of the GDPR Compliance Support Tool is to provide an innovative and intuitive assistance to organisations enabling them to adequately evaluate their data protection compliance level. The tool will enable organisations not only to manage a processing register and all the other documents required to demonstrate their responsibility, but also to monitor the evolution of the maturity levels at their organization.
Mauritius | Data Protection Act published in Government Gazette
23 December 2017: The Data Protection Act 2017 (‘the Act’) was published in the Mauritius Government Gazette following the passing of the Act by the Mauritian Assembly and the assent of the President. The Act will repeal the Data Protection Act 2004 and seeks to align Mauritius’ data protection framework with international standards (GDPR), to strengthen the control and individual autonomy of data subjects over their personal data. The Act will come into operation as soon as a date is fixed by proclamation.
UK | ICO issues advice for organizations on Meltdown and Spectre
5 January 2018: The ICO issued an official blog post providing information on how organisations should respond to the security flaws known as ‘Meltdown’ and ‘Spectre’ found in processors designed by Intel Corporation, Advanced Micro Devices, Inc. and Arm Holdings. The flaws allow code running on an affected processor to read memory it is not authorised to access, so personal data held in memory by other processes on the same machine could be exposed. Alternatively, an attacker could steal credentials or encryption keys that would allow them to access personal data stored elsewhere. Considering that GDPR will come into effect on 25 May this year, there may be circumstances in which organisations could be held liable for a breach of security relating to measures, such as patches, that should have been undertaken proactively (privacy by design).
The ICO’s intention is to help organisations understand that taking care of the basics will ultimately protect them from potential attacks, and therefore from potential loss of data. Following the disclosure, the ICO also recommended that organisations determine which of their systems are vulnerable and test and apply patches as a matter of urgency. Failure to patch known vulnerabilities is a factor the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act 1998 (appropriate technical and organisational measures against unauthorised or unlawful processing) is serious enough to warrant a civil monetary penalty. The blog post focuses on the role of the ‘data controller’, reiterating that if such vulnerabilities are exploited on a system processing personal data, that data could be compromised and the organisation would be in breach of the regulation.
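The ICO’s first step, determining which systems are still vulnerable, can be checked on Linux hosts from the kernel’s own mitigation report. The script below is an added example, not part of the ICO post or of DataGuidance’s text: it reads the sysfs files under /sys/devices/system/cpu/vulnerabilities/ (present in kernels 4.15 and later; each file holds “Not affected”, “Vulnerable[: detail]” or “Mitigation: detail”) and returns a non-zero exit status if any entry is still vulnerable. The directory argument, the function names and the sample directory it builds are assumptions made for the example so it can run offline; on a real host call the function with no argument.

```shell
#!/bin/sh
# Added example, not part of the ICO post: read the Linux kernel's own
# report of Meltdown/Spectre mitigation state from
# /sys/devices/system/cpu/vulnerabilities/ (kernels 4.15 and later).
# Each file there holds "Not affected", "Vulnerable[: detail]" or
# "Mitigation: <detail>". Assumption: the directory is passed as $1 so the
# same function can be run against a constructed sample directory.

# Prints NAME<TAB>STATE<TAB>RAW for every file in the directory.
# Exit status: 0 = nothing vulnerable, 1 = at least one entry still
# "Vulnerable", 2 = the sysfs interface is absent (old kernel or not Linux).
spectre_meltdown_status() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no vulnerability interface at $dir" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        raw=$(cat "$f")
        case "$raw" in
            "Not affected"*) state=not_affected ;;
            Mitigation:*)    state=mitigated ;;
            Vulnerable*)     state=VULNERABLE; rc=1 ;;
            *)               state=unknown ;;
        esac
        printf '%s\t%s\t%s\n' "$name" "$state" "$raw"
    done
    return "$rc"
}

# Constructed sample (not a real host): a machine that already has the
# Spectre v1 and v2 mitigations but no page-table isolation yet, so the
# Meltdown entry is still reported as vulnerable.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Vulnerable\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

# Stand-alone run against the constructed sample; on a real host call
# spectre_meltdown_status with no argument instead.
sample=$(make_sample_dir)
spectre_meltdown_status "$sample" || echo "exit status $?: patching still required"
rm -rf "$sample"
```

Running the function across a fleet (for example via SSH from an inventory) gives the list of hosts the ICO expects an organisation to be able to produce; the exit status makes it usable directly in a patch-compliance job, and the raw text column records which specific mitigation the kernel reports, which is worth keeping as evidence.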
USA | The US joins the APEC Privacy Recognition for Processors System
29 December 2017: The International Trade Administration announced that the United States (‘US’) had joined the Asia-Pacific Economic Cooperation (‘APEC’) Privacy Recognition for Processors System (‘the PRP System’), becoming the first economy to offer the APEC Privacy Trustmark to data processors.
Under the PRP System, data processors can obtain a certification to show their commitment to consumer privacy protection in order to enhance transparency and trust, “facilitating partnerships with multinational economies in the digital ecosystem.” Certification can be obtained following a review of a business’ data privacy policies and practices to verify compliance with the PRP System’s baseline security and accountability standards for data protection.
Expanded implementation of the PRP System across the APEC region, with the participation of extra countries in the project, will assist US companies in evaluating whether prospective international business partners are committed to effective consumer privacy protections.
Together with the APEC Cross-Border Privacy Rules (CBPR) system for data controllers, PRP will strengthen consumer privacy protection and trust across the Asia Pacific region, while also facilitating trade by minimising barriers to the cross-border flow of information.
The term “third country” refers to jurisdictions outside the EU, and “third country firms” refers to entities incorporated outside the EU, whether they do, or seek to do, business by way of a branch established in the EU or on a cross-border basis, i.e. providing services to persons in one jurisdiction from a place of business in another jurisdiction without any establishment in the client’s jurisdiction.
 Source: DataGuidance 2018