July 20, 2017
The European Union law known as MiFID II (Markets in Financial Instruments Directive II) is coming into effect in January and the financial services industry is madly scrambling to comply.
MiFID II mandates extensive documentation and transparency for financial services transactions, such as securities trades on a stock market. According to compliance experts, that means you need to record and save all conversations, voice mails and texts related to a trade.
But it is not that simple.
In April 2018 the European Union puts into effect the General Data Protection Regulation (GDPR). The GDPR mandates that individuals have rights protecting their private communications.
There’s the rub. How can we jump through these compliance hoops, when they seem almost contradictory?
Let’s consider the case of an employee on a corporate-liable device. One could argue that a corporate-liable device should hold corporate communication only. But is reality that simple?
In a family emergency, the corporate device might be the only way to reach the employee. Even a brief call in which the caller simply relays another number for the person to call back could be a violation if that call is recorded.
On a BYOD device, something becoming more prevalent, the situation is far more complex. By its very nature the device is private, so a company must be sure that only business communication is captured. If the solution you deploy is an all-or-nothing solution for MiFID II compliance, then you cannot have a BYOD strategy. If you do, then you will break GDPR law and open yourself up to those very large fines (up to 4% of annual turnover or €20M – whichever is greater).
Where GDPR differs from previous laws is in responsibility. The law states: “It is important to note that these rules apply to both controllers and processors - meaning 'clouds' will not be exempt from GDPR enforcement.” What does this mean? Well, if you deploy a solution that captures and stores data in a cloud, public or private, and this solution records any kind of private information, then both the provider of the solution and the company the employee works for are liable to be fined.
So, before charging blindly down the MiFID II alley, give some thought to privacy and what it means to your company and your employees. If you can be sure that every one of your employees will sign away their privacy, then there is nothing to worry about. But can you ever be sure of that? Far better to consider a solution that extends your corporate environment to the mobile device and allows a distinct separation between business and personal communications, with no cross-contamination.
Oh, and if you are thinking WhatsApp is such a great business tool, maybe think again. It is this form of communication that is most likely to contain private conversations, and if you capture at source you will have no idea what is private and what is not. Best just to accept that WhatsApp is not a business tool and stick to chat mediums that are truly business ready.