Opinion

Companies face beefed-up data legislation

January 31, 2018

This year represents something of a watershed for European legislators, at least those that were tasked with the implementation of meaningful regulatory reforms in response to the rise of digitalised data channels. But these reforms, though welcomed by consumer and investor advocacy groups, present a gathering risk factor for listed stocks across a range of sectors.

From paying a gas bill, to buying shares, or even going out on a date, the personal information we hand over as private citizens is daily being collated, scored and analysed. All this data has inherent commercial value, so the potential for misuse is enormous.  

Both legislative programmes seek to bring consistency and transparency to the way in which personal/client information is processed and held digitally. Yet it’s difficult to appreciate how these programmes overlap, particularly given that the revamped Markets in Financial Instruments Directive (Mifid II) applies chiefly to the finance industry. In broad terms, you could say that provisions under Mifid II effectively increase the amount of information shared with investors. Investment managers, for instance, are now compelled to disclose additional transaction costs charged to their funds separately from the ongoing charges figure – ergo, increased transparency for punters. Conversely, the GDPR regulations highlight the desirability of holding minimal data, while protecting that which you do hold, and not doing anything with that data unless your customers are aware of it. Although the regulatory strands aren’t exactly complementary, it has been argued that compliance with the Mifid strictures will go a long way to ensuring that firms are also covered under the GDPR legislation.

GDPR doesn’t expressly prohibit the disclosure of customer data, but it does set out rules for the way in which this information is shared. The UK government has confirmed that it will implement the new GDPR legislation in May 2018 regardless of the state of the Brexit negotiations. And there are some hefty penalties in the event of non-compliance, certainly by comparison to the existing maximum fine of £500,000 that can be brought by the Information Commissioner's Office (ICO) for contraventions of the Data Protection Act 1998. Under the new regime, companies guilty of the most serious violations can be fined up to 4 per cent of annual global revenue, or €20m, whichever is greater. The biggest fine to date under current data protection rules stands at £400,000, issued to TalkTalk (TALK) for a breach of customers’ personal information in 2015. So you can certainly see how negligence on the digital data front could metastasise into a significant hit on earnings and cash flows.

If that wasn’t enough, the government’s National Cyber Security Centre has just published new guidance that places the onus of cyber security squarely on companies involved in the provision of the UK’s critical infrastructure – energy, transport, water and healthcare. The bottom line is that utilities and other companies engaged in these endeavours could be on the hook for anything up to £17m if they fail to have the most robust safeguards in place against cyber-attack.