Answer ... As in the other EU member states, the GDPR applies to the processing of ‘personal data’ and builds upon Gibraltar’s Data Protection Act 2004, which was designed to implement the EU Data Protection Directive (95/46/EC). The impact is therefore comparable to that in other EU member states, in that fintech companies that process personal data falling under the scope of the GDPR will be able to process such data only insofar as the processing is done in compliance with the GDPR.

Furthermore, the Communications (Personal Data and Privacy) Regulations 2006 implement into Gibraltar law the provisions set under the EU e-Privacy Directive (2002/58/EC). The regulations:

• afford specific privacy rights in relation to electronic communications such as marketing calls, emails, texts and faxes;
• regulate the use of cookies and similar tracking technologies;
• impose obligations relating to the security of communication services (and data storage); and
• set out specific reporting obligations for security and data breaches.

Fintech businesses are at the forefront of technological development, embedding technology within their financial services offering. Therefore, electronic communications are likely to form a core part of their offering and, as such, fintech business should comply with these regulations.

Answer ... Under Principle 7 of the Distributed Ledger Technology (DLT) Regulations, a DLT provider “must ensure that all systems and security access protocols are maintained to appropriate high standards”.

Therefore, businesses that are regulated under the DLT Regulations must prove to the regulator, the FSC, that their cybersecurity systems are of a high standard before they can obtain the licence that is required to begin operating in Gibraltar. This in turn leads to a more secure fintech industry.