Financial services firms now have under a year before the General Data Protection Regulation comes into effect. The GDPR will impact the way firms gather, store and manage the personal data they hold.
With the potential for significant fines and reputational damage in cases of non-compliance, no firm can afford to ignore this significant piece of legislation. To be prepared for GDPR, consider these key areas:
Personal data: Firms need to establish what personal data they hold within their organisation and understand the life-cycle of that data, including any high-risk processing activities.
Infrastructure: It is also important to be able to evidence the legal basis for processing personal data and to ensure this does not conflict with the rights and freedoms of data subjects. Policies should be well balanced to ensure data is effectively protected, and systems and controls should be geared towards data security and protection.
Third-party processors: All firms that process personal data can be held jointly liable with the data controllers for breaches. If a business transfers data to a third party for processing, it will need to ensure its supplier contracts are reviewed and amended where necessary, so that all data-handling and processing activities are compliant with the new regulation.
Lorraine Mouat is senior regulatory consultant at TCC