With the General Data Protection Regulation fast approaching, firms should be turning their attention to the necessary updates to policies, procedures and business practices required for ongoing compliance.
This five-step framework will help guide you through the transition.
- Identify your data: It is essential firms have a clear understanding of the types of data they hold, where it is stored, who has access to it and how it is shared.
- Determine your legal basis for processing: There are six legal grounds for processing, but without a clear idea of which one is applicable to the firm’s specific processing activities, you cannot effectively audit the compliance of your current data and processes.
- Understand your data security controls: Data security is an integral part of GDPR compliance and of meeting FCA expectations, so firms need to review regularly whether their digital and physical data security is robust and fit for purpose.
- Implement the necessary changes: This stage will look different for every firm, depending on their processing activities, size and legal basis for processing, but having enough time and the right resources in place is essential to making the necessary changes in time.
- Conduct regular post-implementation reviews: The hard work does not end in May. Continual testing and monitoring are the only way to ensure ongoing compliance.
Lorraine Mouat is senior regulatory consultant at TCC