Develop, implement, and maintain policies and procedures to protect personal data and establish appropriate data protection practices when collecting, processing, storing, disclosing, and destroying personal data.
Collection of data:
When collecting data, clearly inform the individuals of the purpose for which it will be collected, used or disclosed, and obtain their consent in writing. If you collect personal data from third parties, ensure the third party has obtained consent from the individuals to disclose it for your intended purpose. Be able to show that the client understands the process for withdrawing consent for this use or disclosure of their data. Provide regular training to all employees, and to any third-party employees who will have contact with or responsibility for personal data, on how to safely collect, use, store, alter and remove it.
Use of the data:
The purposes for which you obtained consent to collect personal data must be the only ones for which the firm and its vendors use it. Any change in the disclosure or use of the personal data collected should receive a new and separate consent in writing.
Access to the data:
There must be a formal procedure in place to handle requests for access to personal data, covering the purpose of each request, an evaluation of the requester's data security measures, storage locations, access rights (for individuals and other companies) and disposal mechanisms. Clients should be informed that another party has requested access to their details and for what purpose – and again, consent should be obtained in writing.
Audits and remediation:
Your firm must have a schedule of regular audits of the protection applied to the personal data it holds – covering all of the considerations listed above, among others. Outside experts can help with this task, but an in-house audit should also be done to show regulators that the organization as a whole understands the processes being used and has a means to test them itself.
Although regulators do not expect compliance and risk professionals to be experts in the area of data protection and information security in general, there is a certain level of understanding that must remain in-house.
That is, firms must maintain sufficient internal understanding of the best practices enumerated above, and of data protection in general, to be able to ask the right questions and the right follow-up questions when hiring business partners to help manage this data. There needs to be enough firm-based know-how to oversee this work with the skepticism and high standards required in this risk area.