GDPR is Live – How to Ensure Ongoing Compliance

The European Union’s General Data Protection Regulation (GDPR) entered into force on 25 May 2018 after a last-minute scramble by organisations across the globe to establish their privacy programs and update privacy notices. Now that your firm has (hopefully) built its GDPR compliance program, what should you be doing to ensure ongoing compliance with the regulation?

To ensure ongoing compliance, here are 7 action items to consider:

1. Train staff regularly – Training is key to ensuring that your firm’s staff understand the new regulations and their responsibilities in ensuring that your firm remains compliant with GDPR. One of the most likely forms of personal data breach is a member of your staff inadvertently emailing data to the wrong recipient. This may sound benign, but your firm may need to notify the supervisory authority in this instance and could face substantial fines if you don’t. It is imperative that your staff understand how data processing could constitute risk to an individual. Staff must be equipped with the tools and knowledge to minimise the chances of a breach, and to respond to a breach if it occurs.
    
2. Keep documentation updated – Ensure that documentation is updated to reflect changes to data processing activities. For example, changes to payroll workflows or investor onboarding procedures should be updated within your firm’s records of processing activities, as should any required changes to privacy notices and policies. Review and update documentation regularly.
    
3. Manage risk actively – Actively manage risk registers with regular risk assessments. Review workflows, systems, and vendor relationships to identify risks in processing activities and to document mitigations/remediations. Perform data protection impact assessments for changes that could represent a high risk to individuals, for example, changes to your anti-money laundering/know your customer process, or even major changes to health benefits.
    
4. Manage vendors – Perform due diligence on data processors during the selection process and on an ongoing basis. Ensure that your vendor implements appropriate technical and organisational safeguards around data processing activities.
    
5. Operationalise your GDPR program – Test the effectiveness of your firm’s processes, controls, and tools (i.e., their implementation program). Most firms that have taken steps toward compliance are still working on implementation or have recently completed implementation of their roadmap. Implementation is important, but the processes, controls, and tools still need to be operationalised.
    
6. Monitor and maintain your GDPR program – Work with your firm’s compliance department or an external service provider to implement a compliance monitoring program. Use key performance indicators (KPIs) to periodically assess your compliance with GDPR requirements. Define a process to address identified compliance gaps, including any required program updates that result from changes to existing data protection regulations or new guidance published by the Defense Priorities and Allocations System or the European Data Protection Board.


7. Report to senior management – Regularly report on the status of compliance monitoring and any associated findings to senior management.

GDPR Resources

The following ACA resources are available to help your firm navigate the complexities of GDPR:

• GDPR for Investment Managers FAQs - Includes GDPR requirements and steps you should take to ensure your firm is compliant
• GDPR Compliance: An 8-Step Game Plan - Blog post

How ACA Aponix Can Help

ACA Aponix can help your firm comply with GDPR requirements. Our services include:

• GDPR Gap Analysis - We can help your firm identify gaps relative to the requirements of GDPR and assist with building a practical action plan to address deficiencies.
• GDPR Awareness Training - As part of the requirements for GDPR, organisations that collect the personal data of EU residents must provide employees with GDPR privacy awareness training. We offer two types of online GDPR awareness training that are designed to help your staff gain an understanding of their role in meeting GDPR requirements.
• GDPR Vendor Diligence - We can help your firm determine if your vendors are compliant with GDPR requirements, working towards compliance, or have not considered the implications of GDPR.

About the Author

James Tedman is a Managing Director at ACA Aponix (Europe), the cybersecurity and IT risk division of ACA Compliance Group. Prior to ACA Aponix, James served as Chief Technology Officer at Sloane Robinson, a large European hedge fund, where he oversaw the firm's technology environment. Before Sloane Robinson, he built a successful consulting practice working with high-profile asset managers to review and define their IT strategies and assist them with managing key projects, staff, and vendors.

James also worked as a member of Morgan Stanley’s Prime Brokerage consulting team for over four years, advising clients on all aspects of technology, managing complex implementations, and assisting with approximately 100 hedge fund startups. Prior to this, he managed Morgan Stanley’s electronic trading platform support after completing the firm’s graduate training scheme. James earned his Bachelor of Engineering and Bachelor of Commerce degrees from the University of Birmingham (UK).