If your company operates under the compliance regulations of the Financial Conduct Authority (FCA), then you need to be aware of your responsibilities when it comes to storing data. Ensuring that all reasonable measures have been implemented in relation to the safety, security and integrity of data is a critical component of your corporate diligence and duty. The FCA makes this point abundantly clear on its data compliance fact sheet, available via its website. As the fact sheet points out:
Following some simple steps can help your organisation towards ensuring your data storage policies remain compliant.
Protecting your property
Safeguarding data, whether online or at a physical location, is the responsibility of the business owner. This means it is your duty to ensure that all reasonable measures have been put in place to protect against theft from your property and business premises.
- Audit potential risks at your property
- Install appropriate security measures such as CCTV systems, security guards and alarms.
- Be vigilant about visitors and those who have access to your property
- Put in place barrier protection such as codes or smartcards to control access to data storage
Create a data use ‘Code of Conduct’
To help with your compliance, having a clear policy for the use and storage of your data demonstrates that you are exercising due diligence in its protection and that, in accordance with the regulations, you have taken ownership of the responsibility.
The code will of course vary with the size and nature of the business.
You might wish to employ a person or create a team responsible for best practice in data use, overseeing compliant handling of regulated data across the company.
It’s imperative that your company operates in an environment of trust and that you have faith in your employees when it comes to handling data. While there can never be guarantees in this regard, you can put measures in place which demonstrate that you take the matter seriously.
- Criminal background checks at the application stage
- Regulate who has access to specific data
- Use other background and financial checks
Controls on how, where and by whom data is accessed should be adopted as part of your compliance.
- Control data access in line with specific job roles – don’t just have an open-access-to-all policy
- Ensure passwords and access codes are suitably complex – birthdates and pet names really are not strong enough!
- Control how data is accessed remotely. Should certain sensitive data remain within the main office system? Ensure that effective encryption is in place on mobile devices.
- Ensure backup schedules are strictly adhered to.
Using the Cloud and Third-Parties
You may use the cloud and third-party providers, something endorsed by the FCA in the compliance codes. However, responsibility for data protection remains with you. Therefore, you need to ensure that your due diligence extends to your cloud provider.
- Ensure robust security and backup processes are in place.
- Understand where and how the data is stored.
- Ensure that you have full access as needed.
- Ensure that your provider allows access to auditors and regulators.
Whether using cloud, third-party or on-premises storage, it is your responsibility to have a robust business continuity and disaster recovery plan. This might entail having effective backups in place, as well as storage across multiple locations, ensuring that data can be recovered and business can continue as quickly as possible after an unforeseen event.