GDPR Accountability and RecordKeeping Requirements

A data controller, a data processor because of this requirement to be accountable to both the data subject and under the law, you must document all the processing activities internally. That includes the categories of the data subjects, the data recipients who's receiving the data and the data itself. What type of data? Documenting any data transfers. If you're transferring outside the EU, documenting how you're doing that, where it's going including the details of those safeguards.

If you're transferring outside to a jurisdiction that is found not to have appropriate safeguards such as Vietnam for example, why are you ... What kind of safeguards are you using when you're transferring that data to Vietnam or other areas where you're outsourcing? How long are you going to retain that data and when you're going to erase it and then just general description of security measures if possible.

A data controller must also document the purposes for the reasons they're processing and collecting the data and indirectly as a result the legal basis so as an example, if you're required to document information for anti-money laundering purposes, that would be a legal basis. You're collecting information on a company and that the legal basis for you doing that is because you must comply with anti-money laundering law.

Of course, all of this internal record-keeping obligation has to match with your external disclosures to data subjects. If you're saying you're doing it in privacy policy, if you say you're transferring data, if you say you're not transferring data outside the EU and then internally you are transferring data to Malaysia for example, that's not consistent with your privacy policy so that would not be a compliant with GDPR.

You have to ensure that the internal and external processes that you're engaging match. Finally, these lovely terms privacy by design and privacy by default, privacy by design and default requires financial services firms and fintechs to review their processing activities, ensure that data protection compliance is embedded within their services and business processes.

This means that the measures to partake and to protect data must be considered during the entire process and design of a product and service rather than as an afterthought. Basically, these concepts make data privacy a boardroom issue. All staff must be trained on data protection principles, clear policies and procedures must be implemented.

I like to think of a little light, the light switch which represents privacy. That should be turned on all the time when you're thinking, when you're operating as a company. Privacy should be turned on. It should be considered all the time for data subject. That's the objective of this accountability measure under the GDPR.

A top tip for fintechs and financial services firms. You may really already have a good foundation for this concept of accountability and then also for security as I already discussed if you are compliant with the payment card industry data security standard, PCIDSS. Those assessments that are required by the PCIDSS in terms of annual assessments audit reporting information security systems requirements really will provide you with a headstart in terms of creating a framework for compliance for privacy by define, excuse me, privacy by design and default principles.

Of course, many of you who already have in place appropriate security system such as encryption, using encryption firewalls, data segregation and security software as a financial services firm or fintech.