All businesses must ensure that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data, against accidental loss and against destruction of or damage to personal data.
Financial services in particular are expected to adhere to higher standards. They are required by their regulator to have a written and enforced policy on data security, especially where they are handling sensitive personal data.
You should undertake a risk assessment in your workplace, considering the risks of data falling into the wrong hands, and then outline the steps to be taken to minimise or prevent these risks.
Examples of steps to prevent or minimise risks include: