Is your GDPR policy in ‘cheque’?

Any company that handles personal data has found the GDPR challenging since the 25th May deadline came and went, and there is no doubt that the banking and financial industry has found this change the hardest.

Banks have admitted they are struggling to find the right people to fill the newly required role of data protection officer. With the large amount of sensitive data passing through their systems, complying with the GDPR and avoiding its hefty fines is more important now than ever. Some favour IT expertise over a risk-based background, and many are assigning the role to existing banking and financial employees, so ensuring total compliance across the board and protecting the potential value of this data is becoming an ever more pressing concern in this industry.

What to include in a privacy policy for companies in the financial industry

With a vast range of enhanced rules for those in this industry, some triggered by the financial crisis and others based on newer challenges such as cyber threats and Brexit, companies dealing with this high level of data need to make certain adjustments to a standard privacy policy.

The Payment Services Directive (PSD2), also known as the “Open Banking” regulation, requires banks to allow other organisations to access customers’ data through a set of APIs. This is pushing banks and financial companies to build secure, encrypted APIs in order to reduce the chance of these portals becoming accessible to those who would misuse the data for their own ill-gotten gains.

With banking providing many services which were unheard of a few years ago, such as mobile and online banking, SMS updates and even the ability to pay with the simple touch of a card, the data which could be available is now easier to obtain and therefore harder to protect. As long as data exists within an organisation, it is vulnerable to attack and subject to many regulatory processes.

Privacy policies need to include information about the law that requires customer calls relating to financial products to be recorded in full, and that allows the complete recording to be used in court as evidence in the event of a dispute. By definition, a privacy policy ‘discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data’. Because those in the financial sector are subject to so many more regulations, they need to ensure they include clauses outlining:

  • Client Consent
  • Right to data erasure and right to be forgotten
  • Consequences of a breach
  • Vendor management
  • Pseudonymisation

Companies in this area should not be overly concerned, as they, more than most industries, are already well positioned to stay in line with the GDPR. Privacy policies have been embedded in banks’ systems for many years, and with some small adjustments they should not find it problematic to stay within the GDPR guidelines. If you need help improving your consent management processes and GDPR policy, do not hesitate to get in contact with us today.