How Secure is Your Data? A New Way of Looking at Data Privacy Compliance

Author: Premkumar Subramanian, CISA, CDPSE, CCSK, CFE, CMA and Chartered Banker, and Subha Das, CMA, CISA, CCSK, PMP
Date Published: 12 September 2022

Banks and financial institutions (FIs) play a critical role as intermediaries in the financial world, operating across multiple regions and jurisdictions, which requires them to source, generate, manage and disburse data to meet their various obligations to customers, regulators, statutory and internal stakeholders. A significant portion of these data are customer-specific, hence their concern for such data’s safety, security and privacy.

Companies suffer financial penalties for data breaches. Recent laws that have been put in place, such as the General Data Protection Regulation (GDPR), have resulted in large fines against various leading FIs. Similarly, the recently implemented 2020 law in California, the California Consumer Privacy Act, will enforce similarly strict fines and consequences. Later in this blog post, we will look at some egregious examples of large fines issued to FIs and non-FIs on account of data breaches and non-adherence with privacy regulations.

Create: Creation is the generation of new digital content, or the altering, updating or modifying of existing content.

Store: Storing is the act of committing digital data to some sort of storage repository; it typically occurs nearly simultaneously with creation.

Use: Data is viewed, processed or otherwise used in some sort of activity, not including modification.

Share: Information is made accessible to others, such as between users, to customers and to partners.

Archive: Data leaves active use and enters long-term storage.

Destroy: Data is permanently destroyed using physical or digital means (e.g., crypto shredding).
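Crypto shredding, the Destroy example named above, as an added Go example that is not part of the original post: each customer's records are sealed under that customer's own data-encryption key, so destroying the key makes every copy of the ciphertext unrecoverable, including copies sitting in backups and archives. The in-memory KeyVault and the customer ids are assumptions standing in for a real KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyVault holds one AES-256-GCM data-encryption key (DEK) per customer.
// The in-memory map is an assumption standing in for a real KMS or HSM.
type KeyVault struct{ keys map[string]cipher.AEAD }

func NewKeyVault() *KeyVault { return &KeyVault{keys: map[string]cipher.AEAD{}} }

// Seal encrypts one record under the customer's DEK, issuing the DEK on first use.
// The customer id is bound as associated data, so a blob cannot be opened under another customer's key.
func (v *KeyVault) Seal(customer string, record []byte) ([]byte, error) {
	g, ok := v.keys[customer]
	if !ok { // first record for this customer: issue a fresh 256-bit DEK
		dek := make([]byte, 32)
		if _, err := rand.Read(dek); err != nil {
			return nil, err
		}
		block, _ := aes.NewCipher(dek) // cannot fail for a 32-byte key
		g, _ = cipher.NewGCM(block)    // cannot fail for an AES block
		v.keys[customer] = g
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, record, []byte(customer)), nil // stored blob = nonce || ciphertext || tag
}

// Open decrypts a blob produced by Seal; it fails once the customer's DEK is gone.
func (v *KeyVault) Open(customer string, blob []byte) ([]byte, error) {
	g, ok := v.keys[customer]
	if !ok {
		return nil, errors.New("no DEK for " + customer + ": shredded or never issued")
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(customer))
}

// Shred is the Destroy step: without the DEK, every record sealed under it is unrecoverable, even copies in backups or archives.
func (v *KeyVault) Shred(customer string) { delete(v.keys, customer) }
```

The ciphertext itself is never touched by Shred; the control that matters for the Destroy phase is that the key deletion is logged and enforced in the key store, not in the data store.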



What Are Data Privacy and the Organisation for Economic Co-operation and Development (OECD) Principles Involving Data Privacy?
Privacy is the right of an individual to control the use of their personal information. Individuals expect their privacy to be respected and their personal information to be protected by the organizations with which they do business. They expect that organizations will inform them what information they collect, why they collect it, and how they update, manage, export (sell and share) and delete their information. Data privacy controls relate to collection, usage and sharing. Data cybersecurity controls relate to protection mechanisms associated with confidentiality, integrity and availability (CIA).

OECD Privacy Principles

Collection limitation: Personal data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Data quality: Personal data should be relevant to the purpose for which they are collected and should be accurate, complete and kept up to date.

Purpose specification: The purposes for which personal data are collected should be specified no later than at the time of data collection.

Use limitation: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except with the consent of the data subject or by the authority of law.

Security safeguards: Personal data should be protected by reasonable security safeguards.



A Glimpse at Data Breaches and Fines Imposed on Various FIs and Non-FIs

Name of the Organization    Fine (in millions)

Amazon 877.00
Equifax 575.00
WhatsApp 255.00
Capital One 190.00
Morgan Stanley 120.00
Google Ireland 102.00
Facebook 68.00
Google LLC 68.00
Google 56.60
H&M 41.00
British Airways 26.00
Marriott 23.80
Tesco Bank 21.00
Wind 20.00
Vodafone Italia 14.50
Caixabank 7.20
BBVA bank 6.00

Source: https://www.csoonline.com/article/3410278/the-biggest-data-breach-fines-penalties-and-settlements-so-far.html,
https://www.tessian.com/blog/biggest-gdpr-fines-2020/, https://www.cnbc.com/2022/01/18/fines-for-breaches-of-eu-gdpr-privacy-law-spike-sevenfold.html.

From the above, we observe that the data breaches across FIs are beginning to rise, hence the urgency to comply with data privacy standards and processes.

The following table provides an overview of certain key data privacy compliance regulations in some key markets:


Source: https://iapp.org/resources/article/global-comprehensive-privacy-law-mapping-chart/. Please note that we have compiled only a partial list of economies and countries.

From the above, we conclude that in many countries the legislatures have spelled out guidelines on data privacy obligations that must be complied with by all organizations falling within their jurisdiction. Other countries could very soon issue their own legislation.

New roles and responsibilities are necessary to implement and comply with these data privacy regulations. Some of the new roles and responsibilities related to GDPR include:

Data controller: The data controller determines the purposes for which, and the means by which, personal data is processed.

Joint controllers: Joint controllers are organizations that jointly determine why and how personal data should be processed.

Data processor: The data processor processes personal data on behalf of the data controller.

Data Protection Officer (DPO): The DPO ensures that an organization follows privacy regulations.



Final thoughts
Data are a critical component of whatever business we do. Large volumes are churned in every aspect of business, requiring increasingly large storage space and, therefore, a move from on-premises storage to the cloud. However, data in the cloud raise a new set of security and privacy problems, since the data may be stolen or breached by competitors or miscreants. Hence, the need of the hour is protection of our data and having the necessary guardrails in place.

We saw that various countries have adopted privacy legislation and soon, these countries in turn will ask their regulatory bodies/central banks to also issue guidelines for ensuring data privacy compliance. These new compliance regulations, along with existing ones, present a whole new dimension in the world of regulatory compliance requirements for banks/financial services across the globe.

A quick jump start toward data privacy compliance is to utilize a starter kit with which the banks/financial institutions can build their data privacy compliance programs.

Authors’ note: The views and opinions mentioned in this article are solely the authors’ views and opinions and do not necessarily correlate in any way with their employers’ views/opinions. To learn more about this topic, feel free to email us.