Protecting confidential information and customer data is essential in the financial industry. In addition to clear customer expectations, companies must in particular meet the strict requirements of the General Data Protection Regulation (GDPR). Our experience and the activity reports of the data protection supervisory authorities show that this is not always easy. In this article, we provide information on the three most common data breaches in the financial industry and tips on how to avoid them:
- Incorrect dispatch of customer letters and account statements
Many people can probably attest to this error based on their own experience: A brief moment of carelessness and the e‑mail was sent to the wrong addressee. It is therefore not surprising that the incorrect sending of customer letters, and account statements, is one of the most frequent data protection breaches in the financial industry. Technical measures can provide a remedy. For example, a warning in the case of a large number of recipients, a request to verify the addressees, or a technical release requirement can be introduced to prevent the incorrect mailing.
- Unauthorized access to customer data by employees
Data protection violations also frequently result from unauthorised access to customer data by employees of a credit institution. Data protection supervisory authorities regularly report cases in which employees, whether due to a personal connection or “purely for interest”, access customer data such as account information for no business reason. In addition to organisational requirements, the introduction of an authorisation concept can be considered to prevent such violations. In such concept, access authorisations are defined on the basis of categories that are reduced to the minimum required in each case. At the same time, a traceable logging of accesses should be set up and randomly checked.
- Inadequate management of requests for information
As in all industries, the number of requests for information from customers is on the rise in the financial sector. Difficulties often arise in responding to a request in a timely and complete manner. It is not uncommon for customers to understand a request for information as a “free (second) account statement”. While the Bavarian data protection supervisory authority is of the opinion that only the information content is to be communicated, the Higher Regional Court of Munich ruled that data subjects have a right to receive the information in the form in which it is available to the data controllers. For responding to requests for information, procedures should be defined for the entire handling of the request from its receipt to its response, including internal responsibilities.
In our experience, the financial industry as a whole is already well positioned in terms of compliance with data protection requirements. As the decisions of data protection supervisory authorities and courts make clear, errors nevertheless occur time and again, which, not least because of the high expectations of customers, are usually particularly serious. It is therefore worthwhile to learn from known mistakes and to provide for appropriate measures to avoid corresponding violations.back