Lear­ning from mista­kes: 3 tips on data pro­tec­tion in the finan­cial sector

Pro­tec­ting con­fi­den­ti­al infor­ma­ti­on and cus­to­mer data is essen­ti­al in the finan­cial indus­try. In addi­ti­on to clear cus­to­mer expec­ta­ti­ons, com­pa­nies must in par­ti­cu­lar meet the strict requi­re­ments of the Gene­ral Data Pro­tec­tion Regu­la­ti­on (GDPR). Our expe­ri­ence and the acti­vi­ty reports of the data pro­tec­tion super­vi­so­ry aut­ho­ri­ties show that this is not always easy. In this artic­le, we pro­vi­de infor­ma­ti­on on the three most com­mon data brea­ches in the finan­cial indus­try and tips on how to avo­id them:

1. Incor­rect dis­patch of cus­to­mer let­ters and account state­ments
   Many peo­p­le can pro­ba­b­ly attest to this error based on their own expe­ri­ence: A brief moment of care­less­ness and the e‑mail was sent to the wrong addres­see. It is the­r­e­fo­re not sur­pri­sing that the incor­rect sen­ding of cus­to­mer let­ters, and account state­ments, is one of the most fre­quent data pro­tec­tion brea­ches in the finan­cial indus­try. Tech­ni­cal mea­su­res can pro­vi­de a reme­dy. For exam­p­le, a war­ning in the case of a lar­ge num­ber of reci­pi­ents, a request to veri­fy the addres­sees, or a tech­ni­cal release requi­re­ment can be intro­du­ced to pre­vent the incor­rect mailing.
2. Unaut­ho­ri­zed access to cus­to­mer data by employees
   Data pro­tec­tion vio­la­ti­ons also fre­quent­ly result from unaut­ho­ri­sed access to cus­to­mer data by employees of a cre­dit insti­tu­ti­on. Data pro­tec­tion super­vi­so­ry aut­ho­ri­ties regu­lar­ly report cases in which employees, whe­ther due to a per­so­nal con­nec­tion or “purely for inte­rest”, access cus­to­mer data such as account infor­ma­ti­on for no busi­ness reason. In addi­ti­on to orga­ni­sa­tio­nal requi­re­ments, the intro­duc­tion of an aut­ho­ri­sa­ti­on con­cept can be con­side­red to pre­vent such vio­la­ti­ons. In such con­cept, access aut­ho­ri­sa­ti­ons are defi­ned on the basis of cate­go­ries that are redu­ced to the mini­mum requi­red in each case. At the same time, a traceable log­ging of acces­ses should be set up and ran­dom­ly checked.
3. Ina­de­qua­te manage­ment of requests for infor­ma­ti­on
   As in all indus­tries, the num­ber of requests for infor­ma­ti­on from cus­to­mers is on the rise in the finan­cial sec­tor. Dif­fi­cul­ties often ari­se in respon­ding to a request in a time­ly and com­ple­te man­ner. It is not uncom­mon for cus­to­mers to under­stand a request for infor­ma­ti­on as a “free (second) account state­ment”. While the Bava­ri­an data pro­tec­tion super­vi­so­ry aut­ho­ri­ty is of the opi­ni­on that only the infor­ma­ti­on con­tent is to be com­mu­ni­ca­ted, the Hig­her Regio­nal Court of Munich ruled that data sub­jects have a right to recei­ve the infor­ma­ti­on in the form in which it is available to the data con­trol­lers. For respon­ding to requests for infor­ma­ti­on, pro­ce­du­res should be defi­ned for the enti­re hand­ling of the request from its receipt to its respon­se, inclu­ding inter­nal responsibilities.

Sum­ma­ry

In our expe­ri­ence, the finan­cial indus­try as a who­le is alre­a­dy well posi­tio­ned in terms of com­pli­ance with data pro­tec­tion requi­re­ments. As the decis­i­ons of data pro­tec­tion super­vi­so­ry aut­ho­ri­ties and courts make clear, errors nevert­hel­ess occur time and again, which, not least becau­se of the high expec­ta­ti­ons of cus­to­mers, are usual­ly par­ti­cu­lar­ly serious. It is the­r­e­fo­re wort­hwhile to learn from known mista­kes and to pro­vi­de for appro­pria­te mea­su­res to avo­id cor­re­spon­ding violations.