Learning from mistakes: 3 tips on data protection in the financial sector

Protecting confidential information and customer data is essential in the financial industry. In addition to clear customer expectations, companies must in particular meet the strict requirements of the General Data Protection Regulation (GDPR). Our experience and the activity reports of the data protection supervisory authorities show that this is not always easy. In this article, we provide information on the three most common data breaches in the financial industry and tips on how to avoid them:

  1. Incorrect dispatch of customer letters and account statements
    Many people can probably attest to this error from their own experience: a brief moment of carelessness and the e-mail was sent to the wrong addressee. It is therefore not surprising that the incorrect sending of customer letters and account statements is one of the most frequent data protection breaches in the financial industry. Technical measures can provide a remedy. For example, a warning in the case of a large number of recipients, a request to verify the addressees, or a technical release requirement can be introduced to prevent incorrect mailing.
  2. Unauthorised access to customer data by employees
    Data protection violations also frequently result from unauthorised access to customer data by employees of a credit institution. Data protection supervisory authorities regularly report cases in which employees, whether due to a personal connection or "purely out of interest", access customer data such as account information for no business reason. In addition to organisational requirements, the introduction of an authorisation concept can be considered to prevent such violations. In such a concept, access authorisations are defined on the basis of categories that are reduced to the minimum required in each case. At the same time, traceable logging of accesses should be set up and randomly checked.
  3. Inadequate management of requests for information
    As in all industries, the number of requests for information from customers is on the rise in the financial sector. Difficulties often arise in responding to a request in a timely and complete manner. It is not uncommon for customers to understand a request for information as a "free (second) account statement". While the Bavarian data protection supervisory authority is of the opinion that only the information content needs to be communicated, the Higher Regional Court of Munich ruled that data subjects have a right to receive the information in the form in which it is available to the data controllers. For responding to requests for information, procedures should be defined for the entire handling of the request from its receipt to its response, including internal responsibilities.
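The technical measures named under tip 1 (verifying the addressee, warning on a large recipient list, requiring a release by a second person) can be enforced in the dispatch system before anything leaves the house. The following is an added illustration written for this article, not code from the original; the CRM extract, the `Dispatch` record, the `MAX_RECIPIENTS` threshold and the two dispatch kinds are constructed assumptions:

```python
"""Outbound-dispatch guard illustrating the technical measures named in tip 1:
verify the addressee against the address on file, and require a release by a
second person for large recipient lists. Illustrative code; all data constructed."""
from __future__ import annotations
from dataclasses import dataclass

MAX_RECIPIENTS = 3  # constructed threshold above which a second person must release

# Constructed sample CRM extract: customer id -> e-mail address on file
ADDRESS_ON_FILE = {
    "C-1001": "anna.example@example.org",
    "C-1002": "bo.example@example.net",
}


@dataclass
class Dispatch:
    kind: str                        # "statement" (one customer's data) or "circular"
    recipients: list[str]
    customer_id: str | None = None   # whose data a statement contains
    released_by: str | None = None   # second person who approved a mass mailing


def check_dispatch(d: Dispatch) -> list[str]:
    """Return findings that block sending; an empty list means the mail may go out."""
    findings: list[str] = []
    if d.kind == "statement":
        # A statement carries one customer's data, so it may go to exactly one
        # address, and only to the address this customer has on file.
        expected = ADDRESS_ON_FILE.get(d.customer_id or "")
        if expected is None:
            findings.append(f"no address on file for customer {d.customer_id!r}")
        if len(d.recipients) != 1:
            findings.append(
                f"a statement must have exactly one recipient, got {len(d.recipients)}"
            )
        for r in d.recipients:
            if expected is not None and r.casefold() != expected.casefold():
                findings.append(f"{r} is not the address on file for {d.customer_id}")
    elif d.kind == "circular":
        # Mass mailing: warn on a large recipient list and hold the mail until a
        # second person has released it (four-eyes principle).
        if len(d.recipients) > MAX_RECIPIENTS and not d.released_by:
            findings.append(
                f"{len(d.recipients)} recipients exceed {MAX_RECIPIENTS}: "
                "release by a second person required"
            )
    else:
        findings.append(f"unknown dispatch kind {d.kind!r}")
    return findings


if __name__ == "__main__":
    # A statement for customer C-1001 addressed to another customer's mailbox is held back.
    wrong = Dispatch("statement", ["bo.example@example.net"], customer_id="C-1001")
    for finding in check_dispatch(wrong):
        print("BLOCKED:", finding)
```

The check is deliberately a hard block rather than a pop-up the sender can click away: the statement is compared with the address the customer actually has on file, and a circular above the threshold stays queued until `released_by` is set by someone other than the sender.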
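The authorisation concept from tip 2 (access rights defined per data category and reduced to the minimum required, every access logged in a traceable way, random spot checks of the log) can be sketched in a few lines. This is an added example for this article, not code from the original; the roles, the data categories and the requirement that a business purpose such as a ticket reference be recorded with each access are constructed assumptions:

```python
"""Authorisation concept with traceable access logging and random spot checks,
illustrating tip 2. Illustrative code; roles, categories and the rule that a
business purpose must be recorded are constructed assumptions."""
from __future__ import annotations
import random
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed authorisation concept: each role sees only the data categories
# it needs for its business purpose (the minimum required in each case).
ROLE_CATEGORIES: dict[str, set[str]] = {
    "teller": {"master_data", "account_balance"},
    "loan_officer": {"master_data", "account_balance", "credit_history"},
    "marketing": {"master_data"},
}


@dataclass
class AccessLog:
    """Append-only record of every access attempt, granted or not."""
    entries: list[dict] = field(default_factory=list)

    def record(self, **entry) -> None:
        entry["at"] = datetime.now(timezone.utc).isoformat()
        self.entries.append(entry)


def access_customer_data(user: str, role: str, customer_id: str,
                         category: str, purpose: str, log: AccessLog) -> bool:
    """Grant access only if the role covers the category and a business purpose
    (e.g. a ticket reference) was stated; log the attempt either way."""
    allowed = category in ROLE_CATEGORIES.get(role, set()) and bool(purpose.strip())
    log.record(user=user, role=role, customer=customer_id, category=category,
               purpose=purpose, granted=allowed)
    return allowed


def sample_for_review(log: AccessLog, k: int, seed: int | None = None) -> list[dict]:
    """Pick k granted accesses at random for a manual check of the stated purpose."""
    granted = [e for e in log.entries if e["granted"]]
    return random.Random(seed).sample(granted, min(k, len(granted)))


if __name__ == "__main__":
    log = AccessLog()
    access_customer_data("u1", "teller", "C-1001", "credit_history", "ticket 42", log)
    access_customer_data("u2", "loan_officer", "C-1001", "credit_history", "ticket 42", log)
    for entry in sample_for_review(log, 2):
        print("spot check:", entry)
```

Denied attempts are logged as well, since a run of refusals by one user is exactly the pattern a spot check should surface; the sample is drawn from granted accesses because those are the ones whose stated purpose needs a human to confirm.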


In our experience, the financial industry as a whole is already well positioned in terms of compliance with data protection requirements. As the decisions of data protection supervisory authorities and courts make clear, errors nevertheless occur time and again, which, not least because of the high expectations of customers, are usually particularly serious. It is therefore worthwhile to learn from known mistakes and to provide for appropriate measures to avoid corresponding violations.

