Understanding data protection in financial services
In January 2023, Meta (the owner of Facebook and Instagram) was fined €390 million by the Irish privacy regulator for breaking EU data protection rules. Whilst Meta plans to appeal the fine, it is an important example of how costly and reputationally damaging data protection issues can be for organisations.
It is imperative that all employees understand the risks and comply with the law. Doing so will not only avoid fines or other regulatory penalties but also help your firm maintain the trust of its customers.
This is a focused reminder to share across your firm.
- Personal data: Personal data includes any information that relates to an identifiable individual, including their name, address, date of birth and financial details. Some personal data is considered sensitive, such as racial or ethnic origin, medical history and religious beliefs. Extra safeguards apply to this information.
A key principle of data protection is that an individual has a right to privacy, even after they share their data.
- Fair and lawful use: Your firm must have a lawful basis for collecting and using personal data (e.g. the individual’s consent). In addition, the firm must clearly disclose how it intends to use an individual's personal data (e.g. via a privacy notice or policy).
Make sure you are familiar with your firm’s policies and procedures and, if you are ever unsure about whether a particular use is permitted, escalate the issue immediately.
- Protecting data: There is a legal obligation to safeguard personal data. It must be kept secure at all times, and appropriate steps must be taken to prevent loss, unauthorised access, corruption or theft. Personal data should remain private and must be securely destroyed when no longer required.
If you suspect a data protection breach, you must report your concern immediately, in accordance with your firm’s procedures.
Speak to your manager or your Compliance team if you have any concerns in relation to data protection.