DEREK SMITH: Take data privacy in all its forms seriously

FINANCIAL institutions are facing a growing level of scrutiny from regulators, and this looks set to continue. And, when a financial institution conducts operations in more than one jurisdiction, complying with ever-evolving data privacy regulations can be challenging.

For these multinational institutions to keep up with current privacy laws, and assure customers that their information is protected, executives must constantly monitor relevant news and events. Boutique institutions face a further problem: their limited budgets make them more susceptible to cyber security threats, because they may not have the resources or money to protect against an attack and respond to it properly. Here are some tips for staying up-to-date with data privacy and ensuring your boutique financial institution is secure.

Formalise a data privacy role

As a first step, appoint a person who is responsible for data privacy. Ensure this person stays abreast of local laws, regulations and local authorities’ publications. It is important that the selected individual works with an attorney who can offer guidance. In an ideal scenario, an attorney (either in-house counsel or retained counsel) should identify changes in the legislative environment and advise the business at a pre-determined frequency established by the financial institution’s policy. Professionals assuming the data privacy role must report to the highest level of management, and should take the most established global regulations, including the European Union’s (EU) General Data Protection Regulation (GDPR), as their reference point.

Establish a policy

Data privacy involves a set of security measures that are designed to standardise the use, monitoring and management of data. A data privacy policy primarily governs how the company consumes, manages and stores data. Although not required by law in many countries, such a policy is commonly used by companies to ensure compliance with the data protection laws and regulations they are exposed to because their customers and vendors are connected to jurisdictions that have data privacy requirements.

A company’s policy can demonstrate its commitment to ensuring consumer data is protected and confidential. As evidence of the company’s commitment to data protection principles, the policy may be submitted as evidence during compliance audits or in the event of a data breach.

At a minimum, your policy should address the scope of required data protection and the implementation of data protection techniques and policies. It must also include the involvement of relevant parties, such as individuals, departments, devices and IT environments, and any laws or compliance requirements relating to data protection. The roles and responsibilities associated with data protection, including data custodians and roles tasked with data protection, should be included.

Consider outsourcing

The data privacy role (an information security control) should not report to the head of information technology, because the two functions have fundamentally different objectives. A company’s information technology chief implements the actions that will help it to grow. In contrast, the information security function (where the data privacy role resides) is responsible for protecting your company’s confidential and sensitive information. Against this backdrop, it may be more cost efficient to outsource the data privacy role and leverage the expertise of professionals within the space without taking on human resources costs.


In short, to demonstrate their commitment to ensuring consumer data is protected and confidential, financial institutions should at a minimum formalise the data privacy role, establish a data policy, and consider outsourcing.

• NB: About Derek Smith Jr

Derek Smith Jr. has been a governance, risk and compliance professional for more than 20 years. He has held positions at a TerraLex member law firm, a Wolfsberg Group member bank and a ‘big four’ accounting firm. Mr Smith is a certified anti-money laundering specialist (CAMS), and the compliance officer and money laundering reporting officer (MLRO) for CG Atlantic’s family of companies (member of Coralisle Group) for The Bahamas and Turks & Caicos.


ThisIsOurs 1 year, 10 months ago

Dear Mr Smith, when I can go to a bank or place of business and not have to shout my name, address, phone number, account number and transaction details across a counter... only then will I believe anybody in any bank knows what data privacy means and understands the implications of data leaks.

nighthawk 1 year, 10 months ago

There is no such thing as data privacy in this country. You can have all the policy you want. Too bad the Punch is gone tho.
