Financial institutions are in a unique spot when it comes to consumer privacy rights. Because the US currently relies on multiple laws governing data privacy across industries (as opposed to one federally maintained one), financial services companies must consider overlapping mandates that affect how they can store, use, and transmit data. The largest commercial banks are in every state, meaning that these institutions not only have to adhere to industry mandates, but also newer state-level mandates. There are currently three statewide consumer privacy laws that companies need to comply with in California, Colorado, and Virginia.
A recent study from Accenture found that one third of financial services firms don’t have clear plans to address privacy risks. And, given the recent push to create consumer-centric services in all parts of business, it’s essential that banks and other financial institutions stay on top of ever-changing data privacy regulations to avoid costly lawsuits and potential data breaches. Some of these requirements include giving consumers full insight into how their data is being used, only holding onto data that is actively serving a purpose, and controlling who can see what data in the organization.
So, how can financial institutions ensure they are complying with all the relevant regulations for their business? Our ebook, Balancing Consumer Privacy Rights with Data Communication Needs: Five Factors to Consider in Commercial Banking, discusses which specific regulations banks need to comply with, along with the key things to consider when building out a consumer data protection strategy—from knowing where your data is located to being ready to respond to consumer requests to hand over or delete data.
Five Tips for Protecting Consumer Data
Here’s a sneak peek at the five tips financial institutions need to consider to keep consumer data safe:
- Evaluate what data you need to keep: One of the reasons banks are at high risk of a data breach is that they hold some of the most sensitive personal information: financial records like bank account numbers and statements, personally identifiable information (PII) like Social Security numbers, and much more. Financial organizations should only collect consumer data they have a specific use for, and once the data is no longer needed, it should be securely retained for the required retention period and then properly destroyed.
- Locate where data is being stored: While many financial organizations store data in the cloud, they may also have data stored in other places like databases, data repositories, data lakes, and endpoints. Therefore, it’s important to always know where all your data is, so you can apply the appropriate means of protection such as encryption or masking. After all, it’s hard to protect what you don’t know you have.
- Determine how you can interact with data: Sometimes the type of protection data needs depends on who is accessing it. A masking solution allows an organization to protect personally identifiable information (PII) while leaving its usability intact, which many business processes still require. For example, bank account numbers are typically masked to protect the consumer, but preventing anyone from working with them at all would be counterproductive to the business.
- Keep track of multiple mandates: Satisfying data privacy regulations isn’t a one-size-fits-all exercise. With companies now having to comply with different state regulations, along with the European Union’s General Data Protection Regulation (GDPR) for any business done in Europe, it’s important to have a compliance strategy that covers all applicable mandates. Automating this process can provide ongoing discovery, protection, and reporting, and meet the requirements of all regulations—no matter where your company is located or does business.
- Make sure consumers are aware of their rights and respond appropriately: Consumers are becoming more aware of their data rights as new laws are passed. Giving them complete visibility into how they can contact you to see where their data is stored and how it’s used creates both transparency and trust. It also makes it easier to respond to a data subject access request (DSAR), through which consumers can revoke your right to access, use, or store their data. This is mandatory under some laws, such as the California Consumer Privacy Act (CCPA).
Read our full ebook to learn more about these tips and how commercial banks can go about being fully compliant with the ever-changing privacy landscape. We also break down which relevant regulations banks should take into account and how an end-to-end compliance strategy is necessary for all areas of the business.
PKWARE provides all the automated data security tools needed for compliance and complete data protection such as encryption, masking, discovery, classification and more. Seven out of the 10 leading financial services organizations in the world trust PKWARE to secure their data and comply with all industry standards. See how we can assist with your compliance strategy by requesting a free personalized demo.