What Financial Institutions Need to Know About Processing Private Data

By on

Click to learn more about author Tejasvi Addagada.

A financial institution that is governed by a customer data protection regulation like GDPR in the European Union, CCPA in California, or the upcoming PDP in India must have a valid, lawful basis to process personal data from prospects and customers along with customer private data from aggregators or vendors.

The first action is to recognize what data processing happens within an enterprise. The second move is to further understand the purpose for which the private data is being processed, like “Opening of a Customer Account.” Mature institutions might have data processes documented in the form of data flow diagrams. But in enterprises where this knowledge is not documented, curating processing purposes can be a steppingstone to start an exercise to document data processes and the purpose for which data is processed.

Banking Industry Architecture Network (BIAN) approaches a banking landscape by functionally breaking the landscape into a collection of non-overlapping, unique, functional building blocks. These blocks are called service domains. For instance, a financial institution can design campaigns based on prospects, leads, or customers expressing interest in a product like a mortgage. The general processing activities in marketing can include service domains like product matching, promotional events, prospect campaign management, prospect campaign design, customer campaign management, customer campaign design and prospect or customer campaign execution. These domains do not overlap with each other and have a clear functional capability along with a data processing capability and a purpose. The accountability of each service domain can also be distributed across divisions like marketing, sales and product groups.

Properly setting up the service domains, associated data processing, and purpose of data processing is thereby a lawful basis to process personal data and avoid the risk associated with recording a wrong purpose. A general guidance is to not swap to a different purpose or lawful basis for processing later. Likewise, the institution cannot usually swap from consent as a lawful basis to a different basis later. At the outset, even the privacy notice should include appropriate lawful basis for processing as well as the purposes of the processing. BIAN, a crowd-sourced standard, can be used to guide purpose identification of customer data processing in banks with more accuracy.

Leave a Reply