Data Privacy is a basic human right – so how do banks protect and serve their customers?


Impact of new data privacy regulations in banking

Overview of Banking Privacy Regulations

According to a 2020 study published by KPMG, 87% of consumers say data privacy is a basic human right. Because of this, governments across the world have recently started to pass laws to strengthen data privacy and security measures. These laws control how our data is collected, how it is used, and how it is managed and protected by any third-party organisation we have entrusted to look after it.

Europe took the first big step in 2018 with the General Data Protection Regulation (GDPR). Slowly but surely a number of jurisdictions in the United States are following similar paths, with the CCPA in California in 2020 and the CDPA in Virginia, which is due to come into effect in January 2023. The rapid pace of change in the digital era creates challenges for regulators in keeping up with new technologies and practices. Europe is once again leading the charge with the proposed ePrivacy Regulation, which is currently scheduled to come into law in Europe in 2023. These new privacy laws are designed to further strengthen the protection of EU citizens’ private data and, by extension, their private lives. This wave of regulation has, of course, also changed the way in which banks store and use customer data. Regulatory frameworks are key drivers of transformation for the financial industry.

The Importance of Consent

If there is one key principle at the heart of all of the new banking regulations, it is consent. Going forward, it is imperative that financial institutions have asked each customer for their consent before sending them marketing messages or using their data in certain ways. In line with this, there are seven principles set out under the EU Data Protection Directive by which companies in the UK and Europe must abide.

When data is being collected:

  • The user must be given notice
  • They must know the purpose for which the data is collected
  • User consent is needed
  • The user must know who is using their data
  • They must have access to this data so they can change it if it’s inaccurate
  • They must be assured of their data’s security, and
  • If it is misused, there will be accountability

In Europe, financial services firms such as banks, building societies and credit unions must also follow the rules of the Privacy and Electronic Communications Regulations (PECR) if they want to send out marketing emails and SMS messages. Banking privacy laws require consent if a financial services firm is looking to SMS or email an individual customer or a sole trader. On all of these emails and SMS messages, the bank or credit union must include its own name and a way for the contact to opt out of future communications.

Data Protection & Legitimate Interest

There is also the potential to use legitimate interest as a basis for communicating with your customer. GDPR Article 6(1)(f) states that processing is lawful where “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”.

Legitimate interest is one of six lawful bases for processing data. In order to process someone’s personal data, you must have a lawful basis that follows the ‘lawfulness, fairness and transparency’ principle. This means the collection and use of data must be legal; the data must be used in ways that people would reasonably expect and not in ways that have unjustified adverse effects on them; and all of this must be done in a clear, open and honest fashion.

Examples of legitimate interest include, but are not limited to, use of client and employee data, marketing, fraud prevention, intra-group transfers and IT security. The following questions on data collection and use can help determine whether legitimate interest applies: What is the purpose of the data collection? Is the data processing necessary for the company’s primary purpose? Do the individual’s interests outweigh the legitimate interest?

No more Cookies for you!

One of the other key data privacy changes coming down the track is the significant restriction on the use of the tasty-sounding, but potentially much nastier, little marketing snack – the internet cookie. Third-party cookies are set by an ad server rather than the site being visited, and primarily record a user’s behaviour and path across the internet in order to build a user profile. They collect marketing-relevant information such as age, origin, gender and browsing behaviour, and through this collection they have been key elements of an online marketer’s toolkit, especially for personalised advertising.

Currently most people don’t recognise what data is being collected as they browse the web looking for a car loan or insurance product. Typically, providers of these financial products are able to follow up with targeted ads to encourage the customer to ‘click through’ and hopefully sign up for their product. Due to users’ growing distrust of third-party cookies and the impact of the new regulations, their use is already blocked by some providers such as Apple and will soon be blocked by most other popular browsers. The driver for this change is similar to the goal of GDPR: users are looking for greater privacy, and they want more transparency, choice and control over how their data is used.

Data Collection Alternative

So what other marketing nibbles can you offer the customer once the cookie jar has been sealed for good? With the demise of the cookie, marketers working within the financial sector are going to have to lean more heavily on their ‘first-party’ data in order to deliver relevant and targeted information to their customers and prospective customers. First-party data is essentially the data that you already hold about your customers, which can be augmented by asking them questions and collecting their preferences on your own websites and properties.

This is where banks and credit unions have a real opportunity, as they already ‘own’ a significant amount of information about their customers which, if used properly, can be used to offer the appropriate products and services.

A simple example that we have seen work well with our credit union customers is the use of different promotional messages based on four different ‘age stages’: each member is placed into a segment based on their age, which is calculated from the date-of-birth field in the core banking system. The marketing messages sent out are targeted at each ‘age stage’ with different messages, images and offers to appeal to that particular segment.

Another obvious example would be offering a car insurance product to a customer who has recently had a car loan approved. All of this can be done using the data that already exists within the core business systems of the financial provider.

Harness the Data: Data Privacy Advice from CustomerMinds

Whilst all these regulations and changes inevitably create challenges for banks and other organisations in the financial sector, the trick is to identify the opportunities within this new data privacy environment: harness the data and technology that is available, in the correct way, to engage safely and securely in a digital manner with your customers and potential future customers.

We have compiled the following key data privacy points for you to consider as you look to navigate the turbulent waters of data privacy and customer communications:

5 Key Data Privacy Points

1. Make sure that your communications platform provides a central view of your customer data

2. Check that your systems provide automated processes to handle consent collection and management including full audit capabilities for Data Subject Access Requests (DSARs)

3. Consider offering a series of digital welcome journeys to get to know your new customers from the start and to identify their needs and preferences

4. Consistently communicate leveraging your brand and ‘tone of voice’ to build a trusting relationship with your customers – and ask them what they are looking for from their bank or credit union

5. Personalise and target all of your messages based on the data (and the consent) that you have collected throughout your ‘customer’s journey’ with you as their banking provider
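The consent rules described earlier (a stored, revocable consent per channel and purpose; every marketing email or SMS carrying the sender's name and an opt-out route, as PECR requires; and a full history available for a Data Subject Access Request) can be put into practice with an append-only consent ledger that gates each send. The following is an added example written for this article, not Which50 or CustomerMinds code; the in-memory ledger, the `build_marketing_message` helper and the customer and channel names are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class ConsentRecord:
    customer_id: str
    channel: str        # "email" or "sms" (constructed channel names)
    purpose: str        # e.g. "marketing"
    granted: bool       # True = consent given, False = consent withdrawn
    recorded_at: datetime
    source: str         # where the decision was captured, e.g. "web-form", "STOP reply"

class ConsentLedger:
    """Append-only ledger: grants and withdrawals are never deleted, so a DSAR
    can show the complete history rather than only the current state."""
    def __init__(self):
        self._events = []

    def record(self, customer_id, channel, purpose, granted, source):
        rec = ConsentRecord(customer_id, channel, purpose, granted,
                            datetime.now(timezone.utc), source)
        self._events.append(rec)
        return rec

    def current(self, customer_id, channel, purpose):
        """Most recent decision wins; no record at all means no consent."""
        for rec in reversed(self._events):
            if (rec.customer_id, rec.channel, rec.purpose) == (customer_id, channel, purpose):
                return rec.granted
        return False

    def dsar_export(self, customer_id):
        """Everything held about one customer, for a subject access request."""
        return [vars(rec) for rec in self._events if rec.customer_id == customer_id]

def build_marketing_message(ledger, customer_id, channel, body, sender_name, opt_out_hint):
    """Return the message to send, or None when there is no valid consent.
    Every message that is sent carries the sender's name and an opt-out route."""
    if not ledger.current(customer_id, channel, "marketing"):
        return None
    return f"{body}\n-- {sender_name}. {opt_out_hint}"
```

Because the ledger keeps withdrawals as well as grants, a later "STOP" reply both blocks future sends and remains visible in the DSAR export.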

Which50 Platform for Data Management and GDPR

The Which50 customer communications platform has built-in features to address the ever-changing security environment for data management and technology systems. It has been designed and developed with best-practice security and data management functionality to protect our clients’ customers. In an era of GDPR compliance, FSQS and ISO 27001, this focus on data security has never been more important. If you would like to read about how the Which50 platform can be a solution to the challenges and opportunities discussed above, check out our website right here: Data Management and Security | Which50 | CustomerMinds