Data protection has become a hot topic due to numerous high-profile security failures at well-established companies. There are growing concerns about how these companies use the personal data they collect and the extent to which they are able to protect the privacy of their customers. Data privacy concerns are particularly paramount for companies in the financial services sector, since banks and other financial institutions collect and manage a large volume of sensitive information about their customers during the on-boarding process. Personally identifiable information such as names, addresses, e-mail addresses, contact details, account numbers, bank statements and credit/debit card numbers is captured, and a breach of this information can have dire consequences.
Data privacy problems arise when employees, security officials and others tasked with protecting customers' sensitive information fail to observe and provide adequate security protocols. Employees may become careless, leaving customers' credentials and details at home or in public places, or disclosing them when they talk to friends and family. These lapses give opportunists, especially hackers, easy access to customers' private details, which they may misuse for their own benefit. They may leak sensitive customer details on social media or to the press, especially where the customers are high-profile individuals. In other cases, customers are blackmailed, extorted or simply have their bank and credit/debit card accounts hacked.
The EU General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a broad-based privacy regulation passed in May 2018 by the European Union (EU) with the intent of creating a consistent framework for the handling of personal information throughout the EU and of imposing obligations on organizations around the world whenever they target or collect data relating to people in the EU. The GDPR lays out the basic premise that individuals should have control over their own data, and it places new restrictions on financial institutions and other organizations seeking to store, process or transmit that data. The GDPR creates two categories of personal information that companies must protect. The first, broad category is simply "personal data," defined in GDPR Article 4 as "any information relating to an identified or identifiable natural person." This includes virtually any data collected about a person that can somehow be linked back to that person, even if it carries no clear identifier.
The second, more restrictive category consists of data elements that fall within the "special categories" of personal data defined in GDPR Article 9. These include information about racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. This category also covers genetic and biometric data and information about a person's sexual activity or orientation. Organizations are prohibited from collecting or processing this type of information unless the use fits within one of 10 narrowly tailored exceptions.
Additionally, the GDPR sets out seven key principles for the lawful processing of personal data:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Data Protection in Mauritius
Mauritius is a major financial hub and an attractive offshore jurisdiction for investors, and its data protection laws were amended to bring them in line with the GDPR by virtue of the Data Protection Act 2017 ('DPA'). On 8 December 2017, the Mauritian Assembly passed the DPA, repealing the Data Protection Act 2004 ('the 2004 Act'). The DPA obtained the President's assent on 22 December 2017, was published in the Government Gazette on 23 December 2017, and came into force on 15 January 2018.
The objective of the DPA was guided by the founding principle enshrined in the GDPR: the protection and safeguarding of individuals' privacy rights insofar as the processing and storage of personal data are concerned. The new provisions of the DPA ensure lawfulness, fairness and transparency, so that individuals are well informed and afforded protection for the confidentiality of their personal data, in order to reduce the growing risk of data leaks. The major overhaul brought by the DPA took the form of:
- Simplified and structured registration and renewal process of data controllers and processors;
- Implementing a complaints’ mechanism;
- Lawful processing of personal data;
- Consent requirements of data subjects in order to process data;
- Extensive rights afforded to data subjects in terms of consent, rights of access, automated individual decision making, right to object to processing of personal data, rectification of incomplete or inaccurate data;
- Safeguards imposed for the transfer of personal data outside the jurisdiction of Mauritius in terms of notification requirements to the Commissioner, limited and selective data transfer in view of specified purpose;
- Improved digital legal landscape to respond to GDPR requirements for adequacy;
- Minimised risk of data breaches and notification requirements of any data breach;
- Wider interpretation of ‘data’ to include biometric and genetic data;
- Security of data processing by way of encryption and pseudonymisation of personal data;
- Data Protection Impact Assessment in order to identify and mitigate the data protection risks;
- Offences and penalties imposed for non-compliance with the DPA.
Setting up a Data Protection Framework
Financial institutions and organizations around the world must comply with the GDPR while doing business in the European Union or with EU residents. While most financial organizations already have privacy practices due to existing laws and regulations, GDPR compliance still requires the attention of security and privacy professionals to ensure that their organizations remain on the right side of the law.
The key to the successful implementation of any data protection framework lies in winning the trust of customers through a well-defined data security architecture. Financial services organizations will have to overcome a number of challenges and adopt a structured approach while implementing data protection practices. They will need to:
- Define and roll out a robust governance model to implement data privacy programs
- Review current capabilities of information systems, remediate and roll out upgraded information security systems
- Assess current policies, procedures and frameworks
- Appoint data protection officers
- Create awareness across functions within the organisation on data protection
- Conduct privacy assessments regularly and whenever new products/processes are launched
- Appoint experts to conduct regular cybersecurity and data protection audits
How can we help you?
With a team of professionals with niche expertise in legal and compliance matters, Temple Consulting Ltd can assist you in the design and implementation of a data protection framework. We assist our clients in building and sustaining privacy and data protection programs that address regulatory requirements and industry best practices.
We have worked with organizations of various sectors in Mauritius and have helped them to:
- Understand the regulatory requirements and applicable industry guidelines.
- Identify and document risks.
- Design customized privacy and data protection programs.
- Develop and execute a plan for optimal implementation of a privacy and data protection program, including initial and ongoing employee training and awareness initiatives.
- Ensure sustainability and effectiveness of the privacy and data protection program through monitoring and testing.
Additionally, Temple Professionals Ltd provides tailor-made in-house training as well as public courses on data protection and its various legislative requirements.
To know more, kindly get in touch with us on (+230) 210 3588 or templeconsulting@templegroup.mu