Protecting privacy and customer confidentiality
We see privacy as a vital component to achieving our purpose, and it is therefore embedded across all parts of our business. A central privacy team oversees privacy compliance, and all business areas have an accountable executive responsible for privacy compliance, supported by a local privacy team. The Group Data Protection Officer oversees awareness, training and reporting to the UK Information Commissioner’s Office, supported by additional country data protection officers.
Our Privacy and Client Confidentiality Policy includes both data protection and client confidentiality. The policy has a defined escalation process for privacy and client confidentiality issues. It also clearly sets out how we manage privacy, client confidentiality and personal data breaches and specifies that anyone breaching the policy can be subject to disciplinary action. All our customers, colleagues and third parties can therefore be confident that we treat protection of their data with the utmost seriousness. NatWest Group provides updates to senior management on privacy and client confidentiality, including at Board level and to the Group Board Risk Committee. Updates and reminders are also provided through internal communications to ensure privacy is at the forefront of all of our colleagues’ minds.
NatWest Group has adopted a layered and accessible approach to providing privacy information, as recommended by the UK Information Commissioner. We present an overview of our approach to data protection and privacy on our website and these pages are constantly reviewed so they are up to date and accessible to users across all digital platforms. We also aim to have marketing preferences that adequately reflect customer wishes.
Data transfers and collaboration
We’re continually refining our systems to comply with the General Data Protection Regulation (GDPR), the UK Data Protection Act and other local legislation. We factored in the impact of Brexit and of UK and European case law on our privacy obligations and cross-border data flows. In addition to this, we have a close relationship with regulators and industry bodies as appropriate. Our privacy teams are in regular contact with other internal teams to assist with initiatives such as supporting victims of financial crime.
Privacy and client confidentiality training
All colleagues and contractors are required to undertake annual mandatory privacy and client confidentiality training. Each year, we also engage with our suppliers to understand the privacy governance arrangements they have in place (including policy, mandatory procedures and training and awareness) and review the responses to ensure that satisfactory controls exist.
Training topics include:
- What the bank’s privacy and client confidentiality obligations are.
- Privacy considerations for new projects, systems and so on.
- How colleagues should recognise and respond to requests from individuals to exercise their data rights.
- What to do in the event of a breach.
The privacy and client confidentiality training module is updated annually with new topics and learnings from the previous year. Job-specific training is provided as necessary for colleagues based upon their job roles, for example job-specific training on redactions for the Subject Access Team. The bank uses internal checklists intended to guide good decision-making and the safe use, storage and sharing of information, which include the YES Check and Info SAFE checklists.
‘Info SAFE’ is used to support our AI and machine learning strategy via ‘fairness assessments’ of models, in addition to the checklist questions below, which are relevant for all colleagues across NatWest Group when they deal with customers’ or colleagues’ data. The Info SAFE checklist asks the following questions:
Privacy by design and default
New data-driven innovation brings opportunities to build systems using fundamental privacy principles such as ‘privacy by design and by default’. The privacy teams work closely together to ensure fundamental privacy concepts are implemented and to ensure consistency across the bank. Privacy impact assessments are also carried out to ensure that privacy risks are identified and minimised as early as possible.
Regulator communications and data subject rights
NatWest Group has specialist teams who respond to queries relating to data-subject rights. Data-subject access requests have remained relatively steady following the GDPR rules that came into force in May 2018, with a low volume of requests concerning other data subject rights.