Forgetting Is Not an Option: Organizations Must Ensure Data Protection Mechanisms in Place
============================================================
In today’s data-driven world, protecting personal information has become a top priority for organizations. With the rise of open banking and increasing cyber threats, it is crucial that companies ensure they have the mechanisms in place to meet requests from data subjects to forget their personal data.
Meeting Regulatory Requirements
As per regulations, data controllers are responsible for maintaining records of consent, withdrawal of consent, and the sharing of all personal information. Organizations must:
- Map end-to-end data flow to demonstrate understanding of how data flows across different business functions and technology components, as well as who has access to it.
- Agree on the identification, classification, protection, retention, and destruction of client records with data processors and third parties involved in the data’s lifecycle.
Aligning Policies with Regulatory Requirements
Organizations must also align their policies with regulatory requirements, particularly when developing advanced analytics engines, AI, and machine learning capabilities that gain insights from data.
Key Considerations
- Data portability: organizations must be capable of moving data quickly at a data subject’s request.
- Process for dealing with data breaches or incidents: vital in today’s world where cyberattacks are becoming increasingly common.
- Cybersecurity: the importance of cybersecurity cannot be overstated, as a successful attack can have a major impact on an organization’s reputation and finances.
Adapting to Changing Business and Regulatory Landscape
Organizations must consider:
- The evolving business and regulatory landscape, including the Office of the Superintendent of Financial Institutions’ (OSFI) Draft Guideline B-13, Technology and Cyber Risk Management.
- Consumer expectations: changing post-pandemic, with increased use of technology and readily available information.
Developing Security Resilience Programs
Organizations must develop security resilience programs using industry-leading practices tailored to the specific threats that could affect their businesses. This includes:
- Investing in technology or partnering with third-party vendors to strengthen resilience while remaining scalable.
- Establishing practices to govern data stewardship, ethics, transparency, privacy, and protection.
Conclusion
Forgetting is not an option for organizations operating in today’s data-driven world. Ensuring mechanisms are in place to meet requests from data subjects to forget their personal data is a top priority. By developing a comprehensive risk management framework that incorporates:
- Privacy and consent management
- Data risk
- Security risk
- Business risk
- Third-party risk
organizations can develop a scalable and sustainable roadmap for open banking.