How to Ensure You Are Protecting Customer Data in the Financial Services Sector


Data has become incredibly powerful for financial services companies, which are increasingly using technology to mine it for insights and opportunities. But with great power comes great responsibility, and the protection of customer data has become a core regulatory requirement for firms operating in the UK, Ireland, and across the EU.

We recently held a webinar on this topic with fscom experts Nick Gumbley (Associate Director) and Will Finn (Senior Manager). In this blog, we summarise their advice on what companies need to know about regulations on customer data, and how they can set up a framework to meet these challenges head on.

The global spread of data protection regulations

Data protection has landed firmly on the regulatory agenda in recent years. The EU’s General Data Protection Regulation (GDPR) was formally introduced in the EU and the UK in 2018. After Brexit, the UK’s regime shifted to the UK GDPR and Data Protection Act 2018 – which has subtle differences but ultimately very similar provisions. The regulations have three aims:

  1. To protect individuals’ data.
  2. To provide them with a mechanism to seek recourse if they believe their data has been used illegally or in a way they didn’t agree to.
  3. To allow companies to use data as more opportunities present themselves by creating a framework around it that protects customers’ rights.

Firms in the UK answer to the Information Commissioner’s Office and Financial Conduct Authority, while Irish firms are accountable to the Central Bank of Ireland, the Data Protection Authority of Ireland and EU and EEA regulators. But companies are also expected to respond to two important groups:

  1. Individuals: GDPR empowers individuals by making clear that they own their data and giving them legal rights to ensure businesses are using their data transparently and for legitimate purposes. Individuals can complain to national authorities and make subject access requests or right to be forgotten requests.
  2. Organisations: When a company signs contracts with clients, these will include clauses around data protection, information security and data privacy which must be delivered on.

The costs of failing to protect customers’ data

After four years of GDPR, it’s already clear that the regulations have teeth. Over 1,000 fines have been issued under the EU regulation, including an eye-watering €746 million fine for Amazon in July 2021. Financial services companies have been targeted, such as a €463,000 fine for the Bank of Ireland for errors impacting the creditworthiness of data subjects, delays in informing these individuals, and lack of appropriate organisational and technological measures around their data.

Even where fines have been smaller – the regulations are applied proportionately after all – companies still suffer reputational damage from a breach. This is especially true in financial services, where high-net-worth individuals will be quick to withdraw their business if they lose confidence in how their data is handled.

How can companies protect customer data?

Companies need to put in place the right processes around their use of data. The UK GDPR says data protection should be implemented by design and by default, which means data protection and privacy should be built into every step of every action that involves processing personal data.

We recommend five practical steps to improve your handling of customer data:

  1. Business overview: You should gain an end-to-end understanding of what processing of data occurs across the services you deliver to customers, including those carried out by third parties. Undertake a data privacy impact assessment (DPIA) to identify and manage risks to customer data when launching a new product.
  2. Review existing documentation: Firms have hundreds of documents relevant to data protection and a discovery exercise can capture them into a single inventory. This also meets the UK regulator’s expectation that firms should populate a record of their data processing.
  3. Validate findings: Companies should develop a data classification scheme which communicates to all employees what kind of customer data needs to be protected. This should be kept simple with a small number of categories of data (from restricted to public), and accompanied by clear guidance on how to handle each type and training for key staff.
  4. Update policies and procedures: Based on the findings in the previous three stages and the regulations, companies should update their policies and procedures around data and present them to the company and its third parties.
  5. Learn lessons: The compliance exercise should be documented along with lessons learned, and these should be periodically reviewed and updated. DPIAs can help to assess compliance on an ongoing basis.


In our extensive experience advising clients on data protection, we recommend paying particular attention to:

  • Third parties: Firms should engage with third parties who are helping to process customer data at every stage of their relationship to ensure their compliance.
  • Governance: Clearly define who in the organisation is accountable for managing data protection. This ensures firms meet, for example, obligations to respond to Subject Access Requests in a timely way.
  • Incident management: Companies need an effective incident and privacy breach detection regime. The IT and information security function in a firm should work closely with the data protection officer on this.
  • Regulatory changes: GDPR is just the start of a new regulatory approach to protecting and overseeing the use of customer data, and firms need to stay on top of developments as they arise in the future. There are some differences between the EU’s and UK’s regulations, particularly around the age a child can consent to data processing and companies’ ability to process personal data, and firms should watch for future divergence.
  • Services: The protection of customer data should be front of mind when designing and launching a new product or service, and data should be deleted or returned to customers when a product is retired.


You can read more about fscom’s advice on data protection on our website. We can help companies to manage data protection requirements and cyber risk. Contact us today for a free consultation.

Article by FScom
