GFMA Financial Data Handling Principles for Banks and Non-Banks
12 February 2019
GFMA has released its Financial Data Handling Principles for
Banks and Non-Banks as a voluntary set of principles drawn from international
best practices. The principles are based on both the U.S. NIST Cybersecurity
Framework and the European Union’s General Data Protection Regulation (GDPR).
The principles recommend that firms should:
- Limit the collection, processing and use of personal data to that which is necessary to accomplish a lawful purpose.
- Provide a reasonable means for data subjects to check and correct the accuracy of personal data held about them.
- Limit access to personal data to users on a need to know basis and monitor such access on a
- Protect against unauthorized or unlawful access to, or removal of, personal data using a risk-based approach with reasonable technical and procedural measures.
- Use a risk-based approach to employ appropriate safeguards, such as encryption, when
- To the extent reasonably feasible, securely eradicate, dispose of, or destroy personal data without delay when there is no longer a valid business, legal or regulatory purpose to retain it.
- Only provide personal data to external entities with data protection policies and procedures consistent with these principles or where required by law.
- Implement a monitoring programme designed to identify and resolve data security issues, gaps or weaknesses; and remediate any issues found.
- After establishing that a loss or compromise of personal data has occurred, promptly notify regulators and individuals who have been substantially harmed.
- Work together with other financial institutions and regulators in exchanging views and intelligence with a view to continually improving data security.