GFMA has released its Financial Data Handling Principles for Banks and Non-Banks as a voluntary set of principles drawn from international best practices. The principles are based on both the U.S. NIST Cybersecurity Framework and the European Union’s General Data Protection Regulation (GDPR).
The principles recommend that firms should:
- Limit the collection, processing and use of personal data to that which is necessary to accomplish a lawful purpose.
- Provide a reasonable means for data subjects to check and correct the accuracy of personal data held about them.
- Limit access to personal data to users on a need-to-know basis and monitor such access on a periodic basis.
- Protect against unauthorized or unlawful access to, or removal of, personal data using a risk-based approach with reasonable technical and procedural measures.
- Use a risk-based approach to employ appropriate safeguards, such as encryption, when transferring data.
- To the extent reasonably feasible, securely eradicate, dispose of, or destroy personal data without delay when there is no longer a valid business, legal or regulatory purpose to retain it.
- Only provide personal data to external entities with data protection policies and procedures consistent with these principles or where required by law.
- Implement a monitoring programme designed to identify and resolve data security issues, gaps or weaknesses, and remediate any issues found.
- After establishing that a loss or compromise of personal data has occurred, promptly notify regulators and individuals who have been substantially harmed.
- Work together with other financial institutions and regulators in exchanging views and intelligence with a view to continually improving data security.