The data privacy question for financial services firms is how to collect data with customers’ consent, and then protect that data while using it to deliver an enhanced and highly personalised experience. Against this backdrop, there is also the question of what areas of financial services are most in need of new approaches, emancipated from the dictates of privacy legislation.

Listed below are the key regulatory trends impacting the data privacy theme, as identified by GlobalData.

Increase in volume of data privacy regulation

Since the introduction of the General Data Protection Regulation (GDPR) in 2018, more than 60 jurisdictions around the world have enacted or proposed a privacy or data protection law, including Brazil, Japan, Thailand, and various states around the US.

Increased frequency and severity of data privacy incidents

Digital security incidents affecting the integrity, availability, and confidentiality of data stored by financial services providers have become more common and are on the rise globally.

Data privacy policies drive consumer behaviour change

One powerful measure of this was the speed in which many consumers changed to a different messaging app after Elon Musk criticised Meta’s latest privacy policy updates on Twitter. In effect, the updates allowed Meta to have direct access to all and any private messages sent and received from businesses through the platform. While the update did not impact personal messages between friends and family, it nonetheless drove consumer outcry and heightened the distrust of Meta. When Elon Musk recommended users switch from WhatsApp to Signal, app downloads exploded, as did downloads of Telegram, another privacy-focused app.

In the last few months, Apple introduced a pop-up window for iPhones, which asks users for their permission to be tracked by different apps. Soon after, Google introduced plans to disable tracking technology in its Chrome web browser and Meta said in August 2021 that hundreds of its engineers were working on a new method of displaying ads without relying on people’s data.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

New entrants seek voluntarily standards

New entrants are typically less trusted with data than incumbent banks, or non-banks with longer histories. In particular, data aggregators, such as Plaid and Money Desktop (MX) in the US have faced considerable pushback from banks over data security. In response, these firms have set out a host of requirements to address security risks commonly encountered by emerging providers, as part of a newly formed Open Finance Data Security Standard, to be implemented in the second half of 2022.

As part of industry consultations, the leading data aggregator, Plaid, acknowledged that existing data security standards were not designed specifically for modern, cloud-native delivery models or the resource constraints of early-stage companies.

Know Your Data (KYD) role for chief data officer

A key barometer of evolving concerns is the evolution in existing job specifications and the creation of new job titles. We have seen relatively new chief data officer roles evolve quickly from one that focuses on compliance to a far broader mandate to protect the institution from the impact of bad data. This has three aspects: verifying data from its origin through its full lifecycle, scrutinising how it is used to make decisions, and securing and maintaining data to the highest standards. Data intelligence functions are emerging that draw on data science and cybersecurity tools to avoid the possibility that anyone might manipulate data for their own benefit.

Focus on legal basis for data use

Data privacy brings the art and science of consent management into sharp focus, as to use personal data, financial services providers must have a legal basis for doing so, and there are two major types of legal basis. The first is ‘universal and explicitly defined by the regulator’, which includes contract, legal obligation, vital interest, and public tasks. The second is ‘explicit customer consent’, which can be withdrawn by the customer at any time.

Most data-driven innovations using customer data require a customer’s consent, so consent management then becomes a highly strategic issue. The only other way of processing personal data is if personal data is anonymised.

Consent management

It is critical that customer consent is given freely, specific to the data usage intent, and is informed, unambiguous, and can be revoked at any time. Securing customer consent for new services is very challenging, particularly if the customer data will be shared with third parties. It is common for a lack of critical mass with customer consent (opt-in) to prevent an innovative idea from progressing. Emphasis must be placed on the fact that a customer’s consent can be revoked at any time, which means that data governance processes have to be in place to enable the deletion of such data.

Consent management as a function needs to be driven by teams that sit across technology, business, user experience, and compliance—otherwise, the language will be too complex or alienating. To this end, some larger financial services providers have invested in full-time data relationship managers, which work specifically on delivering messages in a way that is not only understandable but also valuable to the end user.

Providers can increase customer comfort levels by segmenting customers by privacy preference rather than assuming a one-size-fits-all policy. Engaging in a personalised way will increase the chance of conversion (or consent). Providers should also make sure their position on privacy is consistent with its overall brand proposition.

Compliance language

Historically, data regulation was about protecting consumers from unauthorised access to their data and misuse. Now with open banking, the focus is on empowering, in using data as a sword. Balancing these two can lead to tensions as well as commonality. For example, despite their different objectives, both Payment Services Directive Two (PSD2) and GDPR hinge on the issue of consent. GDPR mandates that financial institutions cannot process consumer data without consent, which must be obtained under specific conditions.

Predatory lending in unbanked markets

Fintech lending in unbanked markets, where millions are excluded from mainstream financial services due to a lack of account history of credit score, has exploded. But it has created real power differentials between suppliers and customers. These sectors have a growing reputation for taking advantage of customers with limited financial literacy and charging exorbitant rates. These providers have also violated implied privacy laws, by harvesting data from phones, with reports of pressuring debtors by calling friends and family members to embarrass them.

Regulatory limits to ‘platformification’

In September 2021, the UK government published a consultation setting out proposals to relax data privacy rules post-Brexit to encourage data-driven economic growth and innovation. A downgrade in data protection standards will risk losing the adequacy decision granted to the UK by the European Union (EU). Deregulation will also increase legal uncertainty and risks for businesses. Companies that have adapted to comply with the GDPR, risk being burdened with new compliance rules.

Fragmented regulations create uncertainty

China’s centralised Personal Information Protection Law provides a comprehensive set of rules around data protection, similar to that of the EU’s GDPR. While the US still lacks a harmonised privacy regime, calls for federal data protection legislation will increase as state-level regulations are adopted, such as Virginia’s Consumer Data Protection Act, which will take effect in 2023.

Fragmented data privacy regulations within the US and globally will create uncertainty for businesses as they face a range of distinct compliance requirements. The absence of an agreement between the EU and the US on data transfers will add to the uncertainty surrounding the legality of transatlantic data transfers.

Privacy is more than compliance

Privacy is clearly part of compliance, but to have meaningful impact it needs to be infused into the culture of the organisation. Data privacy breaches are often caused by poorly managed access within an organisation. People and processes matter as much as technology and humans are the weakest link in the chain of privacy and security. However, as distributed working proliferates, it is harder to manage user access and secure your sensitive data.

New entrants seek ISO 27001 designations

One important way new entrants can verify they are handling personal data properly is to obtain independent, external certifications for their privacy programme and practices. These include ISO 27701, APEC Cross-Border Privacy Rules, and EU Binding Corporate Rules. These designations can save time and effort in contract negotiations and can be especially important for new entrants working on sensitive, mission-critical activities, like core-system modernisation.

Thought Machine has sought ISO 27001 certification and achieved SOC 2 Type 2 accreditation, which lays out specifications for implementing information security management systems, and demonstrates their internal controls and systems are secure and available for operation. Alongside complying with GDPR, the vendor complies with all relevant data protection laws in other key territories in which it is operational, such as Singapore, Australia, and the US.


Tracking tools such as web cookies and Apple’s Identifier for Advertisers have delivered an unprecedented increase in the sophistication of advertisement personalisation and targeting, but they have also increased the risk of privacy violations. In some jurisdictions, providers may no longer be able to rely on cookies to boost the efficacy of customer outreach. Those institutions that do not figure out a strategy to maintain—and even grow—their access to first-party data may have to spend 10 to 20 percent points more on sales and marketing activities to generate the same returns.

Meanwhile, in the UK, for example, the Department for Digital, Culture, Media and Sport is exploring the possibility of cookies without consent, where it benefits the user and/or limited scope of cookies without consent.

Data storage

Global bank regulations around data security, customer privacy, and ethical use of data such as GDPR are making it increasingly challenging for financial institutions to share data among entities and across borders, to design target state data flow, and to develop meaningful analysis for credit scoring. In addition, data generated by different activities are subject to different legal limitations on use. For example, data from a financial transaction cannot be used for the same purposes as the personal data from a profile on a social media platform.

Meanwhile, the growing amount of data is creating opportunities for many third parties to provide data management services, collecting, cleansing, and combining data,  which creates new liability challenges around the accuracy, quality, and reliability of data amid sharing.

There are also heightened cyber risks; most notably, perhaps, the Equifax breach back in 2017, involving the theft of certain personally identifiable information of US, Canadian, and UK consumers.

This is an edited extract from the Data Privacy in Banking – Thematic Research report produced by GlobalData Thematic Research.