GDPR: Data Privacy Laws in Financial Services

Perficient Data & Analytics

My previous blog post addresses the reasons for the regulation and the requirements associated with the New York State Department of Financial Services (NYDFS) 23 NYCRR 500. In this blog, I am addressing the General Data Protection Regulation (GDPR) and all the regulations that come with it. The General Data Protection Regulation (GDPR) is a European Union (EU) regulation on data protection and privacy for all individuals within the EU. Data Protection Officer.

NYDFS 500 and GDPR in Financial Services – Actions to Take Now

Perficient Data & Analytics

My previous blog focused on addressing the General Data Protection Regulation (GDPR) and all the regulations that came with it. In my final post of this series, I want to outline the actions you can take to remain proactive with data privacy laws surrounding NYDFS 500 and GDPR. Companies will need to navigate the interconnected pieces of their organization, understand the history and lifecycle of their data, and work closely with regulators to ensure a successful outcome.



NY Department of Financial Services Issues Guidance to Regulated Entities Regarding Cybersecurity During the COVID-19 Pandemic

Hunton Privacy

On April 13, 2020, the New York Department of Financial Services (“NYDFS”) issued guidance (“April guidance”) to all New York State entities covered under NYDFS’s cybersecurity regulation regarding assessing and addressing heightened cybersecurity risks due to the COVID-19 pandemic.

NY Charges First American Financial for Massive Data Leak

Krebs on Security

In May 2019, KrebsOnSecurity broke the news of a data leak on the website of mortgage title insurance giant First American Financial Corp. First American’s stock price fell more than 6 percent the day after news of the leak was published here.

Striking a balance between security and usability of sensitive data

OpenText Information Management

Last year, the number of personal records exposed by cyber attacks on the financial services industry was an incredible 446,575,334 – more than triple from the year before. The financial and reputational damage from these data breaches can be immense.

Singapore Parliament Passes Personal Data Protection Act

Hunton Privacy

On October 15, 2012, the Singapore Parliament passed the Personal Data Protection Act 2012. The new law will apply only to data processing in the private sector, as data processing by public agencies (or organizations acting on behalf of public agencies) is already subject to internal government rules. In addition, the bill does not impose a generally applicable data breach notification requirement. New Personal Data Protection Commission.

COVID-19 Interest Rates Present Mortgage Industry Challenges


For mortgage lending and other financial services work, security issues can be particularly challenging. Mortgage files contain sensitive personal data.

Improve your data relationships with third parties


Seizing an opportunity to improve data relationships with third parties. Regulators are focusing on the data relationships financial services organizations have with third parties, including how well personal information is being managed.

Grove Pension Solutions fined £40,000 for PECR violation

IT Governance

The organisation hired a data protection consultant for advice, and ran its plan past an independent data protection solicitor. The ICO’s director of investigations and intelligence, Andy White, said: “Spam email uses people’s personal data unlawfully, filling up their inboxes and promoting products and services which they don’t necessarily want.”

Establishing a California Consumer Privacy Act Compliance Program

Perficient Data & Analytics

Document the process, data, and technical requirements. Customer personal data current state analysis. Changes to process and data flows. Consolidate the consumer personal data. Changes to data retention and deletion processes. Develop the approvals and workflows to manage customer personal data. Data security upgrades.

Getting Started with California Consumer Privacy Act Compliance

Perficient Data & Analytics

Compliance with the CCPA requires robust processes for identifying, governing, distributing, and securing consumer personal information. The first steps are to document the current usage of this information. Data inventory: generate lists of personal data related to clients, investors, employees, counterparties, prospects and other entities. Data policies: review current policies to process, retain and delete data.

NYDFS Settles with Mortgage Company for Data Breach

Hunton Privacy

On March 3, 2020, the New York Department of Financial Services (“NYDFS”) announced it had entered into a settlement with Residential Mortgage Services, Inc. (“RMS”).

Expect Challenges with the California Consumer Privacy Act

Perficient Data & Analytics

Compliance with the CCPA will be challenging because it represents major changes in how financial institutions conduct their business. DATA DISPERSION. Consumer personal data is often scattered across multiple internal platforms and shared with many third parties. Firms use consumer personal data to identify and qualify prospects, cross-sell and up-sell to existing customers, and create targeted outreach messages.

Perficient Helps Adjust to the California Consumer Privacy Act

Perficient Data & Analytics

The first step any financial institution must take in its response to the new CCPA law is to evaluate its exposure and current state of readiness. Analysis: Identification of critical process and data gaps, implementation or reinforcement of governance processes, documentation of requirements. Implementation: Technical services to consolidate customer data, develop governance and approval workflows, and make infrastructure upgrades.

Is Your Customer Experience Future-Ready?


How do you ensure security and privacy while personalizing the customer experience? Modern enterprise-wide customer data platforms with Customer 360 present a real-time single customer view to all the business teams to ensure consistent omnichannel customer experience. It is an ongoing activity, constantly responding to the changes in market and customer expectations, new products and services, and technology evolution. Ankur Gupta, Sr. Product Marketing Manager, Reltio.

These 3 GDPR Requirements You Must Support Today are Nothing Compared With What’s Coming


On May 25, 2018, the GDPR (General Data Protection Regulation) went into effect. The primary objectives of the GDPR are to give EU citizens and residents control back over their personal data, to simplify the regulatory environment for international business, and to unify regulations within the European Union. Consumer personal data collected within your company is often distributed to multiple systems and organizations, resulting in duplication.


Cybersecurity Standards for the Insurance Sector – A New Patchwork Quilt in the US?

HL Chronicle of Data Protection

Major data breaches in recent years are spurring state legislators and regulators across the US into action. For example, the New York Department of Financial Services (‘NYDFS’) in March 2017 issued its Cybersecurity Regulation (23 NYCRR 500) (‘the NYDFS Cybersecurity Regulation’), a groundbreaking and far-reaching regulatory regime focused on financial institutions licensed in New York, including insurance companies.

The UK ICO’s Regulatory Sandbox Points to a Future of Pro-Active Engagement

HL Chronicle of Data Protection

As companies continue to grapple with interpreting how the GDPR’s principles apply to their own businesses, in particular contexts, there is a growing need for data protection regulators to provide clarity on the practical application of the regulation. The ICO intends to use its own Sandbox to support organisations that are looking to use personal data in innovative ways through the use of new technologies and approaches.

California Consumer Privacy Act: The Challenge Ahead — Introduction to Hogan Lovells’ Blog Series

HL Chronicle of Data Protection

privacy laws which generally focus on specific sectors or issues, the CCPA applies broadly to businesses that collect personal information about California residents and aims to create significant new consumer privacy rights. Effective immediately, the CCPA preempts local laws regulating the collection and sale of consumer personal information by businesses. Clinical trial data exception. The CCPA’s private right of action is limited to data breach violations.

CIPL and AvePoint Release Global GDPR Readiness Report

Hunton Privacy

On November 9, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP and AvePoint released the results of a joint global survey launched in May 2016 concerning organizational preparedness for implementing the EU General Data Protection Regulation (“GDPR”). Telecommunication and technology companies were the most represented respondents, followed by insurance and financial services companies, as well as pharmaceutical and healthcare companies.

Ireland & UK: Latest trends in data subject access requests in pending litigation

DLA Piper Privacy Matters

As individuals become more aware of their rights under data protection law, data subject access requests (DSARs) are an increasingly frequent concern for organisations both large and small. Approach of the Irish Data Protection Commission.

EU’s possible Data Act: What can we anticipate from the Inception Impact Assessment and the Consultation?

Data Protection Report

The European Commission (EC) signalled plans for a new Data Act, to be published in late 2021, in its February 2020 Data Strategy Communication. What is the objective of the possible Data Act? Lack of legal clarity on who can do what with data (for example, co-generated data).


DLA Piper Privacy Matters - Untitled Article

DLA Piper Privacy Matters

NETHERLANDS: Dutch Data Protection Authority received record number of data breach notifications in 2018. Earlier today, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) issued a press release stating that it received 20,881 notifications of data breaches in 2018. In comparison to 2017, the number of data breach notifications has (more than) doubled.

Assessing the Impact of the Barbados’ Proposed Data Protection Bill on the Barbadian Private Sector

Data Matters

*Jan Yves Remy is a former Sidley Austin Associate and now serves as the Deputy Director at Shridath Ramphal Centre for International Trade Law, Policy and Services at the University of the West Indies in Barbados. Today, more than 120 countries have privacy and data protection laws or regulations in place. Many of the new or modernized laws tend to be based on comprehensive legislation, rather than sectoral rules, as data needs to move across industry groups and borders.

NEW TECH: How ‘cryptographic splitting’ bakes-in security at a ‘protect-the-data-itself’ level

The Last Watchdog

How can it be that marquee enterprises like Capital One, Marriott, Facebook, Yahoo, HBO, Equifax, Uber and countless others continue to lose sensitive information in massive data breaches? Related: Breakdown of Capital One breach. The simple answer is that any organization that sustains a massive data breach clearly did not do quite enough to protect the data itself. Here are key takeaways. Security benefits: protect the data itself.

What (currently ignored) privacy area might result in early enforcement action when the GDPR is in force?

Data Protector

We have 480 days to go before the General Data Protection Regulation is “in force”. But it will undoubtedly lead to greater unease amongst the audit committees of many firms, particularly those in the (regulated) financial services sector, who will note, from the data protection compliance reports that have been commissioned, the difficulties that are being encountered in ensuring that sufficient evidence is available to demonstrate how the organisation complies with the GDPR.


China: Navigating China episode 16: New data lifecycle guidelines for financial institutions in China – detailed assessments, additional security measures and some data localisation introduced

DLA Piper Privacy Matters

Important new guidelines outlining how personal and other types of financial information should be handled by financial institutions throughout the data lifecycle have just come into force in China, including a new data localisation obligation. Level 1: public data.

EU: Binding Corporate Rules are Generating Greater Interest

DLA Piper Privacy Matters

Multinationals are increasingly turning to BCRs because they provide more legal certainty for personal data transfers from the EU. The EU General Data Protection Regulation (“GDPR”) brought about stricter data protection rules, and increased penalties for breaching these rules. For many multinationals this has led to reconsidering their framework for transferring personal data from the EU to third countries.

Equifax Data Breach: The Long-Term Impact on Fighting Fraud


The massive Equifax data breach that’s making national headlines is estimated to impact nearly half of the U.S. While most of the news centers on the consumer identity theft impact, the real story in the financial services ecosystem is what this hack will cost banks, credit unions and issuers. From what’s been publicly reported, 209,000 credit card numbers and 182,000 documents with personal information have been breached.

SEC Announces Settled Charges Against First American for Cybersecurity Disclosure Controls Failures – Lessons Learned

Data Matters

The Order alleges that this vulnerability exposed over 800 million images dating back to 2003, including sensitive personal data, such as Social Security numbers and financial information. On July 21, 2020, the New York State Department of Financial Services (NYDFS) issued a statement of charges and notice of hearing against First American for six violations of the department’s Cybersecurity Requirements for Financial Services Companies.


Ireland: DPC Annual Report 2020: Enforcement & Transfers Dominate Agenda

DLA Piper Privacy Matters

In its second full year overseeing and regulating the GDPR in Ireland, the Data Protection Commission (DPC) has published its 2020 Annual Report, highlighting key observations, emerging guidance, and large scale inquiries and decisions of 2020. Financial Services Sector Focus.


List of data breaches and cyber attacks in July 2019 – 2.2 billion records leaked

IT Governance

Department of Health Services email hacked exposing patient data (14,591). Crooks steal Bulgarians’ personal details and email them to local media (5 million). Pennsylvania-based software firm and healthcare provider accuse each other of data theft (unknown). TX-based Wise Health reports data breach caused by phishing attack (35,899). Hackers breach SyTech, a contractor for Russia’s national intelligence service (unknown).

An ongoing Qbot campaign targeted customers of tens of US banks

Security Affairs

Researchers uncovered an ongoing campaign delivering the Qbot malware to steal credentials from customers of dozens of US financial institutions. Qbot, aka Qakbot, is a data stealer worm with backdoor capabilities that was first detected by Symantec back in 2009.

Data Compliance in a World of Data Privacy Concerns


We live in an age where we have the ability to collect and utilize more data than ever. As the amount of data we’re responsible for increases, so do concerns that we’re handling it properly. Data compliance refers to statutes and regulations that provide accountabilities, processes and operational obligations for the collection, storage, format and use of data. The laws that regulate data compliance vary greatly depending on jurisdiction.

Webinar Invitation — Operationalizing the California Consumer Privacy Act

HL Chronicle of Data Protection

As the first broad-based state law on consumers’ personal data in the U.S., the California Consumer Privacy Act of 2018 (CCPA) has been described as groundbreaking, watershed, and unprecedented since its passage on June 28, 2018. Please join the Hogan Lovells Privacy and Cybersecurity team and LexisNexis on June 19 for the webinar, Operationalizing the California Consumer Privacy Act – Key Decisions and Compliance Strategies.

Data Governance Tools: What Are They? Are They Optional?


Data governance tools used to occupy a niche in an organization’s tech stack, but those days are gone. The rise of data-driven business and the complexities that come with it ushered in a soft mandate for data governance and data governance tools. Data governance refers to the strategic and ongoing efforts by an organization to ensure that data is discoverable and its quality is good. It is also used to make data more easily understood and secure.

Record Retention is a Key Component of Your Privacy and Cyber Compliance Program

Data Protection Report

In 2019, we saw regulators put a renewed focus on how long businesses retain personal information. This sends a clear message that organisations can no longer ignore their obligations relating to data retention. How should businesses change their attitudes towards data retention?

GDPR automated decision-making and profiling: what are the requirements?

IT Governance

In addition to data subjects’ rights to be informed, of access, to rectification, to erasure, to restrict processing, to data portability and to object, the EU’s GDPR (General Data Protection Regulation) sets out requirements relating to automated individual decision-making, including profiling. There are three exceptions to this restriction: If it is necessary to perform a contract between the data subject and a data controller.


The Tension between GDPR and Blockchain: Are they Polar Opposites or Can they Co-exist


One of the most notable blockchain skeptics, David Gerard, argues that if “you were silly enough to put personal data into an append-only ledger which is a proof-of-work blockchain — that’d be flat-out insane.” The GDPR Regulation provides data subjects with enhanced rights to withdraw consent, access, correct and in some cases erase their personal information. While pseudonymization falls within GDPR protection as such data may be re-identified (i.e.

MY TAKE: Identity ‘access’ and ‘governance’ tech converge to meet data protection challenges

The Last Watchdog

Related: Applying ‘zero trust’ to managed security services. “Our customers all have the pain point of wanting to have single sign-on for multiple applications, requiring capabilities like self-service and self-registration,” Curcio told Last Watchdog. Yet even as IAM and IGA technologies steadily advanced, enterprises continued to struggle mightily with keeping data secure. And the massive data breaches just keep on coming.
