DATA PRIVACY IN BANKING SECTOR
ENG. ALA’ ZAYADEEN
INFORMATION SECURITY MANAGER / JORDAN AHLI BANK
AGENDA
• INTRODUCTION
• EMERGING DATA PRIVACY TRENDS IN FACING EVOLVING THREATS.
• DESIGNING DATA PRIVACY (BEST PRACTICES)
PART 1
Introduction
INTRODUCTION
• THINK ABOUT ALL THE DATA USERS GIVE TO GOOGLE, FACEBOOK, APPLE,
TWITTER, AMAZON AND MICROSOFT. GIVEN THAT SO MUCH DATA ARE
ALREADY BEING COLLECTED ABOUT CONSUMERS' DAILY LIVES—FROM DATA
USERS VOLUNTARILY PROVIDE VIA APPS AND ORGANIZATIONS TO DATA
OBTAINED THROUGH SURVEILLANCE, ALL TOO OFTEN WITHOUT EVEN
KNOWING IT—SHOULD USERS BE LOOKING FOR DIFFERENT WAYS OF
THINKING ABOUT PRIVACY?
https://myaccount.google.com/dashboard?pli=1
INTRODUCTION
1. What is Data Privacy ?
2. What is Data Security ?
3. Data Privacy Vs. Security
Rights of an individual to trust that others will appropriately and respectfully collect, use, store, share and
dispose of his/her associated personal and sensitive information within the context, and according to the
purposes, for which it was collected or derived. What is appropriate depends on the associated
circumstances, laws and the individual’s reasonable expectations. An individual also has the right to
reasonably control and be aware of the collection, use and disclosure of his/her associated personal and
sensitive information
WHAT IS THE DIFFERENCE?
DATA PRIVACY
• IS CONCERNED WITH THE PROPER HANDLING OF DATA AND QUESTIONS RELATED TO THE COLLECTION, STORAGE, AND SHARING OF DATA
• WHO’S ALLOWED ACCESS TO CONSUMER INFORMATION
Data Security
protecting data from any unauthorized third-party
access or malicious attacks and exploitation of data
Privacy, in general, is an individual’s right to freedom
from intrusion and prying eyes or the right of the person to
be left alone
Data breaches can be caused by a lack of security measures. To properly protect data and
comply with data protection laws you need to implement both Data Privacy and Data Security
strategies
In this (oversimplified) example the window is
a security control, while the curtain is a privacy
control
Data security and data privacy often go
hand-in-hand
Exercise
So, if you are using a Google Gmail account, your
password would be a method of data ………..,
while the way Google uses your data to
administer your account would be data
……………..
Data protection is essentially amalgamated security and privacy.
Enhanced personal data protection involves greater data security and a higher level of data privacy.
https://dataprivacymanager.net/top-data-breach/?hsCtaTracking=44413ff6-67d0-4637-83c7-82a02ca92d63%7C8ee5da92-9b21-4f8e-87c5-becf7cd51b9b
TOP 5 2019 DATA BREACHES
1. Facebook Data Breach (half a billion)
2. Fortnite Data Breach (80 million)
3. Microsoft Data Breach
4. Canva Data Breach
5. Coinmama Data Breach
PRIVACY VIOLATION EXAMPLES
Mother Horrified to Learn Hackers Put
Live Feed of Daughters' Bedroom Online
GDPR FINES
https://www.privacyaffairs.com/gdpr-fines/
PART 2
Emerging Global Data
Privacy Trends
CHALLENGE
The banking industry is one of the primary data
breach targets due to the perceived value of the
underlying data
Emerging growth opportunities and the rapid
adoption of digital technology. Increasingly:
Banks need to be flexible in sharing customer data,
and it is therefore critical that they achieve a
balance between how flexible data sharing can be
while also maintaining its privacy…
‘Credit card and financial information’ are the most
private types of data, globally.
IMPORTANT TERMINOLOGY
DATA SUBJECT
An individual who is the subject of the information or
data.
DATA CONTROLLER
A person, company or organisation who determines
the purposes and means of processing personal data
DATA PROCESSOR
A person, company or organisation who processes
personal data on behalf of the controller
DATA PRIVACY TRENDS
DATA BREACH EVOLUTION
• GROWING DATA BREACH RISKS, MALICIOUS INSIDERS AND CYBER ATTACKS.
• GROWING THREAT OF FINANCIAL MALWARE.
• BREACHES DUE TO UNINTENTIONAL USER MISTAKES
REGULATORY EVOLUTION
• INCREASED REGULATORY FOCUS.
• HARMONIZATION OF DATA PROTECTION STANDARDS ACROSS REGIONS.
TECHNOLOGY ADOPTION
• SIMPLIFYING DATA PROTECTION AND CONTROLLING COSTS.
• INCREASING USE OF IDENTITY AND ACCESS MANAGEMENT SOLUTIONS.
• USING SMARTPHONES FOR SECURITY (ALERTS, OTP, ETC.)
DATA PRIVACY TRENDS
1- PRIVACY WILL BECOME A BIGGER FOCUS IN EXECUTIVE-LEVEL AND BOARDROOM DISCUSSIONS
2- MORE COMPANIES WILL MOVE TO A SINGLE ENTERPRISE-WIDE PRIVACY STRATEGY
3- PRIVACY AND CYBERSECURITY FUNCTIONS WILL BECOME MORE INTEGRATED
4- THIRD-PARTY RISK MANAGEMENT WILL CONTINUE TO BE A MAJOR FOCUS NEW ROLES AND SHIFT
IN RESPONSIBILITY
5- PRIVACY WILL BECOME A BUSINESS DIFFERENTIATOR
PART 3
Designing Data Privacy
DATA PRIVACY FRAMEWORK
DATA PRIVACY ACTIVITIES
• DEFINE AND IMPLEMENT A DATA PRIVACY PROGRAM.
• RE-DEFINE DATA GOVERNANCE POLICY FRAMEWORK, DATA
PRINCIPLES AND INTEGRATE THEM WITHIN EXISTING FUNCTIONS.
• RE-DEFINE REPORTING NEEDS FOR REQUISITE SENIOR
MANAGEMENT FOCUS.
• APPOINT DATA PROTECTION OFFICERS
• DESIGN AND DEVELOP PRIVACY IMPACT ASSESSMENTS.
• REVIEW AND UPDATE PARTNER AGREEMENTS FOR DATA PRIVACY
CLAUSES.
• DEFINE AND REVIEW SUPPLIER RELATIONSHIPS.
• CREATE AWARENESS ACROSS FUNCTIONS WITHIN THE
ENTERPRISE.
• DEVELOP AND ROLL OUT A ROLE-BASED INDUCTION PROGRAM.
• CONDUCT PRIVACY ASSESSMENTS REGULARLY AND AS AND
WHEN NEW PRODUCTS /PROCESSES ARE LAUNCHED.
Governance
DATA PRIVACY ACTIVITIES
• DEFINE TEMPLATES FOR DATA PRIVACY NOTICES.
• DEFINE PROCESSES FOR RECORDING CONSENT,
WITHDRAWAL OF CONSENT, CORRECTION OF STORED
DATA, DATA ERASURE AND PORTABILITY.
• DEFINE A POLICY FOR RETENTION AND DISPOSAL OF
DATA.
• INTEGRATE SECURITY SOLUTIONS WITH REGULAR
OPERATIONS.
• ESTABLISH DATA AUDIT TRAILS.
• MAINTAIN SYSTEM ACTIVITY REPORT LOGS, TEMPLATES,
RESPONSE RECORDS OF DATA SUBJECTS.
• MAINTAIN DATA SHARING LOGS, POLICIES, PROTOCOLS AND
DISCLOSURES.
Operations
DATA PRIVACY ACTIVITIES
• ASSESS IT SYSTEMS’ DATA PRIVACY ARCHITECTURES FOR
NEW REQUIREMENTS SUCH AS CONSENT MANAGEMENT,
DATA PRIVACY NOTICES, DATA ERASURE, PORTABILITY
AND BREACH NOTIFICATIONS.
• REMEDIATE AND RE-DESIGN APPLICATIONS TO ENABLE
PREVENTION, CONTROLLED ACCESS AND DATA
MINIMIZATION.
• DEFINE ACCESS CONTROL POINTS.
• IMPLEMENT AUTOMATED COMPLIANCE CONTROLS.
• MAINTAIN INCIDENT LOGS.
• CONDUCT REGULAR COMPLIANCE, AUDIT AND
VULNERABILITY TESTS.
Information Systems
PRIVACY BY DESIGN
• PRIVACY BY DESIGN REQUIRES THAT THE
ACTIONS AN ENTERPRISE PERFORMS WITH RESPECT TO PERSONAL
DATA BE CONDUCTED IN THE CONTEXT OF DATA PROTECTION AND
PRIVACY RIGHTS FROM THE OUTSET OF AN INITIATIVE, OR SIMPLY PUT,
THAT PRIVACY IS INTEGRATED INTO THE ENTIRE ENGINEERING
PROCESS.
• PRIVACY BY DEFAULT REQUIRES THAT ENTERPRISE LEADERSHIP SET A
STANDARD FOR PROTECTING DATA THAT GOES BEYOND MERE
COMPLIANCE REQUIREMENTS. ENTERPRISES THAT STRIVE FOR
PERSONAL DATA SECURITY BY DESIGN, AND ENABLE PRIVACY BY
DEFAULT, CREATE A SOLID BASIS FOR THEIR CUSTOMERS/CLIENTS AND
STAKEHOLDERS TO TRUST THAT THEIR PERSONAL DATA ARE IN GOOD
HANDS AND PROTECTED, A REWARDING OUTCOME FOR THE
ORGANIZATION.
Third-Party Risk Management
WHAT SHOULD PRIVACY POLICY INCLUDE?
HOW TO PROTECT YOUR PRIVACY ON SOCIAL MEDIA
https://dataprivacymanager.net/how-to-protect-your-privacy-on-social-media/
PERSONAL DATA PROTECTION LAW
• Personal Data Protection Council
• Personal Data Protection Unit
• Personal Data Protection Officer
• Confidentiality and security of processing
• Provisions for the electronic transfer and exchange of data within the Kingdom
• Transfer of personal data outside the Kingdom
• Penalties