Protecting privacy and customer confidentiality

Our customers place their trust in us – not only with their finances, but also with their personal information and data. To this end, accountability for privacy and data protection ultimately lies with the Board, with a Group Data Protection Officer (DPO) overseeing awareness, training and reporting to the UK Information Commissioner’s Office, supported by additional country DPOs. We see privacy as a vital component to achieving our Purpose to champion potential, helping people, families and businesses to thrive.

Whilst we have a central privacy team to oversee privacy compliance we also ensure that we have privacy embedded across all parts of our business. Therefore all business areas have an Accountable Executive responsible for privacy compliance in their business, who are supported by local privacy teams who are subject matter experts.

Our Privacy and Client Confidentiality Policy is wider than covering privacy alone. The policy covers both data protection and client confidentiality, therefore all our customers, employees and third parties who we interact with can be confident that we have protection of their data at heart because they are protected regardless of their formation; whether they are individuals, sole traders, partnerships or incorporated companies. The policy has a defined escalation process for privacy and client confidentiality issues. The Privacy and Client Confidentiality Policy sets out how we manage privacy and client confidentiality breaches and personal data breaches and specifies that anyone breaching the policy can be subject to disciplinary action.

NatWest Group provides updates to senior management on privacy and client confidentiality including at board level and in particular to the Board Risk Committee. Updates and reminders are also provided through internal employee communications. This ensures that privacy is at the forefront of all of our colleagues’ minds, and that there is appropriate visibility across the bank at all levels from senior executives right through to branch colleagues.

NatWest Group has adopted a layered and accessible approach to providing privacy information, as recommended by the UK Information Commissioner. We present an overview of our approach to Data Protection & Privacy on our website; any visitor to our digital platforms can select to proceed to a page containing more detailed information. We ensure that our privacy information pages are constantly reviewed to ensure they are up to date and accessible to our customers and visitors to our various digital platforms.

We are striving to improve the way in which customers can provide their marketing preferences to ensure they receive marketing information in line with their wishes. We’re continually refining our systems to comply with the General Data Protection Regulation (GDPR), the UK Data Protection Act and other local legislation. We factored in the impact of Brexit and UK & European case law on our privacy obligations and cross-border data flows. In addition to this, we have a close relationship with regulators and industry bodies as appropriate. Our privacy teams are in regular contact with our financial crime and fraud teams to assist with queries and new initiatives to help victims of financial crime.

All colleagues and contractors are required to undertake annual mandatory privacy and client confidentiality training. Each year, we also engage with our suppliers to understand the privacy governance arrangements they have in place, including policy, mandatory procedures and training and awareness.

Topics include:

  • What the bank’s privacy & client confidentiality obligations are.
  • Privacy considerations for new projects, systems, etc.
  • How colleagues should recognise & respond to requests from individuals to exercise their data rights.
  • What to do in the event of a breach.

The training module is updated annually, with new topics and learnings from the previous year. Job specific training is provided as necessary for colleagues based upon their job roles. The bank uses internal checklists intended to guide the best decision making, and the safe use, storage and sharing of information, which include the YES Check and Info SAFE checklists.

Info SAFE is used to support our Artificial Intelligence and Machine Learning strategy via Fairness Assessments of models, in addition to the checklist questions below which are relevant for all colleagues across the bank when they deal with customers’ or colleagues’ data. The Info SAFE checklist asks the following questions:

Secure: Are you confident that the bank and its suppliers are meeting the required policies and standards for protecting our customers’ and colleagues’ information?

Accountable: Am I confident that I understand my responsibilities when using customers’ and colleagues’ information to make decisions?

Fair: Are decisions made using customers’ and colleagues’ information, accurate, just and reasonable, including those decisions made using Artificial Intelligence?

Ethical: Are decisions made using colleagues’ and customers’ information reflective of our core values, inclusion and pro-diversity?

New data driven innovations bring new opportunities to build systems using fundamental privacy principles such as Privacy by Design and Default. The privacy teams work closely together to ensure fundamental privacy concepts are implemented and to ensure consistency across the bank. The teams work hard on Privacy Impact Assessments to ensure that privacy risks are identified and minimised early.

Regulator communications and data subject rights

NatWest Group has specialist teams who respond to queries relating to data subject rights. Data subject access requests have remained relatively steady following the GDPR coming into force in May 2018, with a low volume of other data subject requests concerning, for example, objection to processing, erasure and data portability since 25 May 2018. The number of information requests relating to Payment Protection Insurance tailed off in 2020, following the deadline of August 2019.