
Protecting privacy and customer confidentiality

Managing data privacy

Protecting privacy is vital to retaining trust and growing customer engagement. We aim to address privacy requirements through the application of privacy by design and by default principles within our systems and processes. Everyone in NatWest Group must follow our Privacy and Client Confidentiality (P&CC) policy that sets out how we safeguard the personal data of our customers, colleagues and third parties, including our communities, suppliers and investors. Our policies and procedures also demonstrate our aim to comply with legal and regulatory requirements, including the UK GDPR, the Data Protection Act 2018 and the Data (Use and Access) Act 2025.

All colleagues and contractors undertake mandatory P&CC training annually. This training is reviewed and updated every year to cover new topics and technologies, emerging risks and any lessons learned from the previous year. Job-specific training is also provided as necessary for colleagues, for example, privacy training to our data and artificial intelligence colleagues.

During 2025, there were a small number of breaches of GDPR and confidentiality (impacting a very small percentage of customers and employees) that we remediated, but there were no material reportable ‘personal data breaches’ under GDPR and no enforcement action by data protection authorities. We endeavour to respond to and remediate privacy complaints as quickly as we can.

Our approach to cyber and information security

NatWest Group’s cybersecurity risk management forms part of NatWest Group’s overall enterprise-wide risk management framework (EWRMF), with management of cybersecurity part of NatWest Group’s wider operational risk management.

NatWest Group has a comprehensive set of layered security defences to protect against new and emerging threats. These are regularly tested by both our in-house security testing team and leading experts in the cybersecurity industry. To ensure we continue to defend against new and emerging threats, we have a series of programmes that develop and improve the deployed defences.

NatWest Group follows a pan-Group approach to Operational Resilience, with Business Continuity being one of the core resilience capabilities. Business Continuity requirements include defining roles and responsibilities, assessing the business impact of disruption to critical processes, defining business recovery strategies / procedures, and testing the effectiveness of continuity plans. Business Continuity plans must be reviewed and tested annually, or sooner if there is a material change. In addition, the Group maintains a documented Incident Management Framework to support the response to high priority incidents, including those that are cyber security related, by providing rapid and agile command, co-ordination and escalation protocols. Incident Management response capability is validated on an annual basis. Incident Management exercises are also undertaken to validate the invocation and adequacy of the Senior Control Groups.

Policies supporting cybersecurity risk management

To support our management of cybersecurity risk, policies are in place that set out the legal, regulatory and business requirements to protect Group information and services. They are reviewed at least annually against industry best practice and are available internally to all colleagues.

Policies are primarily reviewed against the Information Security Forum: Standard of Good Practice (ISF: SOGP) as well as other relevant publications by authorities such as the National Cyber Security Centre (NCSC). They are also aligned to a number of international and industry standards including ISO 27001 and the National Institute of Standards and Technology Cyber Security Framework. Policy benchmarking is completed against the ISF: SOGP to confirm there are no control gaps. Throughout 2025, NatWest Group was certified by the IASME Consortium Ltd (IASME) in Cyber Essentials Plus, a recognised government-owned scheme operated by the National Cyber Security Centre (NCSC).

Oversight, audit and colleague engagement

Board and executive oversight:

The Board and executive management are engaged in our security strategy through regular reporting from the Digital X business, led by NatWest Group’s Chief Information Officer (CIO) who is the accountable executive for information and cybersecurity. The Group’s Chief Information Security Officer reports into the CIO and presents an information and cybersecurity update to the Executive Risk Committee and Group Board Risk Committee annually as a minimum. Matters are escalated to the Board as required.

Audits:

An external audit is completed on an annual basis as part of NatWest Group’s wider financial audit requirements. Internal audits are completed on an ongoing basis and reported monthly to the Group’s Security Risk Committee.

Colleague engagement:

Our internal learning modules provide training and awareness on information and cybersecurity risks that every colleague and contractor must complete annually. These are supported by email communications and further information is also available on our intranet.

Colleagues also receive job-specific training, for example, our Security team attends courses with the Centre for the Protection of National Infrastructure and the NCSC, as well as having opportunities to gain professional qualifications. There are clear escalation routes in place for colleagues to report any cyber or information security concerns.
