Protecting privacy and customer confidentiality 

We see privacy as a vital component of serving our customers and it is therefore embedded across all parts of our business. NatWest Group has a Privacy and Client Confidentiality (P&CC) policy which sets out the rules everyone is expected to follow to ensure compliance with relevant legal and regulatory requirements, and role responsibilities. The policy requirements are embedded within our risk processes and are subject to rigorous controls, embedded and assured against the P&CC operating model. 

During 2023, while there have been a small number of breaches of GDPR and the duty of confidentiality (impacting a very small percentage of customers/employees) that we have sought to remediate, there have been no material reportable ‘personal data breaches’ under GDPR and no enforcement action by data protection authorities.


NatWest Group has adopted a layered and accessible approach to providing information about how we use our customers’ and colleagues’ data in the privacy notices on our websites. This information is subject to regular review to ensure it remains up to date and accessible to users across all digital platforms. 

Data transfers and collaboration

We continually refine our systems to comply with GDPR, the UK Data Protection Act and other local legislation. During 2023, we factored in the impact of UK and European case law, the progress of the Data Protection and Digital Information Bill and the Indian Digital Personal Data Protection Act 2023 on our privacy obligations and cross-border data flows. Our privacy teams are in regular contact with other internal teams to assist with initiatives such as supporting victims of financial crime and meeting our Consumer Duty obligations.

Privacy and confidentiality training

All colleagues and contractors are required to undertake annual mandatory privacy and client confidentiality training. Each year, we also engage with our suppliers to understand the privacy governance arrangements they have in place (including policy, mandatory procedures, training and awareness) and review the responses to ensure that satisfactory controls exist. Training topics include:

  • our privacy and client confidentiality obligations
  • privacy considerations for new projects and systems
  • how colleagues can recognise and respond to requests from individuals to exercise their data rights
  • what to do in the event of a breach

For more information on privacy and confidentiality training, see page 33 of our 2023 ESG Disclosures Report

Ethical use of AI and data

We aim to help customers thrive as a data-driven, artificial intelligence (AI) powered relationship bank connected with a digital world. We use sophisticated analytics to help understand our customers’ circumstances, so we can better support them.

For more information on ethical use of AI and data, see page 32 of our 2023 ESG Disclosures Report

Privacy by design and default

We aim to embed privacy by design and default. This requires the integration of data protection into processing activities, business practices, products and services from the design stage of a product and through its lifecycle. We have set up a privacy by design and default project which continues to embed these requirements. Data Protection Impact Assessments are an integral part of data protection by design and default. These assessments help us to design more efficient and effective processes for handling personal data.

Regulator communications and data subject rights

NatWest Group has specialist teams who respond to queries relating to data subject rights. In addition, we have a close relationship with relevant regulators and industry bodies as appropriate.

For more details, see our 2023 ESG Disclosures Report

Related content

Read more about how we are building a bank that is safe, simple and smart.

Information Message

Read more about how we are committed to ensuring we empower customers to detect and prevent fraud and scams at first point of contact.

Information Message

Read more about our approach to resolving customer complaints and how many we received in 2023.

Information Message