Back to main menu
Search
Search
Overlay

This page will be updated shortly. Please see our 2025 Annual Report and Accounts and our 2025 Climate Transition Plan Report for the latest announcements.

Protecting privacy and customer confidentiality 

Privacy is a vital component of serving our customers and is therefore embedded across NatWest Group and its subsidiaries. NatWest Group has a Privacy and Client Confidentiality (P&CC) policy which sets out our ethical approach to respecting the fundamental data privacy rights of individuals and safeguarding personal data of our customers, employees and any third parties we have engagement with such as our communities, suppliers and our investors. Our responsible practices always address privacy and look to grow trust and customer advocacy. 

Everyone in NatWest Group is required to follow these rules to ensure compliance with relevant legal and regulatory requirements, and role responsibilities. The policy requirements are embedded within our risk processes and are subject to rigorous controls, embedded and assured against the P&CC operating model. The Group’s Chief Data Protection Officer has responsibility for oversight of privacy issues. Our internal audit function undertakes assurance on operational effectiveness of key internal controls, governance and risk management in place to monitor, manage and mitigate key privacy risks.

Privacy by design and default

We drive to embed privacy by design and default. This requires the integration of data protection into processing activities, business practices, products and services from the design stage of a product and through its lifecycle. We have a privacy by design and default project which continues to embed these requirements.

Data Protection Impact Assessments are end-to-end risk assessments of the privacy impacts of a new or changed process, product or project. They are an integral part of data protection by design and default and help us to design more efficient and effective processes for handling personal data.

We expect our third-party suppliers to meet legislative frameworks, including privacy legislation. Each year, we actively engage with our suppliers to understand the privacy governance arrangements they have in place (including policy, mandatory procedures, training and awareness) and review the responses to ensure that satisfactory controls exist.

Transparency

NatWest Group has adopted a layered and accessible approach which follows regulator guidance to provide information about how we use our customers’ and colleagues’ data in the privacy notices on our websites. Privacy notices are aligned to each part of our business and can be found on our website. Links to some privacy notices are provided below:

Privacy notices are subject to regular review to ensure they remain up to date and accessible to users across all digital platforms. 

Data transfers and collaboration

We continually refine our systems to comply with GDPR, the UK Data Protection Act and other local privacy legislation. We factor in the impact of UK and European case law, the UK Artificial Intelligence (AI) regulatory framework, and the EU AI Act on our privacy obligations and cross border data flows. Our privacy teams are in regular contact with other internal teams to assist with initiatives such as supporting victims of financial crime and meeting our Consumer Duty obligations. 

Privacy and confidentiality training

All colleagues and contractors are required to undertake annual mandatory privacy and client confidentiality training. Training topics include:

  • Our privacy and client confidentiality obligations.
  • Privacy considerations for new projects and systems.
  • How colleagues can recognise and respond to requests from individuals to exercise their data rights.
  • What to do in the event of a data breach.

The privacy and client confidentiality training module is updated annually with new topics and learnings from the previous year. Job-specific training is also provided as necessary for colleagues, for example training on Artificial Intelligence for the benefit of our privacy colleagues. Our privacy specialists are also required to complete privacy qualifications to undertake their role.

Our colleagues responsible for a privacy breach may be subject to disciplinary action under our Disciplinary Policy where appropriate. We review each breach on its facts and look to foster a culture where individuals are encouraged to report, understand the serious consequences of a data breach, and actively learn from their errors and improve their day to day working practices. 

Regulator communications and data subject rights

NatWest Group has specialist teams who respond to queries relating to data subject rights. In addition, we engage with relevant regulators and industry bodies as appropriate. 

Our approach to cyber and information security

NatWest Group’s cybersecurity risk management forms part of NatWest Group’s overall enterprise-wide risk management framework (EWRMF), with management of cybersecurity part of Natwest Group’s wider operational risk management.

NatWest Group has a comprehensive set of layered security defences to protect against new and emerging threats. These are tested at least annually by both our in-house security testing team and leading experts in the cybersecurity industry. To ensure we continue to defend against new and emerging threats, we have a series of programmes that develop and improve the deployed defences.

NatWest Group follows a pan-Group approach to Operational Resilience, with Business Continuity being one of the core resilience capabilities. Business Continuity requirements include defining roles and responsibilities, assessing the business impact of disruption to critical processes, defining business recovery strategies / procedures, and testing the effectiveness of continuity plans. Business Continuity plans must be reviewed and tested annually, or sooner if there is a material change. In addition, the Group maintains a documented Incident Management Framework to support the response to high priority incidents, including those that are cyber security related, by providing rapid and agile command, co-ordination and escalation protocols. Incident Management response capability is validated on an annual basis. Incident Management exercises are also undertaken to validate the invocation and adequacy of the Senior Control Groups.

Policies supporting cybersecurity risk management

To support our management of cybersecurity risk, policies are in place that set out the legal, regulatory and business requirements to protect Group information and services. They are reviewed at least annually against industry best practice and are available internally to all colleagues.

Policies are primarily reviewed against the Information Security Forum: Standard of Good Practice (ISF: SOGP) as well as other relevant publications by authorities such as the National Cyber Security Centre (NCSC). They are also aligned to a number of international and industry standards including ISO 27001 and the National Institute of Standards and Technology Cyber Security Framework. Policy benchmarking is completed against the ISF: SOGP to confirm there are no control gaps. In addition, NatWest Group is certified by the IASME Consortium Ltd (IASME) in Cyber Essentials Plus, a recognised Government-owned scheme operated by the NCSC.

Oversight, audit and colleague engagement

Board and executive oversight:

The Board and executive management are engaged in our security strategy through regular reporting from the Digital X business, led by  NatWest Group’s Chief Information Officer (CIO) who is the accountable executive for information and cybersecurity. The Group’s Chief Information Security Officer reports into the CIO and  presents an information and cybersecurity update to the Executive Risk Committee and Group Board Risk Committee annually as a minimum. Matters are escalated to the Board as required.

 

Audits:

An external audit is completed on an annual basis as part of NatWest Group’s wider financial audit requirements. Internal audits are completed on an ongoing basis and reported monthly to the Group’s Security Risk Committee.

 

Colleague engagement:

Our internal learning modules provide training and awareness on information and cybersecurity risks that every colleague and contractor must complete annually. These are supported by email communications and further information is also available on our intranet.

Colleagues also receive job-specific training, for example, our Security team attends courses with the Centre for the Protection of National Infrastructure and the NCSC, as well as having opportunities to gain professional qualifications. There are clear escalation routes in place for colleagues to report any cyber or information security concerns. 

Related content

Compliance and conduct

Read more about how we are building a bank that is safe, simple and smart.

Information Message

Consumer protection

Read more about how we are committed to ensuring we empower customers to detect and prevent fraud and scams at first point of contact.

Information Message

Customer complaints

Read more about our approach to resolving customer complaints and how many we received in 2023.

Information Message