FAQs About Privacy and Data Protection
Rules are changing around the world, in particular with updated data protection requirements in The Bahamas and The Cayman Islands. Proven Bank wants to ensure that we comply fully with global expectations, as well as the requirements of the legislation and regulations in the jurisdictions in which we operate and the countries where our customers are based. These new laws introduce significant fines for breaches of data privacy.
Proven Bank has opted to adhere to the higher standards arising from the various legislative changes occurring in the locations in which we operate; these are likely to be equivalent to GDPR in most instances.
Q. WHAT IS GDPR?
A. GDPR is the General Data Protection Regulation, which came into effect in the European Union on 25 May 2018.
Q. WHAT IS PERSONAL INFORMATION (“PI”)?
A. PI is defined broadly as any data relating to a living individual who can be identified from that data. PI includes:
- names;
- addresses;
- social security numbers or local equivalent;
- telephone numbers and e-mail addresses; and
- health and financial information.
Q. WHAT IS THE AIM OF HAVING DATA PROTECTION LAWS?
A. The aim of this legislation is to ensure that good information handling practices are in place. Poor handling of personal data enables identity theft, stolen credit cards and breaches of privacy policies, which in turn result in fraud, theft and deception. Abuse of health data, financial data or children’s data can have an adverse impact on insurance, credit, jobs or parental control.
Q. WHAT IS PROVEN BANK DOING TO ADHERE TO THESE NEW REQUIREMENTS?
A. We have done the following:
- appointed a Chief Data Protection Officer (“CDPO”);
- appointed Local Information Officers (“LIO”) in each jurisdiction and for each subsidiary;
- published an internal policy to assist our staff;
- published a privacy statement on our website;
- continue to ensure third parties we deal with and to whom we pass information uphold our data protection standards; and
- adjusted, where necessary, our terms and conditions for clients to properly reflect new requirements.
Q. WHAT’S THE ROLE OF THE CHIEF DATA PROTECTION OFFICER (“CDPO”)?
A. The CDPO will provide the knowledge, expertise, day-to-day commitment and independence to properly advise the Group of its duties and to conduct compliance activities in relation to the GDPR and applicable data protection requirements. He or she will be supported in this work by the Local Information Officers, as well as by our Risk and Compliance personnel. The CDPO will be responsible for ensuring timely notification of material breaches to the Executive Committee and to the Board, and for ensuring prompt liaison with regulators, including the parent regulator (The Central Bank of The Bahamas).
Q. WHAT’S THE ROLE OF A LOCAL INFORMATION OFFICER (“LIO”)?
A. The LIO will have responsibility for a specific jurisdiction or subsidiary, with accountability for ensuring that local management, the local board(s) and the CDPO are made aware of any issues arising. They will be required to handle local reporting of breaches to regulators (in conjunction with local management and Compliance, as required), as well as ensuring that material breaches are escalated promptly to the CDPO for timely notification to the Executive Committee, the Board and the parent regulator.
Q. WHAT IS A BREACH?
A. A variety of breaches can occur: from sending a client’s information (or certain of it) to the wrong address, to failing to protect client data from an IT or cyber security perspective, to failing to seek appropriate client consent to process their data, etc. Whilst the CDPO, assisted by the LIO, will be primarily responsible for breach reporting, all of our employees are directed to be vigilant and to draw potential breaches to the attention of the LIO as soon as possible. Where appropriate, impacted clients will also be promptly notified.
Q. CAN I ASK WHAT INFORMATION PROVEN BANK HOLDS ON FILE/IN ITS SYSTEMS ABOUT ME?
A. Yes. You may make a Data Subject Access Request for a copy of the data we hold about you. All such requests must go through the LIO in the first instance. Certain data is held by Proven Bank in compliance with our regulatory obligations for Anti-Money Laundering and Anti-Terrorist Financing (together “Financial Crime”); this data does not need to be disclosed to clients, nor may it be destroyed.
Q. CAN I ASK FOR MY PERSONAL DATA TO BE REMOVED?
A. Yes. Clients are permitted to ask for data to be erased, subject to any local laws that require certain data to be retained. Any request for data to be erased must be provided to the LIO in the first instance, who will liaise as required. Should data be erased, the LIO will ensure that a formal notification of confirmation is provided to you.
Q. WILL YOU SHARE MY DATA WITH ANYONE ELSE?
A. We have put in place appropriate inter-Group data transfer agreements that allow certain data to be shared among Proven Bank entities. This is for the purpose of ensuring that customers receive the correct product or service from Proven Bank.
Q. WHO CAN I CONTACT IF I HAVE A QUESTION ABOUT MY DATA?
A. Please see our Privacy Statement for contact information.