Marketing and personal data protection
Responsible marketing of products and services
Good banking requires SpareBank 1 SMN to inform the customer how best to relate to the financial products that are available. To that end the bank proactively presents important themes related to responsible marketing of the bank’s products.
SpareBank 1 SMN’s strategy is to illuminate challenges related to marketing. This sparks useful discussions and contributes to improvements. A pertinent example is the bank’s work on good advice on the use of personal credit and responsible lending practices, for which the bank received the Consumer Council’s acknowledgement in 2016.
SpareBank 1 SMN’s products and services, and labelling and marketing material, are developed at central level in the SpareBank 1 Alliance. The savings and investment committee in the Alliance conducts a quality assessment of labelling and marketing for the bank. The bank’s Markets division has overall responsibility for responsible marketing. The bank has a complaints arrangement readily available to its customers online, via a dedicated telephone number and to the Financial Services Complaints Board. The bank has not received complaints regarding its labelling of products and services. In 2018 the bank noted one breach of personal data security in connection with the marketing of an event. (GRI 417-2)
Before products are launched or distributed by the bank, they are subject to a wide-ranging assessment of their impact on the product’s target group. The bank carries out a systematic risk assessment in which it obtains independent assessments related to law, ethics and the intelligibility of the product to the target group.
Personal data protection and information security
The bank is dependent on the confidence and trust of its customers, the supervisory authorities, shareholders and other stakeholders. The bank manages large quantities of customer data via its services. This imposes major requirements on the bank’s handling of customer information and compliance with key principles of personal data protection.
A new Personal Data Act that implements the General Data Protection Regulation (GDPR) entered into force on 20 July 2018. Work on complying with the personal data rules has continued into 2019. The bank has developed templates to support implementation of the requirements of the Personal Data Act. A separate template for data protection impact assessments (DPIAs) has been prepared by the SpareBank 1 Alliance. A new data protection declaration was published on the bank’s website in 2018.
The bank worked on digitalisation measures in 2018. While acknowledging the need to digitalise and simplify more services, it considers it imperative to protect personal data and ensure information security.
The bank reported seven breaches of personal data security to the Data Protection Authority in 2018. The mission for 2019 is to continue the training initiative, establish good deletion procedures and continue the process of incorporating personal data protection into our systems.
The bank manages large quantities of customer information. In the bank’s view, personal data protection is about securing the necessary confidentiality, integrity and accessibility of all personal data that are owned, processed or managed by the bank. The quantity of information and the possibilities for its use and misuse are growing apace. The trust that we as a bank are dependent on – from customers, supervisory authorities and other stakeholders – will to an ever increasing degree rest on our secure management of customer data. We have accordingly described the bank’s commitments in detail and made them available to the bank’s stakeholders here: https://www.sparebank1.no/en/smn/about-us/privacy-policy.html
Further, the bank has a specific policy and overarching guidelines for personal data protection. The guidelines help the bank to comply with requirements on treatment of personal data, both in the current personal data legislation and in the EU’s new General Data Protection Regulation (GDPR) which enters into force in May 2018. The guidelines describe the bank’s treatment of personal data, roles and responsibilities in the field of personal data protection, and how necessary documentation is made available and updated.
The bank completed phase two in the Personal Data Act project in 2017. The project improved compliance with statutory requirements. Through the project the bank established clearer descriptions of roles and responsibilities. In addition the bank put in place a more robust internal control system featuring exceptions handling and control and follow-up activities enabling us to improve our management system over time.
The bank has appointed a personal data officer to assist the Group CEO in matters of compliance with requirements on treatment of personal data. The personal data officer acts as a specialist adviser, and has responsibilities related inter alia to oversight of compliance, handling of exceptions, risk assessment and reporting to the Data Protection Authority any unauthorised release of personal data.
The bank reported one breach of the requirements regarding treatment of personal data to the Data Protection Authority in 2018. In addition the bank reported one case of outsourcing to cloud computing to Finanstilsynet (Norway’s Financial Supervisory Authority). The bank has received no complaints of personal data breaches. (GRI 418-1)
Training was given at various levels of the organisation in 2018, both electronically and in the classroom. We will continue the work on closing identified gaps and on securing involvement, responsibility assignment and training across the organisation. In addition preparations continue for the introduction of the General Data Protection Regulation both in the bank and in the SpareBank 1 Alliance. The subsidiaries are also carrying through personal data projects in 2018.
Developing a security architecture and solutions geared to a more open business model is a challenge facing the entire financial industry. SpareBank 1 SMN accordingly participates in the Alliance’s shared security strategy effort in order to address and handle the changes this development entails.
Financial industry developments combined with accelerating technological development pose new threats and security challenges. SpareBank 1 SMN is concerned with security, high operational continuity and reliable services for the customer. Action has been taken to strengthen capacity, robustness and further development in selected areas, in particular in information security as regards open banking, and coordination and securing of cloud services.
The SpareBank 1 Alliance’s Information Security Policy is the basic steering document for all processing of information in the SpareBank 1 Alliance, and builds on the Alliance’s overall security policy. The bank has a separate policy for the outsourcing of IT services as well as a joint security strategy that covers the entire alliance. Important decisions such as outsourcing are also considered by the board. The department for operative information security in the SpareBank 1 Alliance delivers SpareBank 1 SMN’s technical solutions, including continuous monitoring of the bank’s systems.
The ICT Regulations guide much of the work on information security and follow-up of the ICT area. SpareBank 1 SMN’s internal and external audit functions both regularly review matters regulated by the ICT Regulations.
SpareBank 1 SMN has established a number of technical security measures with regard to information security, where training and raising of awareness are at centre stage. The bank’s competence and attitude-moulding programme for information security, Passopp, designed to strengthen the security culture across the entire organisation, was in progress in 2018 and continues in 2019. Based on internal surveys, the bank conducts analyses and prioritises focal areas for the attitude-moulding programme.
The bank wishes to play its part in promoting safe and secure customer behaviour and in familiarising customers with information security. The website, smn.no, offers tips and advice on secure use of the bank.