General Data Protection Regulation (GDPR). Remember that? It’s hard to believe that nearly five years have passed since our inboxes were flooded with messages from all sorts of organisations asking us to resubscribe to newsletters and to agree to new privacy policies.
As we mark Data Privacy Day on 28 January, it’s good to remind ourselves of what GDPR required organisations that process personal data to do. It’s also a good opportunity to highlight how MeDirect continues to ensure it adheres to the regulation’s responsibilities both towards customers and employees.
Let’s begin by recapping the seven main principles that underpin the GDPR legislation. Briefly, these are that personal data should be:
- processed lawfully, fairly and transparently;
- used for limited purposes;
- kept to a minimum;
- accurate;
- kept confidential.
In addition, the data controller within any organisation is responsible for, and must be able to demonstrate, compliance with these principles.
The objectives of GDPR are impossible to argue against. In a data-driven society, protecting privacy is paramount. Implementation, of course, can always prove more challenging. At MeDirect we continue to focus on a twin-track approach of investing in technology and in our human resources to meet our obligations.
As Malta’s first digital bank, much of the personal information we collect on customers is done through our secure website and mobile app. The security of these platforms, and the way in which data collected from them is managed, are a constant focus for our Tech teams.
The input of our legal and compliance departments is also very important to ensure we only collect the information we need to be able to offer customers the financial services they are looking for, while at the same time complying with all other relevant banking regulations. Systems are important but so is teamwork.
This teamwork across the bank also comes into play when processing the personal data of employees. MeDirect is a large organisation with more than 300 colleagues, spread across multiple locations and with many opting to work remotely. Together with our colleagues in Human Resources, we regularly review both our technology and our procedures to ensure the data held is necessary and safe.
One of the biggest challenges any organisation faces when it comes to protecting personal data is minimising the risks posed by human error. We all know about emails where the addresses are listed in the ‘To’ field rather than the ‘BCC’ one or about photos posted on social media which reveal personal information.
Of course, mistakes are always going to happen, but they are more likely to happen when a false sense of security takes hold. That’s why, at MeDirect, we make it a point to conduct regular training and provide periodic reminders to all our employees about the importance of being diligent when handling information about customers or colleagues. We also emphasise the need to report any potential breach, in line with our regulatory requirements. Marking Data Privacy Day is an important part of this ongoing awareness effort.
GDPR may no longer be in the limelight, but its importance remains undiminished. Continuous training and reviews of systems and technology are necessary but so is encouraging a culture of integrity, transparency and trust across the whole Bank. It is teamwork that really underpins MeDirect’s GDPR compliance.
MeDirect Bank (Malta) plc, company registration number C34125, is licensed to undertake the business of banking in terms of the Banking Act (Cap. 371) and investment services under the Investment Services Act (Cap. 370). MeDirect Bank (Malta) plc is regulated by the Malta Financial Services Authority as a Credit Institution under the Banking Act 1994.