GDPR, Anonymization of Customer Data

In accordance with the directives for GDPRClosed The General Data Protection Regulation is a regulation in EU law on data protection and privacy in European Union and European Economic Area., individual customers' data privacy has to be protected. Data Governance is the process that classifies sensitive data and anonymizes it on request for data protection regulations.

NOTE  
Based on our experience, FintechOS selected which information to anonymize. The financial institution can validate or add/remove attributes from the anonymization process within Innovation Studio.

There are two scenarios when the data can be anonymized:

  1. Automatically

    After 5 years (not counting the year of closure) the contractual relationship between a customer and a bank has ended. Certain data is automatically anonymized by the system.

  2. Manually

    Upon user request, the bank can manually select a customer for which the data to be anonymized.

The types of information that are anonymized are username and password and:

Session information and activity within the Online and Mobile Banking solution:

session information
IP
login time
logout time
used functionalities during the session
 

Personal data about their identity and contact information:

FTOS_IB_Users
Name
System User ID
User Name
Name
Middle Name
Last Name
Personal ID Number
Customer ID CoreBanking
Document No.
Email Address
Mobile phone number
Name
Full Name
Name
Middle Name
Last Name
Personal ID Number
Customer ID CoreBanking
Document No.
System User ID
Unique Identifier IB
Email Address
Mobile phone number
Name
System User ID
ClientID
Accounts

SecurityLimitAmount

 

Products, services and transactions including communication between the customer and bank.

Customer
IB user ID
Attachments
Customer
IB user ID
payerFirstName
payerMiddleName
payerLastName
payerAccount
Payer Address
Payer Postcode
beneficiaryName
beneficiaryIBANAccount
paymentReason
name
transactionId
ultimatePayer
ultimatePayerID
ultimateBeneficiary
purposeOfPayment
firstAuthorizerUserID 
secondAuthorizerUserID 
thirdAuthorizerUserID 
fourthAuthorizerUserID 
FTOS_IB_FCYPaymentId
accountNumber
beneficiaryAddress
beneficiaryPostCode
paymentattachments
obligatedPartyPayer 
companyIdObligatedParty 
personIdObligatedParty 
personIdObligatedPartyForeigner 
documentNo 
documentDate 
FTOS_IB_UtilityPaymentContractid
Name
ibUser
customerId
Name
utilityPaymentServiceParentId
Name
utilityPaymentContractid
userXTransactionTypeid
Transaction_ID
paymentDetails
FTOS_IB_TemplatesId
templateFriendlyName
schemaType
currency
visibleAllUsers
payerAccount
beneficiaryName
beneficiaryIBANAccount
paymentAmount
paymentCurrency
paymentReason
paymentType
name
paymentCategory
beneficiaryAddress
detailsOfCharges
settlementDate
obligatedPartyPayer 
companyIdObligatedParty 
personIdObligatedParty 
personIdObligatedPartyForeigner 
budgetTypePayer 
budgetTypeCode 
budgetTypeDescription 
docTypeName - Document Type
docTypeName - Document No
documentDate 
FTOS_IB_BulkFilesId
bulkFileName
Alias
IBAN
availableBalance
Reason for the blocked amount
blockedAmount
Currency
Balance
Loan number
 

The anonymization is done based on a rule. Both requests manually and automatically, anonymize the data that have the status Inactive. Manually, the bank representative searches for the user or customer or automatically, the system anonymizes all the records which meet the rule.

IMPORTANT!  
All the records, which will be anonymized, must be in the Inactive state first before anonymization.

Prerequisites

You need an administrator role to perform this action. Additionally, before creating the request, you need to disassociate the users from the customer. Then, you must inactivate the users.

To inactivate a user, two flows are in place. The maker must:

  1. Open the FintechOS Portal.
  2. Click the button Search Users.
  3. Type a value in one of the columns: User name, first name, last name, mobile phone number, email address, personal ID number, Core Banking Unique Id, System User Id.
  4. Select the user needed for the modification from the grid.
  5. On the page Edit IB User, in the grid Associated Customers, select the customer. The User Client List page is displayed.
  6. In the grid Current Modifications List, select the active user by clicking once on the entry in the grid.
  7. Click Inactive.

    IMPORTANT!  
    You cannot inactivate a user from the grid Active settings (before current modifications). A toast message is displayed. Firstly, click Rest the modifications or Activate & Approve, then turn the user inactive.

    The record is saved automatically. The user is displayed in the grid Current Modifications List with the business status To Be Inactivated.

From here, it is the checker who finishes the inactivation.

The checker must:

  1. Log in the FintechOS Portal with the given credentials.
  2. From the grid Requests sent for Approval, double-click the record with the business status To Be Inactivated. The User Client List opens.
  3. Click the Pick Up button. The page reloads.
  4. Click Approve & Activate. The business status is Inactive.

Creating a Sensitive Request and Approve the Records Manually

The following process is done by a back-office employee from the bank:

  1. Log into FintechOS Portal with the credentials given.
  2. Click the dashboard Settings.
  3. Click the button GDPR Anonymization.
  4. Open the main menu, and select Data Anonymization Requests. The Sensitive Requests List is displayed.
  5. Click Insert.
  6. Fill in the following fields:
    FieldDescription
    Request NoInsert a suggestive number.
    Request DateThe system automatically displays the current date.
    Sensitive Context

    Select one from the list:

    • GDPR Account (affects data from more entities)

      The attributes are CNP, Name, Phone, First Name, Last Name, entityStatusID.

    • GDPR User.
    NOTE  
    Two requests must be made, one with each of the contexts above for the anonymization to be complete.
  7. Click Save and reload. The Request Search Attributes grid is displayed. It is time to choose a customer who has those attributes active.

  8. In the grid, in the column named Search Value, insert the corresponding CNP of the customer you are trying to anonymize.

  9. Click Save and reload. The request was created.
  10. On the top right-hand corner, in the Business Workflow widget, the status is Register. Change the status to Requested by clicking on Choose status, and then on Requested from the drop-down.
  11. The system asks you: Are you sure you want to change the business status?

    Click Yes to continue. The data to be anonymized is populated.

    or

    Click No to stop the process.

  12. Click in the section tab Data Found. The Request Entities grid is displayed, it showcases the customer.
  13. On the top right-hand corner, in the Business Workflow widget, the status is Requested. Change the status to Validated by clicking on Validated.

    If the Rule is approved, then:

  14. The system asks you: Are you sure you want to change the business status?
    • Click Yes to continue. The rule is triggered and the status is Solved.

      or

    • Click No to stop the process.
  15. Click the section tab Data found.
  16. Click on the customer found.
  17. In the page Edit Request Entity, the fields become read-only, and the Request Data Rules grid displays the outcome of the rule in the Message field:
    • success

      It has the status pending approval.

      or

    • fail.
  18. On the top right-hand corner, in the Business Workflow widget, the status is Pending Approval. Change the status to Approved or Rejected by clicking Choose status, and then on Approved from the drop-down if the configuration is as needed.
  19. Click Save and reload. In the Data Found section tab, the Business Status is Anonymized.

  20. If the Rule is Rejected, then:

    The system displays the message: Are you sure you want to change the business status?
    • Click Yes to continue. The rule is triggered and the status is Solved.

      or

    • Click No to stop the process.

    In the page Edit Request Entity, the fields become read-only, and the Request Data Rules grid displays the outcome of the rule:

    • success

      or

    • fail.

      The status is Rule Rejected.

  21. On the top right-hand corner, in the Business Workflow widget, the status is Rule Rejected. Change the status to Approved or Rejected by clicking on Pending Approval, and then on Approved from the drop-down if the configuration is as needed.