Recognizing Privacy Gaps and Risks in FinTech

March is FinTech Privacy Month

To kick off FinTech month, it is worth noting that organizations in this sector collect a large amount of personal information related to the services and products they provide. This dependency on data positions them in the most-at-risk part of the MPC Privacy Quadrant.

These organizations are typically also regulated by financial authorities, with obligations to provide evidence of a strong cybersecurity program and data protection compliance on demand. They depend on a supply chain that increases and diversifies their technology-related risk portfolio. Insurance companies and financial institutions are not immune to cyber attack pressures either, and it is believed that aggressive and sophisticated attacks will proliferate in both frequency and complexity over the next decade[1].

FinTech companies big and small face the ever-growing pressures of protecting critical information against fraud, unauthorized access, and phishing attacks.

The need for privacy and for maintaining the security of personal information remains critical for Canadians, especially during the pandemic, when more products and services than ever before, such as submitting loan applications, making payments and processing insurance claims, are offered online.

What FinTechs should learn from the many breaches and regulatory enforcement actions in order to keep their business operations in the “privacy safe zone”:

  • No business model justifies collecting more information from individuals without valid consent or legally justified business reason
  • Consumers care, so creating win-win situations where consumers want the products or services offered because of their business and privacy value is the way to go
  • Over-retention of personal information is a no-no. Keeping information just because the business “feels” it may need it later erodes consumer trust and is against privacy laws. There needs to be an active relationship with the customer, and the retention period needs to fall within the legal limits

Personal information shall be retained only for as long as needed to fulfill the purposes for which it was collected. Two exceptions to this requirement are (i) if the individual consents to a longer retention period, or (ii) if longer retention is required by law. Personal information that is no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous[2].

  • Organizations that fail to report a breach may be fined up to $100,000[1]. With so many information-rich repositories, it is no wonder FinTechs are premier targets for cyber-attacks and ransomware
  • Annual simulations and testing of incident/breach management procedure should be top of mind. Having an incident/breach management procedure is no longer sufficient if it is not tested
  • Data inventories and data flow mapping are critical for these organizations. Knowing with whom they share information avoids unlawful disclosures and the potential exposure to breaches downstream in the supply chain
  • Privacy by Design and Security by Design should be non-negotiable for business processes where personal information collection and/or processing occurs
  • Big Data is no longer big news: it’s happening. FinTechs need to be prepared and have proper risk assessment processes for uses of data as they expand their business models
  • Understand technology functionality through a privacy lens – a must for assessing the potential privacy risks and harms. The dependency on digital supply chains will only continue to grow.
  • Secure data disposition will become increasingly critical to an enterprise’s overall data governance efforts

Managed Privacy Canada has recently introduced a privacy Playbook (the 2021 P3), aligned with industry thought leadership and compliance standards, to jump-start your privacy compliance efforts. For more information visit:

Co-authored by: Anindita Bose, Privacy Advisor at Managed Privacy Canada & KnowledgeFlow Cybersafety Foundation

For additional insights and certified expertise:
Twitter: @managedprivacy

[1] Cyber Risks. (2019). Implications for the Insurance Industry in Canada.

[2] Savoie, A., Thibodeau, M., Castillero, M. B., & Holmes, N. (2020, November 17). Canada’s Federal Privacy Laws – No. 2007-44-E. Retrieved February 23, 2021, from
