Privacy | RBS


Good information handling is integral to what we do. We understand that our customers not only trust us with their finances, but also expect us to do the right thing with their information.

So we take privacy and the protection of customer, client and staff data very seriously and our colleagues across the bank continue to work closely together to ensure the bank protects the information it holds. We endeavour to ensure we balance protecting customers' information, while also giving them options as to how they want to share and access their information (for example, the ability to use third-party aggregation apps).

The bank has updated, and where necessary introduced, new processes and procedures to ensure its compliance with the new General Data Protection Regulation (GDPR). We also continue to closely monitor the impact of the Brexit negotiations on our privacy obligations and cross-border data flows, and we are liaising with industry bodies as appropriate.

We continue to maintain a close and open working relationship with our privacy regulators, including the Information Commissioner's Office (ICO) in the UK. The bank engages with the ICO proactively, liaising with the regulator on key projects and developments.

We care about being transparent and ensuring our customers can access the information we hold about them. We have seen a strong increase in the volume of Subject Access Requests compared to 2017, with the bank receiving more than 11 million requests from 1 January to 31 December 2018. The vast majority of these were PPI related information requests, an average of more than 938,537 per month (or 496 per month excluding PPI requests). Given the GDPR’s strong focus on empowering individuals to take back control of their data and hold organisations to account for their data processing practices, and also given the amount of publicity there has been about individuals’ rights, as well as the approaching deadline for PPI claim submissions, the overall volume increase in Subject Access Requests was anticipated. GDPR introduced a number of new subject rights. However, we have received a low volume of requests concerning, for example, objection to processing, erasure and data portability since 25 May 2018. This was also anticipated.

The statistics below show the number of Requests for Assessments (RFAs) that the bank has received from the ICO. Despite the increase in RFAs, we remain pleased that the numbers remain very low considering the overall size of our customer base, in particular the number of complaints that are ultimately upheld by the ICO. We believe that the increase in RFAs reflects the increase in complaints that the ICO has received since the GDPR came into force.


General Data Protection Regulation (or GDPR)

The regulation contains the new regulatory framework which regulates the processing of personal data within the European Union, setting out the ways in which information about living individuals may legally be collected, used and handled.

Information Commissioner’s Office (or ICO)

The ICO is the UK’s independent authority, set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

There are equivalent regulators in other EU Member States.


Payment Protection Insurance is a type of insurance product that enables a customer to insure repayment of credit should the customer become unable to make payments (e.g. through illness or loss of employment).

Requests for Assessment (or “RFA”)

The ICO may issue a Request for Assessment to organisations if it has concerns about that organisation’s compliance with applicable data protection legislation (e.g. if a customer makes a complaint).

Subject Access Request (or “SAR”)

A SAR is a written request from an individual to see information an organisation holds about them. Organisations must provide the information subject to very limited exemptions. In the UK, organisations must currently provide the information within 40 days of receipt of the request and can charge a maximum of £10 to respond to such requests.

