Article

NewBanking is now Meo

Today marks a pivotal moment in our journey. NewBanking is now Meo. This rebrand reflects our dedication to personal data ownership and privacy. 'Meo' - Latin for 'Mine' - embodies our mission to empower individual control over data.
Meo
January 23, 2024
5 min read
Today marks a pivotal moment in our journey. NewBanking, a name you've known and trusted, is evolving. We're thrilled to announce our rebranding to Meo – a name that resonates with our core mission and vision. Meo, meaning ‘My’ or ‘Mine’ in Latin, is more than just a name. It's a declaration of our unwavering commitment to individual data ownership and privacy.

Why Meo?

In an era where digital footprints are expanding rapidly, the importance of data privacy can't be overstated. Meo is our answer to the growing need for control over digital identities and personal data. This new name embodies our belief that everyone should have the power to manage their digital presence securely and effortlessly. "Meo is uniquely built with Privacy by Design at its core, placing individuals firmly in control of their data, simplifying GDPR and CCPA compliance and acting as a responsible custodian of identities," states Christian Visti, our CEO. Meo is not just a service; it's a promise to uphold the highest standards of data privacy and give back control where it belongs: in the hands of individuals, with their data accessible to your business only with their consent.

Simplicity in complexity

The digital world, with all its opportunities, brings a complexity that can be daunting. Our role at Meo is to cut through this complexity, offering a platform that simplifies and streamlines everything related to compliance and data management. Whether it's onboarding and managing digital identities or ensuring regulatory compliance, we're here to make these tasks as seamless as possible. Our goal is to take the burden off your shoulders, letting you focus on what you do best, while we handle the intricacies of data privacy and compliance.

Meo: Empowering compliance professionals

To our dedicated compliance professionals, we understand the challenges you face daily. With Meo, we're not just offering a tool; we're providing a partnership. Our platform is designed to enhance your capabilities, making you more efficient and effective in your role. "Our renewed product vision focuses on supporting the complex nature of business verification, case management, custom risk modelling and automated scoring, rule-based AML checks, and superior UBO clarification - all while elevating the user experience to unprecedented heights," says Steffen Bilde, our Chief Product and Technology Officer. The transition to Meo means access to more advanced features, more robust support, and a community committed to excellence in AML compliance. In short, Meo is your superpower in the complex world of data privacy and regulatory compliance.

What stays the same?

While our name changes, our foundational principles remain steadfast. We continue to offer top-notch tools to onboard and manage digital identities (businesses and individuals), reduce risk, and ensure regulatory compliance. What changes is our enhanced focus on trust, transparency, and security – without any compromises.

What's next?

As we step into this new chapter as Meo, we're excited about the possibilities ahead. For our existing customers, this transition is a step up in the services and value you will receive. For those considering joining us, welcome to a new era of onboarding and managing digital identities and personal data with unmatched ease and security.

Keep an eye out for more exciting updates as we continue to evolve and enhance our offerings. Together, let's embrace the future with Meo – where your digital identity and data privacy are in safe hands.

Article

What is a PEP (Politically Exposed Person)?

Explore what a Politically Exposed Person (PEP) is, their role in compliance, and the importance of PEP identification in financial security.
Christian Visti
January 25, 2024
5 min read

Learn what a Politically Exposed Person list is.

PEPs, or Politically Exposed Persons, are individuals who are involved in politics or hold high office in governments, just to mention a few examples.

If your business is subject to Anti-Money Laundering (AML) laws and regulations, it's important that you can determine whether you are dealing with PEPs, as they often come with a higher risk of money laundering and financing of terrorism.

On this page we try to answer ‘what is a PEP’, and all other questions regarding the Politically Exposed Person list:

  • What is a PEP (Politically Exposed Person meaning)?
  • How does a PEP list work?
  • What do you need to do as a business if you have a client who is a PEP?
  • How the Meo platform can help you check your clients' identity and do PEP screenings.
  • Fight financial crime with thorough PEP screenings
  • Recent changes in PEP legislation
  • Identification of PEPs

What is a PEP?

What is the meaning of PEP? A PEP (Politically Exposed Person) is an individual who has a high-ranking job in a government or some other type of political position. In other words, it’s a person who possesses a certain form of political and institutional power.

Because of that power, they are considered high risk in relation to money laundering, blackmail, bribery and other types of corruption, whether the PEP takes part willingly or is coerced. Spouses, close family and close business partners are subject to the same enhanced measures (although they are not PEPs in their own right; see the section on related parties below), because their relationship to the PEP can be exploited by criminals to pressure the person in the position of power.

Examples of PEPs typically include:

  • Politicians
  • Leaders of government or state
  • Judges and members of the court
  • High-ranking members of the Central Bank
  • Ambassadors
  • High-ranking officers in the Defense Forces
  • Spouses and children of the people above (not PEPs themselves, but subject to the same requirements)
  • Close business partners and connections of the people above (likewise subject to the same requirements)

The Anti-Money Laundering Directive requires all businesses subject to it to be extra careful when they have clients or customers who are PEPs, since such relationships constitute an elevated risk.

It can be difficult for businesses to evaluate by themselves whether a current or potential client is a PEP. For that reason, a number of European governments have established lists of present and former PEPs, the so-called PEP lists.

What is a PEP list?

A PEP list is an overview of people who presently hold, or have formerly held, a position that qualifies them as a Politically Exposed Person under the EU's anti-money laundering rules.

The purpose of the Politically Exposed Person list is to make it easier for businesses to assess whether a client is subject to enhanced due diligence. Several European countries maintain a national PEP list (in Denmark it is published by the Danish FSA, Finanstilsynet), but coverage and format vary from country to country.

It's important to note that a list is not conclusive evidence of PEP status. A person can be a PEP despite not appearing on the list, for example because they have not yet been added, and the lists rarely include related parties.

The fact that PEP lists are incomplete, combined with the fact that spouses, close business partners and other related parties are subject to the same requirements even though they seldom appear on a list, makes it difficult for businesses to live up to the PEP requirement without accessing external data sources that specialize in maintaining updated lists of all people who fall under the PEP definition.

In these cases, a platform like Meo can help. With our AML solution you can quickly and easily perform PEP checks of clients and customers by screening a number of PEP lists all over Europe.

What do you need to do as a business if your client is a PEP?

If you take on a client who is a PEP, you need to conduct enhanced due diligence (an enhanced KYC check) and apply closer supervision and more frequent reviews of the business relationship. Under the EU's Anti-Money Laundering Directive this includes obtaining senior management approval for the relationship, establishing the source of wealth and source of funds involved, and conducting enhanced ongoing monitoring.

You can read more about how to conduct an enhanced KYC check in our article about KYC (Know Your Customer).

The review itself can, among other things, consist of your company investigating the client's financial transactions more carefully and evaluating the client relationship against the client's current risk assessment.

Meo makes it easy to perform a security check and cross-reference with PEP lists
With Meo’s platform you can easily verify your clients’ identity and cross-reference with a number of well-established Politically Exposed Person lists.
Furthermore, our platform ensures that your clients’ personal data is handled responsibly and in accordance with GDPR.

Fight financial crime with thorough PEP screenings

If you want to fight financial crime, you need to be aware of PEP lists. Employees and management must be able to identify PEPs and handle them correctly and safely in order to avoid financial crime.

On a global scale, bribery and corruption are major problems, and there are many examples of attempts to bribe or corrupt PEPs. Common international standards (notably the FATF recommendations) have therefore been established to combat them. The definition of PEPs, as well as the requirements for handling PEP transactions, are based on these international standards and on experience gathered over a number of years by authorities around the world.

Recent changes in PEP legislation

An important element of the new anti-money laundering rules is that companies must adopt a risk-based approach and conduct risk assessments of each individual customer relationship. This also applies to the rules on PEPs.

In addition, the knowledge and monitoring must be based on a risk assessment, meaning that companies must strengthen their efforts and monitoring of PEPs that are known to have a greater risk of exposure to money laundering, including bribery, etc.

Additional customer due diligence procedures and additional monitoring must be carried out as deemed necessary by the individual firm to ensure full compliance with the legislation.

Identification of PEPs

Rules on identification of PEPs are put in place as a preventive procedure and should therefore not be interpreted as stigmatizing PEPs as people engaging in criminal activities. Thus, companies have no grounds for refusing to proceed with a customer relationship or closing existing customer relationships solely on the fact that a person is a PEP or a close associate or business partner of a PEP.

PEPs should always be aware that they and their close associates and business partners may at any time be asked to explain or document their finances or other transactions.

Related parties and close collaborators

Related parties and close partners are not considered PEPs solely on the basis of their relationship with a PEP. However, they need to be identified because they may benefit from or be taken advantage of in relation to money laundering, corruption or bribery.

Related parties

The definition of a close relative of a PEP includes:

  • Parents
  • Spouse, cohabitant or registered partner
  • Children and their spouses, cohabitants and/or registered partners

This means that siblings, stepchildren and stepparents, for example, are not covered by the term.

Close partners

The definition of close business partners of a PEP includes:

  • A person who is the owner of a business or other legal entity together with one or more PEPs.
  • A person who has a close business relationship with one or more PEPs. For example, a trading partner.
  • A person who is the owner of a company or other legal entity established solely for the benefit of a PEP. This means that the person controls all the ownership interests or voting rights, etc. directly or indirectly.

Conversely, merely sitting on a board together with a PEP does not, by itself, make a person a close associate.
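As an added illustration (example code written for this page, not part of Meo's platform), the following Python sketch screens a client against a small constructed PEP list and applies the relationship rules from the PEP-list section and the two definitions above: family members and close associates as defined there produce a hit, while siblings and board colleagues do not. The relation labels, the name-normalisation rules and the birth-year check are assumptions made for the example, and every person on the list is fictional.

```python
"""PEP screening against a small constructed list, applying the relationship
rules from the text: family members and close associates trigger the same
enhanced measures as the PEP, siblings and board colleagues do not.
Added example for this article; not Meo's code, and the list is invented."""
import unicodedata
from dataclasses import dataclass, field

# Relationship types covered by the definitions above (assumed labels).
FAMILY_COVERED = {"parent", "spouse", "cohabitant", "registered_partner",
                  "child", "child_spouse", "child_cohabitant", "child_registered_partner"}
ASSOCIATE_COVERED = {"joint_owner", "close_business_relationship",
                     "sole_benefit_entity_owner"}
# Deliberately NOT covered: "sibling", "stepchild", "stepparent", "board_colleague".


@dataclass
class PepEntry:
    name: str
    birth_year: int
    function: str
    status: str                                    # "current" or "former"
    relations: list = field(default_factory=list)  # (name, birth_year, relation_type)


@dataclass
class Hit:
    category: str      # "pep", "family_member" or "close_associate"
    list_entry: str    # the PEP the hit relates to
    detail: str


_LATIN_FOLD = str.maketrans({"ø": "o", "Ø": "o", "æ": "ae", "Æ": "ae"})


def normalize(name: str) -> frozenset:
    """Fold case and accents and split into a token set, so that
    'Møller, Søren' and 'soren hansen moller' can be compared."""
    folded = unicodedata.normalize("NFKD", name.translate(_LATIN_FOLD))
    ascii_only = "".join(c for c in folded if not unicodedata.combining(c))
    return frozenset(ascii_only.casefold().replace(",", " ").split())


def names_match(a: str, b: str) -> bool:
    """Match when the shorter token set (at least two tokens, to avoid
    single-name false positives) is contained in the longer one."""
    ta, tb = normalize(a), normalize(b)
    small, big = (ta, tb) if len(ta) <= len(tb) else (tb, ta)
    return len(small) >= 2 and small <= big


def screen(client_name: str, client_birth_year: int, pep_list) -> list:
    """Return every hit for the client.  An empty list only means 'no match in
    this source'; it is not evidence that the client is not a PEP."""
    hits = []
    for entry in pep_list:
        if names_match(client_name, entry.name) and client_birth_year == entry.birth_year:
            hits.append(Hit("pep", entry.name, f"{entry.status} {entry.function}"))
        for rel_name, rel_year, rel_type in entry.relations:
            if not (names_match(client_name, rel_name) and client_birth_year == rel_year):
                continue
            if rel_type in FAMILY_COVERED:
                hits.append(Hit("family_member", entry.name, rel_type))
            elif rel_type in ASSOCIATE_COVERED:
                hits.append(Hit("close_associate", entry.name, rel_type))
            # any other relation type (sibling, board colleague, ...) is no hit
    return hits


def requires_enhanced_due_diligence(hits: list) -> bool:
    return bool(hits)


# Constructed sample list; every person here is fictional.
PEP_LIST = [
    PepEntry("Søren Hansen Møller", 1965, "member of parliament", "current", relations=[
        ("Mette Møller", 1967, "spouse"),
        ("Jonas Møller", 1994, "child"),
        ("Peter Hansen Møller", 1962, "sibling"),
        ("Lars Kjær", 1970, "joint_owner"),
        ("Anna Berg", 1975, "board_colleague"),
    ]),
    PepEntry("Anna-Louise Müller", 1958, "central bank board member", "former"),
]

if __name__ == "__main__":
    for name, year in [("Soren Moller", 1965), ("Mette Møller", 1967),
                       ("Lars Kjaer", 1970), ("Peter Hansen Møller", 1962)]:
        print(name, "->", [(h.category, h.detail) for h in screen(name, year, PEP_LIST)])
```

An empty result means only that this source had no match; as the text stresses, a person can be a PEP without appearing on any list, so the output should feed a risk assessment rather than replace it. Matching on a token set after folding case and accents catches reordered and transliterated spellings, and requiring the birth year to agree keeps common names from producing a flood of false positives; a real screening would run the same logic against an external provider covering many jurisdictions.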


Article

Customer Due Diligence - What is CDD and its connection to AML?

Understand Customer Due Diligence (CDD) and its critical role in Anti-Money Laundering efforts with insightful explanations.
Christian Visti
January 25, 2024
5 min read

Introduction to CDD

CDD, or Customer Due Diligence, is an important concept to know, especially for businesses that are subject to anti-money laundering laws, regulations and directives, banks among them.

Following the EU's fifth Anti-Money Laundering Directive (AMLD5), which member states had to transpose by January 2020, there have been a number of changes to money laundering laws in Europe. The most significant development is that businesses are obliged to apply a risk-based anti-money laundering (AML) model, which demands more of their ability to correctly assess customers and client relationships; this is where CDD comes into the picture.

In this article we comprehensively explain what CDD is – and answer the most frequently asked questions about the subject.

What is CDD?

CDD is an acronym for ‘Customer Due Diligence’.

The term applies to all procedures that a business uses to verify the identity of their customers or clients, as well as assess their background information and risk level. A number of these activities need to be completed before the potential client actually signs a legal contract and becomes a client.

Both individuals and other businesses can be subject to a CDD investigation.

Why is Customer Due Diligence important?

There are quite a few good reasons for businesses to have proper Customer Due Diligence procedures and checklists in place when you need to assess potential clients:

  • To protect your business against potential risks.
  • To make the best possible decisions as a business.
  • To comply with current laws and regulations.
  • To guard the business against deception and malpractice, such as identity theft.
  • To help the business identify unusual behavior with the business’ clients.

For these reasons, a procedure regarding Customer Due Diligence is a necessary tool for many businesses, in particular businesses subject to anti-money laundering laws and regulations.

Read more about the Danish Anti-Money Laundering Act (Hvidvaskloven).

Customer Due Diligence checklist

What is CDD, and how do you handle this process? CDD data consists of information regarding a customer or client that makes it possible to assess to what extent the client might put the business at risk of being misused for money laundering or the financing of terrorism.

This data can – among other things – consist of:

1. The client’s identity

Names, photos, addresses, and birth certificates can all be used to identify a client.

2. Background check

Part of the initial CDD is a PEP screening, which assesses whether the client is a so-called PEP (Politically Exposed Person). The background check also typically covers whether the client has been, or is, involved in scandals or other troubling activities; this information is usually publicly available, and checking it is called adverse media screening.

3. Ownership

If your client is a company or organization, it’s important to ascertain ownership of the businesses: who owns the business? If ownership is shared, who owns how many shares of the business?

4. Customer relationship

It's equally important to understand and get an overview of the professional relationship between you and your potential client. What is the nature of this relationship? What is the purpose of the partnership?

Enhanced Due Diligence (EDD) for high-risk clients

Certain clients – for example, PEPs – have a higher risk profile than others. In these cases, it’s important to implement procedures defined as Enhanced Due Diligence (EDD).

With Enhanced Due Diligence you investigate the potential client’s:

Legal matters

Has the person or business previously been convicted, or involved in a crime? Are there any contractual relations that need to be accounted for? Questions like these illustrate the importance of Customer Due Diligence and Enhanced Due Diligence.

Finances and taxes

How are their financial statements? Are there any obvious tell-tale signs of illegal activities?

Assets

Does everything add up when it comes to the person's or business' physical assets, including offices, production facilities and stock?

On-going control and assessment

You can implement an enhanced, on-going control and surveillance of the client’s business.

Who can benefit from a Customer Due Diligence checklist?

There are different types of companies and organizations that can benefit from using Customer Due Diligence checklists as part of their KYC processes. These include, among others:

  • Companies dealing with customers in general: such companies can benefit from a CDD checklist to help them avoid legal or financial problems that may arise from not conducting thorough due diligence on customers. By following the steps in the checklist above, the company can ensure that the necessary precautions are taken to avoid potential risks and problems.
  • Businesses obliged to comply with AML rules: anti-money laundering (AML) regulations require businesses to put in place additional measures to prevent the financing of criminal activities. Part of these regulatory requirements is the completion of CDD. By using a checklist, businesses can make sure they remain compliant with AML rules on an ongoing basis.
  • Any organization or financial institution that wants to protect itself from the financial risks associated with customers: documentation that helps a company identify and assess potential threats from its customers can be quite beneficial. By putting in place proper measures to mitigate these risks, businesses can protect themselves from the financial losses that may otherwise result.

What are the risks of not completing a Customer Due Diligence checklist?

First of all, your company could end up being liable for any losses incurred by the other party as a result of your company's negligence.

Secondly, your business may be subject to civil or criminal sanctions if it is discovered that you have participated in money laundering or other financial crime, even if unknowingly.

Thirdly, your company may miss important information about the other party that could be crucial to a decision-making process.

Finally, your company may be blacklisted for non-compliance with regulatory requirements or by financial institutions if it turns out that business has been conducted with individuals or entities in high-risk categories.

Customer Due Diligence in connection to money laundering

CDD procedures are invaluable for businesses that are subject to Anti-Money Laundering (AML) laws and regulations, as they’re necessary to conduct the individual clients’ risk assessments.

In many cases there is a need for both CDD (Customer Due Diligence) and KYC (Know Your Customer) information in order to get a proper overview of the client's risk profile and simultaneously verify their identity. The business' KYC procedure describes what tasks are necessary to perform before the business can credibly say that it knows its client.

For example, CDD and KYC procedures are necessary for:

1. New clients

Before a potential new client becomes an actual client, their identity needs to be verified and undergo a risk assessment.

2. Single transactions

Businesses in the financial sector as well as banks are required to investigate and evaluate whether clients are demonstrating suspicious behavior. This could for example be when making a substantial transaction or when dealing with high-risk countries.

3. Suspicion of money laundering

A thorough background check of the client is also necessary if you have a suspicion that they might be involved in criminal activities, such as money laundering.

4. Faulty or lacking documentation

If a client is unable to provide valid or approved identity documents then the business needs to perform a CDD check.

Streamline your Customer Due Diligence procedure with Meo

Meo is a software platform developed to handle information and data about your clients in a secure and centralized fashion.

With Meo you get:

A safe and automated onboarding

You can define and obtain the required information from your clients – directly in the platform.

A comprehensive overview

All relevant information about your clients is stored in one easy-to-use platform. It gives you a complete overview and ensures that you're compliant with GDPR. You can also tag clients for easy organization.

Automated processes

With Meo it's possible to integrate processes that automatically screen your clients against PEP lists.

What are some of the warning flags when it comes to CDD?

Warning flags that appear during a Know Your Customer (KYC) check should be carefully examined before deciding whether to initiate or continue the business relationship. They vary from company to company and industry to industry, but common warning flags to look out for during a CDD check include:

  • Customer information provided does not match the documentation obtained during the check
  • If the ownership picture is unclear or includes foreign companies and/or persons
  • There is a lack of registration of a beneficial owner
  • One or more of the company’s representatives are on PEP or sanctions lists
  • If the company’s representatives are involved in other companies that are assessed as high risk
  • If the industry in which the business operates is particularly prone to money laundering, such as cryptocurrency trading or bookmaking and betting
  • If the company’s activities include cash handling

And the list goes on and on. However, the most important thing is to be aware of and responsive to customer information and behavior to avoid unnecessary risk.
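The warning flags above are, in effect, rules. The following Python example, written for this page and not taken from Meo's product, encodes them as checks over a constructed client record and combines them into a due-diligence tier; the weights, thresholds, home country, high-risk industry list and the sample companies and people are assumptions chosen for illustration.

```python
"""Rule-based evaluation of the CDD warning flags listed above against a
constructed client record.  Added example for this article; the rules, the
weights and the tier thresholds are illustrative assumptions, not Meo's model."""
from dataclasses import dataclass

HOME_COUNTRY = "DK"                                      # assumption for the example
HIGH_RISK_INDUSTRIES = {"cryptocurrency trading", "betting", "bookmaking"}


@dataclass(frozen=True)
class Flag:
    code: str
    weight: int      # illustrative weight used for the score below
    reason: str      # human-readable justification kept for the audit trail


def check_information_mismatch(c):
    if c["declared"]["address"] != c["registry"]["address"]:
        yield Flag("INFO_MISMATCH", 3,
                   f"declared address {c['declared']['address']!r} differs from "
                   f"registry address {c['registry']['address']!r}")


def check_ownership(c):
    owners = c["owners"]
    total = sum(o["share_pct"] for o in owners)
    if total != 100:
        yield Flag("OWNERSHIP_UNCLEAR", 3, f"declared shares sum to {total}%, not 100%")
    foreign = [o["name"] for o in owners if o["country"] != HOME_COUNTRY]
    if foreign:
        yield Flag("FOREIGN_OWNER", 2, "owner(s) outside home country: " + ", ".join(foreign))
    if not any(o.get("beneficial_owner") for o in owners):
        yield Flag("NO_UBO", 4, "no registered beneficial owner")


def check_representatives(c):
    for r in c["representatives"]:
        if r.get("sanctions_hit"):
            yield Flag("SANCTIONS", 10, f"{r['name']} matches a sanctions list")
        if r.get("pep_hit"):
            yield Flag("PEP", 4, f"{r['name']} matches a PEP list")
        if r.get("other_high_risk_companies"):
            yield Flag("HIGH_RISK_LINKS", 2,
                       f"{r['name']} is involved in: " + ", ".join(r["other_high_risk_companies"]))


def check_business_profile(c):
    if c["industry"] in HIGH_RISK_INDUSTRIES:
        yield Flag("HIGH_RISK_INDUSTRY", 3, f"industry {c['industry']!r} is prone to laundering")
    if c["cash_handling"]:
        yield Flag("CASH_HANDLING", 2, "activities include cash handling")


CHECKS = [check_information_mismatch, check_ownership,
          check_representatives, check_business_profile]


def evaluate(client):
    """Return (tier, flags).  The tier decides the due-diligence level; the
    flags with their reasons are what you keep to document the decision."""
    flags = [f for check in CHECKS for f in check(client)]
    codes = {f.code for f in flags}
    score = sum(f.weight for f in flags)
    if "SANCTIONS" in codes:
        tier = "escalate"       # never onboard on a sanctions match; escalate and report
    elif "PEP" in codes or "NO_UBO" in codes or score >= 8:
        tier = "high"           # enhanced due diligence
    elif score >= 3:
        tier = "medium"
    else:
        tier = "low"
    return tier, flags


# Constructed sample records (fictional companies and people).
CLEAN_CLIENT = {
    "declared": {"address": "Vestergade 10, Aarhus"},
    "registry": {"address": "Vestergade 10, Aarhus"},
    "owners": [{"name": "M. Nielsen", "country": "DK", "share_pct": 100, "beneficial_owner": True}],
    "representatives": [{"name": "M. Nielsen"}],
    "industry": "software consulting",
    "cash_handling": False,
}
RISKY_CLIENT = {
    "declared": {"address": "Vestergade 1, Aarhus"},
    "registry": {"address": "Vestergade 10, Aarhus"},
    "owners": [{"name": "Harbour Holdings Ltd", "country": "GB", "share_pct": 60, "beneficial_owner": False},
               {"name": "J. Berg", "country": "DK", "share_pct": 30, "beneficial_owner": False}],
    "representatives": [{"name": "J. Berg", "pep_hit": True,
                         "other_high_risk_companies": ["Nordic Bets ApS"]}],
    "industry": "betting",
    "cash_handling": True,
}
SANCTIONED_CLIENT = dict(CLEAN_CLIENT, representatives=[{"name": "M. Nielsen", "sanctions_hit": True}])
```

Two design choices matter here: a sanctions match short-circuits the score, because a sanctions hit is a prohibition rather than a risk factor to be weighed, and every flag carries the reason it fired so the decision can be documented and reviewed later rather than reconstructed from memory.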

Who is Meo?

Who are we at Meo and why do we help with CDD in banking and other organisations and fields?

At Meo we work with KYC procedures and Customer Due Diligence in several different institutions and organisations. Our previously mentioned software-as-a-service helps to streamline these processes and handle data and exchanges correctly and securely in compliance with GDPR.

We have for many years worked with several types of organisations with everything from AML, data security, compliance checks, PEP lists and general knowledge sharing within RegTech. Our digital solution assists with efficient CDD by checking PEP-lists and thorough background checks.

You are very welcome to contact us to learn more about our software and digital solutions, as well as our onboarding. Sign up to receive our newsletter, where we regularly send information and knowledge sharing on everything from ’what is CDD and how to be aware of money laundering’.

Article

What is KYC (Know Your Customer)?

Delve into the essentials of 'Know Your Customer' (KYC), why it's vital for businesses, and its impact on financial compliance.
Christian Visti
January 25, 2024
5 min read

KYC (Know Your Customer)

KYC is about knowing your customers and clients so your business can avoid getting involved with organizations that commit crimes, launder money or fund terrorism.

In this article we explain:

  • What is KYC (Know Your Customer)?
  • What type of businesses are subject to Anti-Money Laundering (AML) laws and regulations, as well as KYC?
  • What requirements does international law – including the EU Anti-Money Laundering directive – have regarding KYC?
  • How can your business make sure you know your customers & clients?

With Meo you get a thorough and easy-to-use Know Your Customer platform that can verify and document your clients' identity and perform a KYC check in real time, from first contact with the client until the customer relationship ends.

Read more about the platform here or contact us to hear more about how we can help your company with KYC compliance.

What is KYC?

KYC is an abbreviation for “Know Your Customer.”

The term is especially used in finance because banks, accounting firms, lawyers and private equity funds all have to document their clients' identity so that authorities can trace where money is coming from and going to.

This is meant to prevent, or at least obstruct, money laundering and the use of money obtained by criminal means. If authorities are unable to supervise or audit the flow of money, it undermines confidence and trust in financial organizations and in companies whose business depends on stocks, investments and the wider financial market.

If you do not fulfill the demands of KYC, it can result in fines, penalties, sanctions, and even prison sentences. The exact amount or extent depends on local laws and regulations. A 2020 Financial Times article found that: “[...] AML fines in the initial six months of 2020 reached a total of $706m, compared with last year’s aggregate of $444m.”

What businesses and organizations are subject to the Anti-Money Laundering (AML) directive and KYC?

Many different types of businesses, including all companies and organizations involved in finance and the financial sector, are subject to anti-money laundering laws and regulations – and therefore KYC.

This applies, but is not limited, to:

  • Banks, financial institutions and merchant banking
  • Credit, currency exchange and securities businesses
  • Foundations and stock brokers
  • Lending firms
  • Providers of financial leasing
  • Insurance companies
  • Accountants and accountancy firms
  • Company formation agents and other trust or company service providers
  • Lawyers and attorneys
  • Realtors
  • Businesses that trade in goods and make or receive cash payments of €10,000 or more (the EU's fourth Anti-Money Laundering Directive lowered this threshold from €15,000)

What requirements does the law and regulations have in regards to KYC?

The overall directives and regulations regarding knowing your customer are best exemplified in European law by the Anti-Money Laundering (AML) Directive. Among other things, it states that businesses need to perform risk assessments, verify the identity of their clients or customers, and report if they have suspicion of money laundering or other types of fraud.

Risk assessments are structured procedures, wherein you evaluate the risk as objectively as possible and approach each client individually, instead of treating them uniformly.

That means you are required to have clear guidelines and policies in place regarding the risk of being involuntarily involved in money laundering and financial crime, and to support your employees with guidance and well-established procedures for when and how to report suspected money laundering if the suspicion cannot be refuted.

In addition, you need to be able to document your vetting and verification of, among other things, your clients' identity. It is futile to perform a check if you cannot document your findings afterwards. A typical error is to manually assess copies of passports and driver's licenses without keeping a record: it is necessary not only to vet the documents to ascertain their legitimacy, but also to document that the verification was performed, by whom, when and against which sources.

With a KYC Platform such as Meo you can automate much of the process, while simultaneously documenting that you are complying with GDPR and other data protection laws while handling personal data.

How do you perform an audit or check of your client’s identity?

Your vetting and verification of your clients' identity builds on your risk assessment and the identified risk. Based on that, you apply either an enhanced or a simplified procedure.

Strict procedures for physical persons can, among other things, be a request for a copy of their passport, a physical meeting or further demands regarding the terms of your expected shared business.

If it’s regarding a legal entity, you can request founding documents, articles of association and make more comprehensive requirements for the description of the business scope.

A KYC check requires the retrieval of personal data documenting the client's identity. As a starting point this includes the name and a national identification number (such as the Danish CPR number) for a person, or a company registration number or Legal Entity Identifier (LEI) for a legal entity. With this information you can verify and check your client's identity and thereby comply with KYC standards.

This identifying information needs to be vetted via an independent and credible source. That means the documents need to be verified and compared with other registries or sources that can validate addresses, passports or names.

For both persons and legal entities you need to – if relevant – obtain information about the goal of the business venture and the extent of your relation.

How often do you need to check your client’s identity?

You need to vet your client’s identity at the start of every business venture – and if there are changes in your client’s circumstances, as well as at appropriate times.

With high-risk clients the procedure is typically repeated at least once a year, whereas with low-risk clients a check every five years can suffice.

The extent of the KYC check depends on the risk assessment of the client. In cases where you assess that there is a low risk of money laundering, you can perform a simplified KYC check. You could, for example, choose not to obtain updated documentation, provided that the identification papers (ID) you received originally are still legally valid.
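To make the documentation requirement concrete, here is an added Python example (not Meo's code) that records each identity verification as a hash-chained entry, so that an altered, removed or reordered record is detectable, and derives the next review date from the client's risk tier. The yearly and five-yearly intervals come from the text; the three-year interval for a medium tier, the field names and the two sample verifications are assumptions made for the example.

```python
"""Tamper-evident record of identity verifications plus the next review date
by risk tier.  Added example for this article, not Meo's code; the review
intervals for 'high' and 'low' follow the text, 'medium' is an assumption."""
import hashlib
import json
from datetime import date, timedelta

REVIEW_INTERVAL_DAYS = {"high": 365, "medium": 3 * 365, "low": 5 * 365}
GENESIS = "0" * 64


def _entry_hash(entry: dict) -> str:
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    payload = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def append_verification(log: list, *, client_id: str, verified_by: str, method: str,
                        sources: list, document_bytes: bytes, risk_tier: str,
                        verified_on: date) -> dict:
    """Append one verification.  The ID copy itself stays in the document
    store under the retention rules; the log only holds its SHA-256, which is
    enough to prove which copy was checked."""
    entry = {
        "client_id": client_id,
        "verified_on": verified_on.isoformat(),
        "verified_by": verified_by,
        "method": method,
        "sources": sorted(sources),
        "document_sha256": hashlib.sha256(document_bytes).hexdigest(),
        "risk_tier": risk_tier,
        "next_review": (verified_on + timedelta(days=REVIEW_INTERVAL_DAYS[risk_tier])).isoformat(),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,   # chain to the previous entry
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log: list) -> bool:
    """True if no entry was altered, removed or reordered since it was written."""
    prev = GENESIS
    for entry in log:
        if entry["prev_hash"] != prev or _entry_hash(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def reviews_due(log: list, today: str) -> list:
    """Client IDs whose most recent verification has reached its review date
    (today given as an ISO date string)."""
    latest = {}
    for entry in log:
        latest[entry["client_id"]] = entry      # later entries overwrite earlier ones
    due = date.fromisoformat(today)
    return sorted(cid for cid, e in latest.items() if date.fromisoformat(e["next_review"]) <= due)


def build_sample_log() -> list:
    """Two constructed verifications; the document bytes stand in for real scans."""
    log = []
    append_verification(log, client_id="C-1001", verified_by="analyst-7",
                        method="passport copy checked against population register",
                        sources=["passport", "population_register"],
                        document_bytes=b"constructed passport scan", risk_tier="high",
                        verified_on=date(2023, 1, 15))
    append_verification(log, client_id="C-1002", verified_by="analyst-3",
                        method="driver's licence copy checked against address register",
                        sources=["drivers_licence", "address_register"],
                        document_bytes=b"constructed licence scan", risk_tier="low",
                        verified_on=date(2023, 6, 1))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", verify_log(sample))
    print("reviews due on 2024-03-01:", reviews_due(sample, "2024-03-01"))
```

The entry stores a SHA-256 of the ID copy rather than the copy itself, which ties the record to the exact document that was checked without duplicating personal data into the log; the copy stays in the document store for the retention period that applies (five years after the end of the business relationship under the EU directive). Chaining each entry to its predecessor means a deleted or backdated verification breaks verification of everything written after it.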

Remember to check for PEP (Politically Exposed Person)

Under the EU's Anti-Money Laundering Directives (the fourth directive extended the rules from foreign to domestic PEPs as well), you are also required to determine whether the person is a PEP (Politically Exposed Person).

Politically exposed people are individuals whose political position or relation makes them a high risk target for money laundering. That’s because they’re more likely to be exposed to blackmail, bribery or in some other way (voluntary and coerced) be involved in financial crimes.

This can be done by cross-referencing with publicly available information and databases, also known as PEP-lists.

It’s important to be aware that these lists are not sufficient in order to indicate whether a person is considered a PEP – they’re only lists of the people that local governments have reported as explicitly politically exposed.

Spouses, close family and close business partners of people on the PEP lists are subject to the same requirements, even though they are not PEPs in their own right, and they rarely appear on the lists themselves. That makes it especially difficult for businesses to comply with the PEP requirements without using external data sources that specialize in maintaining updated lists of all persons who fall under the PEP definition.

Meo works together with a number of external data vendors that specialize in maintaining updated PEP lists covering a wide variety of nationalities and sectors.
Article

Data processing and GDPR

Essential guide to GDPR-compliant data processing, helping businesses navigate complex regulations effectively with Meo.
Christian Visti
January 25, 2024
5 min read

Data Processing & Compliance

GDPR (General Data Protection Regulation) sets a high standard for the processing of personal data and for how you document your actions. For that reason it's important that you know what personal data is and how it is processed correctly.

In this article we dive deep into data processing and explain:

  • What is data processing and what is considered sensitive data?
  • What requirements does GDPR set for your data processing?
  • How do you process personal data correctly?
  • What’s in a data processing agreement?
  • What's the difference between a data processor and a data controller?

What is data processing and what is sensitive data?

Data processing is any activity in which personal data is collected, registered, stored, analyzed, transmitted, deleted, sold etc. The term is defined so broadly that any contact with personal information is basically considered as data processing.

Data, in this case, is defined as formalized information that is typically handled by a machine or a computer.

Most businesses and organizations will, in one form or another, handle or process some type of data, most often personal data. The GDPR defines personal data as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Typically, personal data is divided into two categories. Some countries also have a third category, while others treat “confidential personal data” as part of the sensitive category.

  • General or common personal data: names, e-mail addresses, place of residence, place of employment, and other factual information that is publicly available.
  • Sensitive personal data (‘Special category of personal data’): Health records, information about a subject’s ethnicity, religion, or sexual identity. This data is more personal, and should therefore be handled with greater care.
  • Confidential personal data: social security numbers, criminal records and other classified information that needs to be regulated separately.

What requirements does GDPR set for your data processing?

According to the GDPR, all personal data needs to be handled and processed with particular care. The more personal or private the information, the more rules and regulations you have to uphold while processing it.

If you want to know more about how you should protect your clients’ personal data, you can read our article about data security.

Here is a concrete example of what the GDPR demands of you when you process data: A business needs to verify whether a given name actually belongs to the client. This is a requirement under KYC as defined in the Anti-Money Laundering Directive. Here you are required to use authoritative data sources that verify the credibility of the information, for example by inspecting a copy of the client’s passport or driver’s license. You are then required to document that you’ve verified their identity. All of this data processing needs to happen in accordance with the GDPR.

Is there a difference between data handling and data processing?

Data handling and data processing are often used interchangeably.

However, you could say that data processing is the overall term for both data handling and data utilization.

Data handling can be seen as an almost passive or non-transformative processing of data, whereas with data utilization you do something with that data, such as analyzing, deleting, or changing it.

How do you process personal data correctly?

In order to process personal data correctly, you need:

  • The legal right and a legitimate purpose
  • Consent from the person whose personal data you’re processing
  • A data processing agreement

A legal right and a legitimate purpose are prerequisites whenever you process personal data. Your rights are limited by whether you’re processing general or sensitive personal data.

You need consent from the person whose personal data you’re processing. This needs to fulfill a number of requirements: it needs to be voluntary, limited or specific, informed, and unambiguous. Furthermore, you need to document and verify that you’ve obtained the consent correctly.

There are exceptions to the requirement for consent. This could be the case if, for example, processing is necessary out of care and due diligence toward the person, or if the data manager has a legitimate interest that isn’t superseded by the subject’s own interests.

You can read more about consent on GDPR.eu.

Thirdly, businesses need a data processing agreement. This is a contract which contains instructions for the data processor on how to process the information. This agreement is between the data manager and data processor.

What’s in a data processing agreement?

A data processing agreement needs to give clear instructions to the data processor concerning how the information should be handled and processed. It’s a legally binding document that needs to be in writing and kept electronically.

The purpose of the agreement is to ensure that the personal data is treated and processed responsibly and securely. It’s also important that it contains requirements for how and when to contact the data manager if there’s suspicion of a security breach or misuse. If your business is the data processor it’s your responsibility to inform the data manager about suspicions of misuse or data breaches.

As part of the instructions, the data processor should also be required to perform audits, yearly or at an agreed interval, to document that they’re following the instructions and current laws. This can be done through an audit report certified by an external auditor.

You can find a template for a data processing agreement on GDPR.eu.

What’s the difference between a data processor and a data manager?

The data processor and the data manager are not the same party.

The data manager (the role the GDPR itself calls the data controller) is the party that determines which data to process, for what purpose, and using which tools. The data manager defines the ground rules for how the data ought to be processed.

On the other hand, the data processor is the party that performs the actual processing on behalf of the data manager.

It’s important to separate the two, because they have different requirements. One party, the data manager, ensures that the data processing is GDPR compliant, whereas the other party, the data processor, takes responsibility for acting in accordance with the given instructions.

Easier data processing with Meo

With Meo you can easily find the information you need about your clients using a simple search. And personal data is deleted or properly archived, whenever a business relation ends.

The platform makes sure that you comply with GDPR and makes it easy to handle data for:

  • Onboarding: onboard your clients using secure channels.
  • Validation: determine your requirements for validation of information.
  • Documentation: full log and tracking of actions and access.


Data protection: How to protect your clients’ personal data and comply with GDPR

Learn how to protect your clients' personal data and ensure GDPR compliance with Meo's robust security solutions.
Christian Visti
January 25, 2024
5 min read

A Business Obligation

Businesses that process personal data and information are obligated to protect that data. Data security is a foundational premise if you work in the financial services sector – but it’s also a necessity if you handle or process any form of data.

In this article we explain:

  • What is data protection?
  • Technical data protection
  • Organizational data protection
  • How to manage breach of data protection

With Meo you can simplify the process of protecting your clients’ personal data – from first contact till the end of your business relationship. Our solution ensures that you comply with GDPR and Anti-Money Laundering (AML) laws and regulations in all of the EU.


What is data protection?

Data protection is a catch-all term for all security measures and safeguards that protect your own – and your clients’ – data.

All businesses in the EU are obligated under GDPR (General Data Protection Regulation) to protect their customers’, employees’ and other partners’ data – including their personal data. This applies to both internal (people in the organization) and external (for example, hackers) parties.

It’s up to the business itself to implement sufficient safety measures that protect data. These safeguards are usually categorized as either:

  • Technical security measures or precautions
  • Organizational security measures or precautions

The appropriate degree or extent of such measures for your business is up to you. This requires, among other things, that you make a Data Protection Impact Assessment (DPIA) and a consequence analysis of your data protection. You can find a template for a Data Protection Impact Assessment (DPIA) on GDPR.eu.

Furthermore, it’s important that you can document that you’ve installed or implemented the necessary measures, and that you subsequently and regularly evaluate whether they’re sufficient in order to protect the personal information you process.

There are a number of internationally recognized standards for data protection, such as:

  • ISO 29151
  • ISO 29134
  • ISO 27001

They can be read in full on the International Organization for Standardization’s website.

As a data manager and as a data processor it’s important to be aware that following these standards and guidelines is not synonymous with complying with GDPR. For that reason it’s important that you have a systematic, professional, and structured approach to the job. If you process sensitive personal data (‘special category of personal data’) it can be necessary to add further protection measures.

Technical data protection

Technical data protection and safeguards are all forms of security measures that rely on digital tools and IT infrastructure. They are implemented predominantly on computers and servers.

This could, for example, be:

  • Firewalls
  • Passwords
  • 2-factor authentication
  • Encryption
  • Logging of data handling
  • Different administrative roles
  • Storing data in levels (so a breach doesn’t give access to all data)
  • Anti-virus
  • Backup

Organizational data protection

Organizational data protection and safeguards are the type of data protection that involves people and processes. Data is secured by training employees and following guidelines that prevent accidental errors or intentional breaches of personal data.

This term applies to:

  • Procedures for data processing
  • Clear distribution of roles and access
  • Security courses
  • Education of employees
  • Risk and consequence assessments
  • Action plans for breaches of personal data

How to manage breaches of data protection

No data protection is fail-safe and fool-proof.

This is also acknowledged by the GDPR itself and by most of the regulatory agencies responsible for enforcing it in the EU.

In order to minimize the damage of a breach, it’s important that you have a clear action plan for when you suspect there has been a breach of your security. This encompasses, but is not limited to, a clear division of responsibilities between data manager and data processor, how you report potential breaches to clients, and clear guidelines for how you report breaches to the relevant regulatory authorities.

With Meo you get AML and GDPR compliant data protection

With Meo, you get a software platform that protects your clients’ data and ensures you comply with Anti-Money Laundering (AML) laws and regulations.

Furthermore, the platform helps you verify your clients’ identity so you comply with KYC and CDD. Get more information about our security by reading our Security Whitepaper.