We operate in accordance with our Group Data Privacy, Data Protection and Management Policies, which articulate our commitment to collecting, using, and safeguarding customer and stakeholder data at a consistent and high standard. Our data and security management policies and processes are seamlessly integrated into our robust risk and control framework.
The Data Protection/Privacy function reports to the Group Data Protection Office, led by the Group Data Governance Head for Data, Regulations and Standards. In 2023, we completed the consolidation of Privacy and Data Governance under Group Technology and Data in Malaysia, Indonesia, Singapore and Thailand. This allows CIMB to be agile and holistic in governing and responding to changes in non-financial laws and regulations pertaining to data and the responsible use of new technologies.
The Data Protection Office also serves as an advisor on the Privacy Principle of Security and as liaison with the Privacy/Data Protection regulator in countries that have such laws. Our regional teams engage independent assessors to evaluate our readiness for emerging legal requirements. Thailand and Vietnam enacted their Personal Data Protection laws in 2022 and 2023 respectively, and in line with these, CIMB Thai and Vietnam have rolled out policies and procedures under their Data Protection Office. CIMB Niaga also completed its first phase of readiness in 2023 for the enforcement of the law in 2024, with a review done in 2024.
The execution of the policies and framework is a shared responsibility among all employees, overseen through senior-level governance forums. To ensure compliance, Data Protection Officers are appointed to monitor, enforce and update the organisation’s policies and procedures, aligning with local laws and regulations.
The Group Technology Steering Committee and Group Risk and Compliance Committee guide management decisions, including the oversight of outsourced service providers, while the Group Transformation Committee monitors technology and data plans, overseeing the implementation progress and ensuring alignment with business plans.
As part of CIMB's risk and control framework, we regularly conduct reviews to ensure our data, privacy and security controls and processes operate effectively.
As per our Code of Conduct, all employees are reminded of the consequences of breaching customer privacy and confidentiality of customer information. Any employee who breaches these laws will be subject to disciplinary action, which may include dismissal.
All employees are trained on their responsibility to safeguard customer information and data privacy as part of the Information Security Awareness compulsory e-learning. We provide comprehensive training to all our employees on these policies to ensure they are fully aware of our stance regarding data protection and confidentiality in the workplace. In cases of breaches, incidents or suspicious activities, employees are required to escalate concerns through established channels. Our Whistleblowing Policy clearly outlines the escalation process for reporting incidents, which enables employees to report concerns confidentially and securely. Reports on wrongdoings, malpractices or irregularities may be emailed to the designated whistleblowing channel, where matters will be investigated accordingly.