The law is in force, but the bank was not ready
When PDPA came into full effect, this leading commercial bank found itself in the same position many organizations faced. It served millions of customers and offered a wide range of products, from deposits, loans, and credit cards to insurance and investment services. Yet personal data was scattered across dozens of systems that had never been designed to work together from a privacy perspective.
A single customer’s PII could exist in Core Banking, CRM, credit card systems, loan systems, the call center system, and even the email marketing platform. Each system stored data in different formats and structures, and no one had a complete, unified view of any individual customer’s data.
Privacy governance was managed through spreadsheets and documents. There was no central system to manage customer consent across all channels. When customers exercised their data subject rights (DSR), staff had to contact system owners one by one, resulting in long turnaround times and a high risk of missing legal deadlines.
The Record of Processing Activities (RoPA) was also maintained manually and was never up to date, leaving the bank unprepared for regulatory audits.
PrivacyHub: Solving the right problem with Zero PII Storage
Enersys introduced PrivacyHub, a platform specifically designed to align with the security concerns of the banking sector.
At its core is Zero PII Storage — PrivacyHub does not store any personal data within its own system. Instead, it uses Pointer-Based Data Mapping to reference where data resides in source systems. No PII copies are created, data remains current at all times, and the approach aligns with the PDPA Data Minimization Principle.
The Data Inventory Module performs automated discovery to build an enterprise-wide map of personal data, showing what types of PII exist in which systems and how that data is being processed.
For consent management, PrivacyHub handles the full lifecycle — from collecting consent across all channels (mobile, web, branch, and call center) through API integration, to tracking status with a complete audit trail. When a customer withdraws consent, the system immediately notifies all relevant systems to stop processing data for that purpose.
For DSR, the system receives requests through a self-service portal, verifies identity automatically, searches data across all systems via pointer-based mapping, executes actions based on the request type, and tracks status with deadline reminders as due dates approach.
RoPA is generated automatically from data mapping and consent records, supported by a compliance dashboard that shows real-time status. The DPO can immediately see the overall picture and identify areas that require improvement.
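The pointer-based approach described above, as an added illustration that is not PrivacyHub's own code (the system names, record locators and customer data are constructed): the hub holds only pointers and consent flags, DSR access and erasure resolve those pointers against the source systems at request time, a consent withdrawal fans out to every system holding the customer, and a leakage check confirms that no PII value ever lands in hub state.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Pointer:
    system: str      # source system name (constructed, e.g. "core_banking")
    record_id: str   # opaque locator inside that system, not PII itself
    fields: tuple    # names of the PII attributes held there, never their values
class SourceSystem:  # stand-in for a bank system: the only place PII actually lives
    def __init__(self, name, records):
        self.name, self.records, self.stopped = name, records, set()
    def fetch(self, record_id, fields):
        return {f: self.records[record_id][f] for f in fields}
    def stop_processing(self, record_id, purpose):
        self.stopped.add((record_id, purpose))
    def erase(self, record_id):
        self.records.pop(record_id, None)
class PrivacyHub:  # keeps pointers and consent state only; PII is read on demand
    def __init__(self, systems):
        self.systems = {s.name: s for s in systems}
        self.inventory = {}  # customer_id -> [Pointer]
        self.consent = {}    # (customer_id, purpose) -> bool
    def register(self, customer_id, pointer):
        self.inventory.setdefault(customer_id, []).append(pointer)
    def dsr_access(self, customer_id):
        # Resolve pointers at request time, so the answer reflects current source data
        return {p.system: self.systems[p.system].fetch(p.record_id, p.fields)
                for p in self.inventory.get(customer_id, [])}
    def withdraw_consent(self, customer_id, purpose):
        # Record the withdrawal, then fan it out to every system holding this customer
        self.consent[(customer_id, purpose)] = False
        targets = self.inventory.get(customer_id, [])
        for p in targets:
            self.systems[p.system].stop_processing(p.record_id, purpose)
        return len(targets)
    def dsr_erase(self, customer_id):
        for p in self.inventory.pop(customer_id, []):
            self.systems[p.system].erase(p.record_id)
    def leaks_pii(self):
        # Minimization check: no value held by a source system appears in hub state
        state = repr(self.inventory) + repr(self.consent)
        held = {str(v) for s in self.systems.values()
                for rec in s.records.values() for v in rec.values()}
        return any(v in state for v in held)
def build_demo():  # constructed sample: customer C001 exists in two source systems
    core = SourceSystem("core_banking", {"CB-7781": {"name": "Test Customer", "phone": "+00-0000-0000"}})
    crm = SourceSystem("crm", {"CRM-42": {"email": "test.customer@example.com"}})
    hub = PrivacyHub([core, crm])
    hub.register("C001", Pointer("core_banking", "CB-7781", ("name", "phone")))
    hub.register("C001", Pointer("crm", "CRM-42", ("email",)))
    return hub
```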
Ready for audits, not just ready for fines
The most visible improvement was in DSR handling. What previously took several weeks now takes only a few days — a 73% reduction in turnaround time, with responses delivered consistently within legally mandated timelines.
The compliance score increased by 38% by closing gaps identified in the previous audit. Audit preparation time also fell by 57% because information and reports were continuously available.
Automated data discovery provided visibility into personal data across 92% of all systems, and the Privacy Office team improved productivity by 46% through the reduction of manual work.
This project became a model for transforming PDPA compliance from a legal burden into an organizational strength. PrivacyHub’s Zero PII Storage Architecture directly addressed the banking sector’s most critical security concerns.