Door two
Financial Sector
Fintech, payments, and crypto carry two data obligations that land at the same time: privacy under the GDPR — including the personal data your KYC and screening generate — and ICT operational resilience under DORA. They run on the same systems and the same vendors. Privello covers both from one desk so they agree with each other, and coordinates with your financial-crime team where the two meet.
Do you need this
This engagement is for you if
- You are a payment institution, e-money firm, investment firm, crypto-asset service provider, or a fintech serving regulated financial entities in the EU.
- DORA has moved from a project on the roadmap to a supervisory expectation, and your ICT risk and third-party register are not yet where they need to be.
- Your customer due diligence and screening generate personal data, and the privacy side of that is nobody's clear responsibility.
- An enterprise partner or regulator has asked to see how your privacy and resilience controls fit together.
What it covers
Two obligations, one coordinated file
Data privacy and operational resilience are usually bought from two vendors. On the same systems, that produces contradictions. Privello runs them as one program — and keeps the privacy side of your financial-crime controls aligned with both.
Regulation (EU) 2016/679
Data privacy
Financial data is high-risk personal data. The engagement covers lawful basis, records of processing, DPIAs for scoring and screening, retention limits on due-diligence and KYC records, and the transfer mechanism behind any US or offshore processing — with GDPR breach notification lined up against DORA incident reporting.
Regulation (EU) 2022/2554 · from 17 Jan 2025
DORA resilience
The Digital Operational Resilience Act requires an ICT risk-management framework, a register of ICT third-party arrangements, major-incident reporting, and threat-led resilience testing. Privello builds the governance, the third-party register, and the incident playbook, and maps critical-provider dependencies.
Your KYC, customer due diligence, and sanctions screening generate personal data governed by the GDPR. Privello handles that privacy layer and coordinates with your AML function; it does not design or operate financial-crime controls. Regulation references describe the instruments Privello works with, for orientation, not as legal advice.
What you receive
Named deliverables
A defined set of documents and workflows that let your privacy and resilience obligations share the same evidence base.
Integrated risk assessment
One risk view across data protection and ICT resilience, so a single control can answer to more than one regulation.
DORA ICT framework
An ICT risk-management policy, a register of third-party ICT arrangements, and a major-incident reporting playbook.
Privacy for KYC & screening
The lawful basis, DPIAs, and retention rules for the personal data your customer due diligence and sanctions screening generate — the privacy layer over your AML controls.
Privacy for financial data
ROPA, DPIAs for scoring and screening, retention rules, and the transfer file behind offshore processing.
Vendor & third-party map
A single register of the processors and ICT providers that carry privacy and DORA weight at once.
Incident & breach alignment
A response plan that reconciles GDPR breach notification with DORA major-incident reporting on one timeline.
Every engagement is scoped in writing at a fixed fee before work begins — no hourly billing, no open-ended retainers.
How it runs
A four-step engagement
- 1. Scope. A working session to understand your licence, your systems, and where privacy and DORA bite hardest. Fixed scope, fixed fee.
- 2. Assess. An integrated gap assessment across privacy and DORA, mapped onto shared systems and vendors, flagging where your financial-crime data touches both.
- 3. Build. The frameworks, registers, and playbooks above, drafted so the three regimes reference one evidence base.
- 4. Hand over. A walkthrough with compliance, security, and engineering, so each obligation has an owner who can run it.
Common questions
Questions financial firms ask
Does DORA apply to us?
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) has applied since 17 January 2025 to a broad range of EU financial entities — including banks, payment and e-money institutions, investment firms, and crypto-asset service providers — and reaches their critical ICT third-party providers. If you are a regulated financial entity in the EU or serve one, it is likely in scope.
Why handle financial-data privacy and DORA together?
Because they overlap. Financial data is high-risk personal data under the GDPR, DORA incident reporting interacts with GDPR breach notification, and both sit on the same systems and vendors. One advisor keeps the two from contradicting each other; two separate vendors often do not.
Do you handle our AML or financial-crime program?
No. Privello's financial-sector work is data privacy and DORA operational resilience, not anti-money-laundering. Where your KYC, customer due diligence, and screening generate personal data, Privello handles the privacy side of that — lawful basis, DPIAs, retention, and the transfer file — and coordinates with your AML function or MLRO, who own the financial-crime controls themselves.
Are you a law firm?
No. Privello is a data-regulation consultancy. Its founder is a U.S.-licensed attorney, and that is stated as a credential only. Where a matter requires formal legal advice, Privello works alongside your qualified counsel rather than replacing them.
We are a US fintech with EU customers but no EU licence. Does any of this reach us?
Often, yes. The GDPR applies to offering services to people in the EU regardless of where you are established, and DORA reaches ICT providers that serve regulated EU financial entities — so a US company can be pulled into scope through its customers. The scoping session establishes which obligations actually bite before anything is built.
We already have a DPO or compliance officer. How do you fit in?
Alongside them, not instead of them. Privello builds the frameworks, registers, and playbooks; your DPO, compliance, or security team owns and operates them day to day. Most engagements exist precisely because the internal team is fully occupied running controls and has no capacity to build the integrated file a supervisor or enterprise partner asks for.
Begin
Line up privacy and DORA
Tell us about your licence, your systems, and where privacy and resilience are pulling against each other. We will outline how to run them as one program in a first conversation.