Data privacy is the driver behind the European Union’s General Data Protection Regulation (GDPR), which will also apply in the UK, and yet it is widely felt that banks and other financial services institutions are running out of time to find ways to comply with its requirements. Looming on the horizon for those that fail to comply is a dark cloud of significant financial penalties.
Ashton Young, writing for Data Centre News on 26th July 2017 in his article ‘Majority of Organisations Think They’re GDPR Compliant Actually Aren’t’, cites a global study by Veritas which says that the fines that could be imposed for non-compliance could be up to 4 percent of global annual turnover or 20 million euros, whichever is the greater, writes Graham Jarvis, Business and Technology Journalist.
Lars Davies, CEO of award-winning payment solutions start-up Kalypton, comments: “This is deliberate and removes the ability of organisations to argue that paying a small fine (typically the level issued by the Information Commissioner’s Office) is cheaper than following the law. The ICO now has no excuse but to start enforcing the data protection regulations as it should have done under the earlier regime. Parliament will need to hold the ICO to account if it does not enforce the regime properly.”
The Veritas GDPR 2017 Report surveyed 900 business decision-makers across eight major countries, and although 31 percent of the respondents believe that they are already compliant, Young says the study shows that they are not. In fact, Veritas believes that only 2 percent of the companies surveyed are actually complying with the regulation at the moment. There is, then, a real gap between believing one is compliant and actually being compliant, and the organisations that think they are compliant, whichever sector they operate in, are in for a big shock when it turns out that their compliance is a figment of their imagination.
“Most banking and financial services companies are woefully behind” says Davies. He adds: “Actual figures are hard to come by, but the media is beginning to highlight the issue. See, for example ‘Businesses failing to prepare for EU rules on data protection’, The Financial Times, 18 June, 2017.” He also highlights a report in Risk.net, whose article headline and standfirst compare the demands created by GDPR to “boiling the ocean”, claiming that GDPR’s data demands are overwhelming the banks. It adds: “Re-papering of existing contracts could stretch beyond May 2018, forcing dealers to rely on regulatory forbearance.”
Problem and solution
A PwC blog and report, ‘Technology’s role in data protection – the missing link in GDPR transformation’, addresses both. PwC partners Stewart Room and Peter Almond argue in their downloadable report that GDPR “delivers a fundamental change in how data controllers and data processors handle personal data.” They believe that the protections required to safeguard personal data can no longer be treated as add-ons or as an afterthought within business operations. The two men think the protections now need to be “designed into the very fabric of data processing systems.”
In their opinion this means that banks, financial services organisations and indeed firms in other sectors will need to re-examine how they “approach the use of technology in their organisations” because “European data protection law has always been concerned with how technology operates.” They add: “Indeed, the first proposals for harmonised pan-European laws were a response to technological developments.” As far back as 1968, the Council of Europe was raising concerns about privacy in its deliberations on human rights.
For this reason, they believe that “data protection laws exist because it is believed that, without them, technology will enable or cause data controllers and processors to trample on fundamental rights and freedoms.” In other words, they find that technology is seen as the “principal problem that data protection law is trying to solve.” And because technology is perceived to be the problem, it also has to provide the solution that protects personal data. “If entities are storing too much personal data, for example, technology needs to deliver delete, erase, de-duplicate and minimise functionality”, they write.
Room and Almond nevertheless argue that data protection has in practice operated quite differently. Here’s what they have to say about it: “Despite technology being both the problem and the solution, technology systems have not been designed and deployed from the perspective of the requirements of data protection law. This is why we see so much debate over the retention and storage of personal data, so much confusion about the nature and whereabouts of personal data and so many technology-related cyber-security failures.”
They add: “From this perspective it might be said that the technology stack has been the missing link in data protection programmes over the years. The underlying reasons for these issues will no doubt continue to be a source of debate.” In their view, there is one thing that is absolutely certain: “In the new world of the GDPR, where tougher and more penetrative forms of adverse scrutiny are likely, instances of technology failure will be harder to excuse.”
Compliance is not free: organisations may well need to invest in new technology to meet GDPR. Even so, the cost of that investment is small compared to the potential cost of non-compliance. Davies comments: “[Those] potential costs are huge, especially with Brexit. Prior to Brexit, organisations could rely on the overriding principle to enable data to move freely within the EU, even if the regulations were not fully in place, or if there were slight discrepancies in the way in which each member state enforced the rules. Now, the UK will have to implement the GDPR in full and, more importantly, enforce it in full if the EU is to recognise the UK’s regime as equivalent to that of the EU.”
“The Risk.net article mentioned above says that they expect the French and German regulators to police GDPR strictly but UK regulators to show ‘forbearance’”, he says before asking: “Why is the privacy of UK citizens less valuable? In any event, it won’t save UK Financial Institutions unless they are purely domestic operations.”
Payments and GDPR
“Payments involve personal records, and so organisations offering payments services within the EU must comply with the GDPR”, he explains, before adding that blockchain and distributed ledger technology (DLT) based systems “simply cannot comply with GDPR and yet we find that some Fintech organisations speak of implementing permissioned systems, others of implementing some form of encryption to provide pseudonymisation.” The problem is that many of these steps may not help.
“As Recital 26 of GDPR makes clear: ‘Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable person.’” He then points out that Recital 28 goes further and states: “The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.”
The Register’s article ‘Bitcoin-accepting sites leave cookie trail that crumbles anonymity’ illustrates why such pseudonymisation is not enough. The author of the article, Richard Chirgwin, writes: “Bitcoin transactions might be anonymous, but on the Internet, its users aren’t – and according to research out of Princeton University, linking the two together is trivial on the modern, much-tracked Internet. In fact, linking a user’s cookies to their Bitcoin transactions is so straightforward, it’s almost surprising it took this long for a paper like this to be published.” The pseudonym is only as strong as the secrecy of the additional information that links it back to a person, and on a tracked web that information is readily available.
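The linkage described in that article, as an added worked example that is not part of the original page or of the Princeton research: two constructed datasets, a merchant’s checkout log (tracker cookie, account e-mail, amount, time) and a public ledger (pseudonymous address, amount, time), neither of which names a payer on its own. Joining them on amount and a two-minute confirmation window (an assumed figure) ties each address to a cookie, and the cookie to the account holder, which is exactly the “additional information” Recital 26 describes. The example also shows why an unkeyed hash of an identifier is a lookup table rather than a protection. All addresses, e-mails, cookies and amounts are invented for the example.

```python
"""Linkage attack on pseudonymised payment data (constructed example)."""
import hashlib
from datetime import datetime

# Assumed: a payment appears on the public ledger within two minutes of checkout.
WINDOW_SECONDS = 120

# Constructed merchant-side checkout log. The cookie is what a third-party
# tracker on the checkout page sees; the e-mail is what the merchant holds for
# the account. Neither party has the payer's ledger address.
CHECKOUTS = [
    {"cookie": "c_7f3a", "email": "alice@example.net", "amount": 0.0421, "ts": "2017-07-26T10:02:11"},
    {"cookie": "c_91bd", "email": "bob@example.net",   "amount": 0.0150, "ts": "2017-07-26T10:05:40"},
    {"cookie": "c_7f3a", "email": "alice@example.net", "amount": 0.0088, "ts": "2017-07-27T18:30:05"},
]

# Constructed public ledger: pseudonymous addresses, amounts and times only.
LEDGER = [
    {"from": "addr_A1", "amount": 0.0421, "ts": "2017-07-26T10:02:45"},
    {"from": "addr_B7", "amount": 0.0150, "ts": "2017-07-26T10:06:10"},
    {"from": "addr_A1", "amount": 0.0088, "ts": "2017-07-27T18:31:00"},
    {"from": "addr_X9", "amount": 0.0421, "ts": "2017-07-28T09:00:00"},  # same amount, two days later
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def link_addresses(checkouts, ledger, window=WINDOW_SECONDS):
    """Join checkouts to ledger entries on (amount, time window).

    Returns {address: set(cookie)}. Neither input names anyone; the join itself
    is the 'additional information' that makes the pseudonym attributable.
    Real code would compare amounts in integer minor units, not floats.
    """
    links = {}
    for c in checkouts:
        for tx in ledger:
            delta = (_parse(tx["ts"]) - _parse(c["ts"])).total_seconds()
            if tx["amount"] == c["amount"] and 0 <= delta <= window:
                links.setdefault(tx["from"], set()).add(c["cookie"])
    return links


def reidentify(links, checkouts):
    """Resolve cookies to account holders: {address: set(email)}."""
    cookie_to_email = {c["cookie"]: c["email"] for c in checkouts}
    return {addr: {cookie_to_email[ck] for ck in cookies}
            for addr, cookies in links.items()}


def pseudonymise(email: str) -> str:
    """An unkeyed hash is a common but weak form of pseudonymisation."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def reverse_pseudonyms(pseudonyms, candidate_emails):
    """Anyone holding a candidate list (a customer file, a leaked mailing list)
    turns an unkeyed hash back into the identifier by table lookup."""
    table = {pseudonymise(e): e for e in candidate_emails}
    return {p: table[p] for p in pseudonyms if p in table}


if __name__ == "__main__":
    links = link_addresses(CHECKOUTS, LEDGER)
    print("address -> cookies:", links)
    print("address -> person :", reidentify(links, CHECKOUTS))
    hashed = [pseudonymise(c["email"]) for c in CHECKOUTS]
    print("hash -> e-mail    :", reverse_pseudonyms(hashed, ["alice@example.net", "bob@example.net"]))
```

The fourth ledger entry (addr_X9) matches Alice’s first amount but falls outside the time window, so it is correctly left unlinked; tightening or widening that window is the usual trade-off between false links and missed ones. The defensive lesson is the one Davies draws: encrypting or hashing the identifier in the ledger does nothing about the merchant-side data and trackers that carry the link key.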
“Even if a blockchain or DLT-based system could ensure that data is kept private, and it is doubtful whether such a system can do so as they rely on any participant being able to validate any previous transaction in a chain, then every node in a blockchain or DLT must now comply fully with the GDPR, regardless of where that node is based”, comments Davies. He adds: “Any node passing on data that could identify an individual must ensure that every other node in the chain complies with the GDPR.”
New tech design
Despite this issue, he feels that new technology can help organisations to comply with GDPR, but it needs to be well-designed technology with data privacy in mind: “Most ‘new tech’ is new technology for the sake of it. To be classed as a solution, it needs to solve a problem. To solve a problem, that technology needs to be designed to meet the legal requirements, operational requirements, and technical requirements that pertain to that problem.”
“That is why we designed Tereon to provide distributed trust in private ledgers rather than DLT”, he says before elaborating: “The customer data is held only in the ledgers of their financial services provider. The audit trail relating to that data is shared widely so that the integrity of that data can be validated without having to expose the data or even the data traffic itself.”
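The pattern Davies describes, a private ledger held by the provider plus a widely shared audit trail that lets anyone check integrity without seeing the data, is illustrated below with an added example. It is not Kalypton’s or Tereon’s code and makes no claim about how that product works; it shows the generic construction of salted hash commitments chained into a shared trail, which is one standard way to achieve the property quoted above. The record fields, the 16-byte salt length and the SHA-256 choice are assumptions for the example.

```python
"""Shared audit trail over private records (constructed example)."""
import hashlib
import json
import os

GENESIS = "0" * 64


def commit(record: dict, salt: bytes) -> str:
    """Salted hash commitment: binds the provider to the record without revealing it.

    The salt must be random and kept with the private record; without it,
    low-entropy fields (dates, round amounts) could be recovered from the
    commitment by brute force.
    """
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + payload).hexdigest()


class SharedTrail:
    """Replicated to every validator: a hash chain over commitments only."""

    def __init__(self):
        self.entries = []  # list of (commitment, chain_hash)

    def append(self, commitment: str) -> int:
        prev = self.entries[-1][1] if self.entries else GENESIS
        chain = hashlib.sha256((prev + commitment).encode()).hexdigest()
        self.entries.append((commitment, chain))
        return len(self.entries) - 1

    def verify_chain(self) -> bool:
        """Any node can check the trail has not been rewritten; no personal data needed."""
        prev = GENESIS
        for commitment, chain in self.entries:
            if hashlib.sha256((prev + commitment).encode()).hexdigest() != chain:
                return False
            prev = chain
        return True

    def verify_record(self, index: int, record: dict, salt: bytes) -> bool:
        """Check a record disclosed by the provider (e.g. in a dispute) against its commitment."""
        return index < len(self.entries) and commit(record, salt) == self.entries[index][0]


class PrivateLedger:
    """Held only by the customer's own provider: the records and their salts."""

    def __init__(self, trail: SharedTrail):
        self.trail = trail
        self.records = {}  # trail index -> (record, salt)

    def append(self, record: dict) -> int:
        salt = os.urandom(16)
        index = self.trail.append(commit(record, salt))
        self.records[index] = (record, salt)
        return index

    def disclose(self, index: int):
        """Hand one record and its salt to an authorised party for verification."""
        return self.records[index]

    def erase(self, index: int) -> None:
        """Drop the data and salt; the trail keeps only a commitment nobody can open."""
        del self.records[index]


if __name__ == "__main__":
    trail = SharedTrail()
    ledger = PrivateLedger(trail)
    i = ledger.append({"customer": "alice", "amount_pence": 1000, "date": "2017-07-26"})
    ledger.append({"customer": "bob", "amount_pence": 250, "date": "2017-07-26"})
    print("trail intact:", trail.verify_chain())
    rec, salt = ledger.disclose(i)
    print("disclosed record matches:", trail.verify_record(i, rec, salt))
```

Validators holding only the trail can detect a rewritten history, and a single record can be proven against the trail when the provider chooses to disclose it, which is the property the quote describes. Two caveats a practitioner would check: the salt must be high-entropy and stay with the private copy, or the commitment leaks its contents to a dictionary attack; and whether an unopenable commitment to an erased record still counts as personal data is a legal question this construction does not answer by itself.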
Alun Thomas, an investor in Kalypton, believes that GDPR compliance needs to be a structured consulting process that is supported by new technologies. “The argument is that if you manage the data cycle correctly, capturing it, maintaining it with control of access and authenticity, and then destroying it, then the problem, be it MiFID or GDPR or whatever, is solved”, he claims. He believes that there is too much following the leader in Fintech, and so he thinks it is important to go back to first principles to deliver tools that permit a radical change. When people jump on a bandwagon, there is no room for innovation and no space for improvement. All that you get is hype.
Top tips: Tech deployment
To assist banks and financial services organisations to comply with GDPR, Davies and Thomas offer six top tips for deploying new technology to meet GDPR and to protect data privacy:
- Read the regulation.
- Stop making excuses.
- Understand that you cannot derogate your responsibility to suppliers or third parties.
- Make sure that the technology you implement does not require the use of a regulatory sandbox.
- Make sure that your suppliers understand the requirements of the GDPR.
- Measure the ROI of this effort in terms of not just reactive compliance but in developing a differentiator of trust.
Davies then concludes: “This late flurry of activity to meet a regulation driven deadline is typical of the financial services industry. The industry really needs to get out of a reactive mode of operation and into a mode of operation that proactively considers security and privacy from the bottom up.” He also finds that there is an increasing “acknowledgement that financial services companies are really technology companies and that data is their biggest asset.”
So, in his opinion the objective has “therefore to be the trusted holder of sensitive customer data. This contrasts significantly with the business model of the likes of Google and Amazon, who provide loss-leading services to capture that data and monetise it.” At the end of the day, trust is a vital part of compliance.