Kalypton Speaks to Mobile Payments World About This GDPR Compliant Tech

Data privacy is driving the European Union’s General Data Protection Regulation (GDPR) in the UK, and yet it is widely felt that banks and other financial services institutions have run out of time to find ways to comply with its requirements. Looming on the horizon for those that fail to comply is a dark cloud of significant financial penalties.

Ashton Young, writing for Data Centre News on 26th July 2017 in his article ‘Majority of Organisations Think They’re GDPR Compliant Actually Aren’t’, cites a global study by Veritas which says the fines that could be imposed for non-compliance could be up to 4 percent of global annual turnover or 20 million euros, whichever is the greater, writes Graham Jarvis, Business and Technology Journalist.

“This is deliberate and removes the ability of organisations to argue that paying a small fine (typically the level issued by the Information Commissioner’s Office) is cheaper than complying with the law. The ICO now has no excuse but to start enforcing the data protection regulations as it should have done under the earlier régime. Parliament will need to hold the ICO to account if it does not enforce the régime properly.”
- Lars Davies, CEO Kalypton

“Woefully behind”

“Most banking and financial services companies are woefully behind”, says Davies. He adds: “Actual figures are hard to come by, but the media is beginning to highlight the issue. See, for example, ‘Businesses failing to prepare for EU rules on data protection’, The Financial Times, 18 June 2017.” He also highlights a report in Risk.net, whose article headline and standfirst compare the demands created by GDPR to “boiling the ocean”, claiming that GDPR’s data demands are overwhelming the banks. It adds: “Re-papering of existing contracts could stretch beyond May 2018, forcing dealers to rely on regulatory forbearance.”

Problem and solution

A PwC blog and report discuss “Technology’s role in data protection – the missing link in GDPR transformation”. PwC Partners Stewart Room and Peter Almond argue in their downloadable report that GDPR “delivers a fundamental change in how data controllers and data processors handle personal data.” They believe that the protections required to safeguard personal data can no longer be treated as add-ons or as an afterthought within business operations. The two men think the protections now need to be “designed into the very fabric of data processing systems.”

In their opinion this means that banks, financial services organisations and indeed firms in other sectors will need to re-examine how they “approach the use of technology in their organisations” because “European data protection law has always been concerned with how technology operates.” They add: “Indeed, the first proposals for harmonised pan-European laws were a response to technological developments.” Indeed, as far back as 1968, the Council of Europe raised concerns about privacy in its deliberations about human rights.

For this reason, they believe that “data protection laws exist because it is believed that, without them, technology will enable or cause data controllers and processors to trample on fundamental rights and freedoms.” In other words, they find that technology is seen as the “principal problem that data protection law is trying to solve.” Because technology is perceived to be the problem, it also has to provide the solution that protects personal data. “If entities are storing too much personal data, for example, technology needs to deliver delete, erase, de-duplicate and minimise functionality”, they write.

Room and Almond nevertheless argue that data protection has in practice operated quite differently. Here’s what they have to say about it: “Despite technology being both the problem and the solution, technology systems have not been designed and deployed from the perspective of the requirements of data protection law. This is why we see so much debate over the retention and storage of personal data, so much confusion about the nature and whereabouts of personal data and so many technology-related cyber-security failures.”

Relative costs

Compliance is inexpensive relative to the costs of non-compliance, although organisations may still find that they need to invest in new technologies to enable them to comply with GDPR. Even so, the cost of investing in new technologies is small compared to the potential costs of non-compliance. Davies therefore comments: “[Those] potential costs are huge, especially with Brexit. Prior to Brexit, organisations could rely on the overriding principle to enable data to move freely within the EU, even if the regulations were not fully in place, or if there were slight discrepancies in the way in which each member state enforced the rules. Now, the UK will have to implement the GDPR in full and, more importantly, enforce it in full if the EU is to recognise the UK’s régime as equivalent to that of the EU.”

“The Risk.net article mentioned above says that they expect the French and German regulators to police GDPR strictly but UK regulators to show ‘forbearance’”, he says, before asking: “Why is the privacy of UK citizens less valuable? In any event, it won’t save UK financial institutions unless they are purely domestic operations.”

Payments and GDPR

“Payments involve personal records, and so organisations offering payments services within the EU must comply with the GDPR”, he explains, before adding that blockchain and distributed ledger technology (DLT) based systems “simply cannot comply with GDPR and yet we find that some Fintech organisations speak of implementing permissioned systems, others of implementing some form of encryption to provide pseudonymisation.” The problem is that many of these steps may not help.

As Recital 26 of GDPR makes clear: ‘Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable person.’ He then points out that Recital 28 goes further and states: “The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.”
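The Recital 26 point above is easy to see in code. The following is an added example, not code from Kalypton or from the article: it pseudonymises a constructed payments ledger two ways, first with a bare SHA-256 digest of the customer e-mail (the “some form of encryption” the article mentions) and then with a keyed HMAC, and then shows what happens when someone holds the “additional information” (here, a candidate list of customer e-mails). All names, e-mails and amounts are constructed; the pseudonymisation functions are illustrative choices, not any project’s implementation.

```python
import hashlib
import hmac
import secrets

# Constructed "additional information": the customer list a controller,
# a partner node or a tracker might hold alongside the ledger.
CUSTOMERS = ["alice@example.com", "bob@example.com", "carol@example.com"]

# Constructed transactions (e-mail, amount in cents) before pseudonymisation.
TRANSACTIONS = [
    ("alice@example.com", 1250),
    ("bob@example.com", 80),
    ("alice@example.com", 4200),
]


def plain_pseudonym(identifier):
    """Unkeyed pseudonym: SHA-256 of the identifier. Anyone who can guess
    candidate identifiers can recompute it, so it is linkable by design."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier, key):
    """Keyed pseudonym: HMAC-SHA256. Re-linking requires the key, but the
    controller who holds the key can still attribute the data (Recital 26)."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def build_ledger(pseudonymise):
    """Replace the e-mail in each transaction with a pseudonym."""
    return [{"customer": pseudonymise(email), "amount_cents": amount}
            for email, amount in TRANSACTIONS]


def reidentify(ledger, candidate_identifiers, pseudonymise):
    """Join the pseudonymised ledger back to natural persons using the
    additional information (candidate identifiers) and the pseudonymisation
    function the joiner can run. Returns {pseudonym: identifier} for every
    distinct pseudonym that could be attributed."""
    lookup = {pseudonymise(c): c for c in candidate_identifiers}
    return {row["customer"]: lookup[row["customer"]]
            for row in ledger if row["customer"] in lookup}


def linked_rows(ledger, pseudonym):
    """Count ledger rows sharing one pseudonym: a deterministic pseudonym
    links all of a person's transactions together even before any naming."""
    return sum(1 for row in ledger if row["customer"] == pseudonym)


def demo():
    key = secrets.token_bytes(32)  # held by the controller, apart from the ledger
    plain = build_ledger(plain_pseudonym)
    keyed = build_ledger(lambda e: keyed_pseudonym(e, key))
    return {
        # Anyone with the customer list re-identifies every person in the ledger.
        "plain_reidentified": len(reidentify(plain, CUSTOMERS, plain_pseudonym)),
        # Without the key, the same customer list yields nothing.
        "keyed_without_key": len(reidentify(keyed, CUSTOMERS, plain_pseudonym)),
        # With the key (i.e. as the controller), the data is fully attributable again.
        "keyed_with_key": len(reidentify(
            keyed, CUSTOMERS, lambda e: keyed_pseudonym(e, key))),
        # Both schemes still link Alice's two payments to one pseudonym.
        "alice_rows_plain": linked_rows(plain, plain_pseudonym("alice@example.com")),
        "alice_rows_keyed": linked_rows(keyed, keyed_pseudonym("alice@example.com", key)),
    }


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the numbers: the unkeyed pseudonym is re-identified in full by anyone holding a list of candidate identifiers, and the keyed pseudonym merely moves the “additional information” into a key that the controller still holds. In both cases the records remain personal data, and in both cases every transaction by the same person is linkable, which is the linkage the cookie-tracking research cited below exploits.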

For example, The Register’s article ‘Bitcoin-accepting sites leave cookie trail that crumbles anonymity’ explains why. The author of the article, Richard Chirgwin, writes: “Bitcoin transactions might be anonymous, but on the Internet, its users aren’t – and according to research out of Princeton University, linking the two together is trivial on the modern, much-tracked Internet. In fact, linking a user’s cookies to their Bitcoin transactions is so straightforward, it’s almost surprising it took this long for a paper like this to be published.” So, the pseudonymisation simply is not strong enough.

“Even if a blockchain or DLT-based system could ensure that data is kept private, and it is doubtful whether such a system can do so as they rely on any participant being able to validate any previous transaction in a chain, then every node in a blockchain or DLT must now comply fully with the GDPR, regardless of where that node is based”, comments Davies. He adds: “Any node passing on data that could identify an individual must ensure that every other node in the chain complies with the GDPR.”

Read the entire article on www.MobilePaymentsWorld.com