Data privacy is driving the European Union’s General Data Protection Regulation (GDPR) in the UK, and yet it’s widely felt that banks and other financial services institutions have run out of time to find ways to comply with the requirements. Looming on the horizon for those who fail to comply is a dark cloud of significant financial penalties.
Ashton Young, writing for Data Centre News on 26th July 2017 in his article ‘Majority of Organisations Think They’re GDPR Compliant Actually Aren’t’, cites a global study by Veritas which says the fines that could be imposed for non-compliance could be up to 4 percent of global annual turnover or 20 million euros – whichever is the greater – writes Graham Jarvis, Business and Technology Journalist.
“This is deliberate and removes the ability of organisations to argue that paying a small fine (typically the level issued by the Information Commissioner’s Office) is cheaper than following the law. The ICO now has no excuse but to start enforcing the data protection regulations as it should have done under the earlier regime. Parliament will need to hold the ICO to account if it does not enforce the regime properly.”
– Lars Davies, CEO Kalypton
“Most banking and financial services companies are woefully behind,” says Davies. He adds: “Actual figures are hard to come by, but the media is beginning to highlight the issue. See, for example, ‘Businesses failing to prepare for EU rules on data protection’, The Financial Times, 18 June 2017.” He also highlights a report in Risk.net, whose article headline and standfirst compare the demands created by GDPR to “boiling the ocean”, claiming that GDPR’s data demands are overwhelming the banks. It adds: “Re-papering of existing contracts could stretch beyond May 2018, forcing dealers to rely on regulatory forbearance.”
Problem and solution
A PwC blog and report talks about “Technology’s role in data protection – the missing link in GDPR transformation”. PwC Partners Stewart Room and Peter Almond argue in their downloadable report that GDPR “delivers a fundamental change in how data controllers and data processors handle personal data.” They believe that the protections required to safeguard personal data can no longer be considered as add-ons or as an afterthought within business operations. The two men think the protections now need to be “designed into the very fabric of data processing systems.”
In their opinion this means that banks, financial services organisations and indeed other firms in other sectors will need to re-examine how they “approach the use of technology in their organisations” because “European data protection law has always been concerned with how technology operates.” They add: “Indeed, the first proposals for harmonised pan-European laws were a response to technological developments.” Subsequently, as far back as 1968, the Council of Europe raised concerns about privacy in its deliberations about human rights.
For this reason, they believe that “data protection laws exist because it is believed that, without them, technology will enable or cause data controllers and processors to trample on fundamental rights and freedoms.” In other words, they find that technology is seen as the “principal problem that data protection law is trying to solve.” As a result of technology being perceived to be the problem, it also has to provide the solution to protect personal data. “If entities are storing too much personal data, for example, technology needs to deliver delete, erase, de-duplicate and minimise functionality”, they write.
Room and Almond nevertheless argue that data protection has in practice operated quite differently. Here’s what they have to say about it: “Despite technology being both the problem and the solution, technology systems have not been designed and deployed from the perspective of the requirements of data protection law. This is why we see so much debate over the retention and storage of personal data, so much confusion about the nature and whereabouts of personal data and so many technology-related cyber-security failures.”
Compliance is relatively cheap compared to the costs of non-compliance, even though organisations may still find that they need to invest in new technologies to comply with GDPR: the cost of that investment is small next to the potential cost of being found non-compliant. Davies therefore comments: “[Those] potential costs are huge, especially with Brexit. Prior to Brexit, organisations could rely on the overriding principle to enable data to move freely within the EU, even if the regulations were not fully in place, or if there were slight discrepancies in the way in which each member state enforced the rules. Now, the UK will have to implement the GDPR in full and, more importantly, enforce it in full if the EU is to recognise the UK’s regime as equivalent to that of the EU.”
“The Risk.net article mentioned above says that they expect the French and German regulators to police GDPR strictly but UK regulators to show ‘forbearance’”, he says before asking: “Why is the privacy of UK citizens less valuable? In any event, it won’t save UK Financial Institutions unless they are purely domestic operations.”
Payments and GDPR
“Payments involve personal records, and so organisations offering payments services within the EU must comply with the GDPR”, he explains, before adding that Blockchain and distributed ledger technology (DLT) based systems “simply cannot comply with GDPR and yet we find that some Fintech organisations speak of implementing permissioned systems, others of implementing some form of encryption to provide pseudonymisation.” The problem is that many of these steps may not help.
“As Recital 26 of GDPR makes clear: ‘Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable person.’” He then points out that Recital 28 goes further and states: “The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.”
For example, The Register’s article ‘Bitcoin-accepting sites leave cookie trail that crumbles anonymity’ explains why. The author of the article, Richard Chirgwin, writes: “Bitcoin transactions might be anonymous, but on the Internet, its users aren’t – and according to research out of Princeton University, linking the two together is trivial on the modern, much-tracked Internet. In fact, linking a user’s cookies to their Bitcoin transactions is so straightforward, it’s almost surprising it took this long for a paper like this to be published.” So, the pseudonymisation simply is not strong enough.
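The Recital 26 point above is easy to demonstrate in code. The following is an added example, not code from the article, from Davies or from Kalypton, and the account identifiers in it are constructed for illustration. It pseudonymises a small payments ledger two ways, with a plain SHA-256 of the account number and with an HMAC under a key held apart from the data, and then asks the question a data protection officer has to ask: who, holding what “additional information”, can attribute a pseudonym back to a person? Only Python’s standard library is used.

```python
"""Pseudonymisation is not anonymisation: a worked illustration of GDPR Recital 26.

Added example with constructed data; nothing here comes from a real bank or ledger.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, List, Optional

# Constructed sample ledger. The account identifiers are fictitious.
LEDGER = [
    {"account": "ACCT-000123", "amount": 120.50},
    {"account": "ACCT-000456", "amount": 42.00},
    {"account": "ACCT-000123", "amount": 9.99},
]

# The "additional information" of Recital 26: a list of the bank's account
# identifiers that some third party has obtained from another dataset. Constructed.
KNOWN_ACCOUNTS = [f"ACCT-{n:06d}" for n in range(1000)]


def pseudonymise_unkeyed(identifier: str) -> str:
    """Naive scheme: plain SHA-256 of the identifier. No secret is involved, so the
    pseudonym is a deterministic function of the identifier alone."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def pseudonymise_keyed(identifier: str, key: bytes) -> str:
    """Keyed scheme: HMAC-SHA256 under a key the controller keeps separate from the
    pseudonymised dataset. This is still pseudonymisation, not anonymisation."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise_ledger(ledger: List[dict], fn: Callable[[str], str]) -> List[dict]:
    """Replace the account column with its pseudonym; keep the rest of the row."""
    return [{"pseudonym": fn(row["account"]), "amount": row["amount"]} for row in ledger]


def reidentify(pseudonym: str, candidates: Iterable[str],
               fn: Callable[[str], str]) -> Optional[str]:
    """Attribute a pseudonym to an identifier by recomputing the pseudonym over every
    candidate identifier the holder knows. Whoever can do this holds 'additional
    information' in the Recital 26 sense, and the data is personal data for them."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), pseudonym):
            return candidate
    return None


def recital_26_check() -> dict:
    """For each scheme and each holder of information, report whether the
    pseudonymised ledger can be attributed back to a natural person."""
    key = secrets.token_bytes(32)        # held by the controller only
    wrong_key = secrets.token_bytes(32)  # what a third party without the key has
    unkeyed = pseudonymise_ledger(LEDGER, pseudonymise_unkeyed)
    keyed = pseudonymise_ledger(LEDGER, lambda a: pseudonymise_keyed(a, key))
    first_unkeyed = unkeyed[0]["pseudonym"]
    first_keyed = keyed[0]["pseudonym"]
    return {
        # A third party holding only the account list reverses unkeyed hashes at once.
        "unkeyed_reversible_by_third_party":
            reidentify(first_unkeyed, KNOWN_ACCOUNTS, pseudonymise_unkeyed)
            == LEDGER[0]["account"],
        # Without the key, enumeration over the same list finds nothing.
        "keyed_reversible_without_key":
            reidentify(first_keyed, KNOWN_ACCOUNTS,
                       lambda a: pseudonymise_keyed(a, wrong_key)) is not None,
        # The controller, who holds the key, can: so the data stays personal data.
        "keyed_reversible_by_controller":
            reidentify(first_keyed, KNOWN_ACCOUNTS,
                       lambda a: pseudonymise_keyed(a, key)) == LEDGER[0]["account"],
        # Either way the same account yields the same pseudonym, so rows for one
        # person still link together, which is the cookie-trail problem in miniature.
        "records_still_linkable": keyed[0]["pseudonym"] == keyed[2]["pseudonym"],
    }


if __name__ == "__main__":
    for name, value in recital_26_check().items():
        print(f"{name}: {value}")
```

The keyed scheme is the one to prefer, because it limits re-identification to whoever holds the key, but the check shows why it does not take the dataset outside GDPR: the controller still has the additional information, and the pseudonyms still link every record belonging to one person.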
“Even if a blockchain or DLT-based system could ensure that data is kept private, and it is doubtful whether such a system can do so as they rely on any participant being able to validate any previous transaction in a chain, then every node in a blockchain or DLT must now comply fully with the GDPR, regardless of where that node is based”, comments Davies. He adds: “Any node passing on data that could identify an individual must ensure that every other node in the chain complies with the GDPR.”