Rethinking Compliance for the Protection of Personal Data

Wed 01 Nov 2017

A holiday photo on Instagram, a “like” on Facebook, a PayPal transfer to pay for your Airbnb, or just a bank card payment or an ATM withdrawal: every day, we feed data into greedy and enthusiastic algorithms that are gathering our personal information. A new European regulation adopted in response to this irrational frenzy, the General Data Protection Regulation (GDPR), will come into force in May 2018. It seeks to revise the principles applying to the use, processing, dissemination and storage of personal information regarding citizens of the European Union.

The aim is straightforward: transparency. Nothing can be done unless individuals have expressly given their consent or have been informed about the processing applied.

In very broad terms, this is achieved by:

  • the right to know what personal data an entity holds, and what use is made of it;
  • the right to be informed of how your data is processed, the right to move, and not simply replicate, personal data from one organisation to another (data portability);
  • on request, the right to erase data in the possession of an enterprise which has no further need or use for it (‘the right to be forgotten’);
  • an explicit obligation for an enterprise using personal data to restrict its collection and use of the data to the requirements of the specified processing about which it has informed the natural persons concerned. These obligations, naturally, are extended to the processors with whom the enterprise works;
  • an implicit obligation to ensure the security and confidentiality of these data.

The pre-existing rules, where they existed, differ from the current approach, which no longer relies on a declarative policy but on an obligation of compliance with the regulation. In the event of non-compliance, penalties can be imposed on offenders: 20 million euro or 4% of worldwide turnover (whichever is the higher).

Banks are among the most significant collectors of data in the world. They are continually collecting information about their customers when they open current accounts, and when they use payment methods. They process the data to measure, analyse and monitor their risks; to grant and price loans; to authorise overdrafts; to fight against terrorism financing and money-laundering; to prevent the risk of fraudulent payment methods; and so on. This new regulation will have a substantial impact on them, and will add a new regulatory requirement for customer information and for administering and using data.

The banks have held digitalised information since the 1970s but, until recently, it has been contained in closed systems allowing for a high degree of security and confidentiality. The information has not moved outside the bank, and has sometimes only circulated with difficulty from one subsidiary or department to another. To tackle these problems, successive layers of IT developments piled up, creating stratification and complex processing, and making it difficult to access the original information.

However, for some years now, work has been under way to enrich, process and use the data in a more ordered and effective way, and to ensure increased security in open systems. Undertaken under regulatory constraints, this work was intended to meet the requirements of the Basel Committee (BCBS 239 — Risk Data Aggregation and Reporting Principles), the European Banking Authority (Payment Services Directive 2) or the European Commission (fight against money-laundering).

These projects, launched before the adoption of the GDPR, did not always take account of individual rights and obligations regarding information. They will have to be reviewed in order to build a fluid data path integrating the goals of compliance with this regulation, reporting capacities, portability and erasure at every stage of collection and processing.

This is a major commercial challenge, since customers regard data management as a key factor when they choose a service provider (see graphic). The chief data officer, a recent position in the banks, looks set for a busy future.

Survey conducted between 3 and 5 May 2017 on a sample of 1’000 people (15 years and over).
Source: Mazars-Elabe

A French version of this article was published in the Agefi Hebdo on 31/08/2017.