United Kingdom: Data Protection Decreed
Product Manager, Infosys Finacle
The UK has long been a leader when it comes to financial technology. Surveys from different consulting firms continue to reaffirm London’s top spot as the FinTech capital of the world, alongside Singapore.
2017 was a record year for UK tech investment, and the trend appears to be strengthening in 2018.
The UK’s growing challenger bank Revolut has recently raised $250 million (£179 million) in Series C funding and is now valued at $1.7 billion (£1.2 billion). FinTechs based out of London are active in almost every sector: digital-only banking, P2P payments, open APIs, blockchain, risk management, wealth management, and AI; Google’s DeepMind is based in London too. Beyond this, the UK Government has also released its FinTech Sector Strategy, setting out plans for preserving and increasing the UK’s presence and influence in the sector globally.
Apart from all this progressive action, one major initiative that has captured everyone’s attention and channelled their compliance efforts is the General Data Protection Regulation (GDPR). The GDPR came into force in the EU and the UK (despite Brexit) on 25 May 2018. In this short article we take a look at the regulatory mandate, explore its impact on innovation and digitalization, and provide our recommendations.
The GDPR is a new law that gives individuals, such as customers and employees, increased rights over and transparency into their personal information. The law gives individuals the ability to exercise rights such as accessing or correcting their data. The GDPR applies to organizations located within the EU and the UK, and also to organizations located outside the EU that process the personal data of EU residents as part of their business transactions. Of course, the GDPR will not be the only data protection law in the UK. The UK Data Protection Act 2018 is also on the anvil and will further bolster the purpose of the GDPR.
The GDPR is by far the strictest data protection act in the world, with very detailed provisions on personal rights. Organizations that fail to meet its requirements, such as providing the required proof of proper handling of sensitive data, are liable for penalties as high as £17 million or 4% of global turnover from the previous financial year, whichever is higher.
The GDPR includes a set of exemptions to balance privacy against other rights, such as the right to conduct medical research based on personal data. It also defines the conditions for implementing the “right to be forgotten” clause. Other exemptions include provisions for small and medium enterprises (enterprises with 250 or fewer employees), and locally defined rules from individual member states. Banks and FinTechs need to study these exemptions carefully to optimize the effort they spend.
1. User consent is critical to process data
After 25 May 2018, organizations in the EU are required to obtain clear, unambiguous and freely given consent from users for each data-processing activity (e.g., behavioral targeting and remarketing). They are required to tell users exactly what their data will be used for, list the companies they will share the data with, and state how long they will keep the data.
Banks and FinTechs that make heavy use of customer data must obtain user consent and provide a proactive privacy notice. Meanwhile, the GDPR also defines alternative lawful bases for exceptional scenarios in which an organization faces challenges in securing consent from individuals. For instance, organizations could consider relying on legitimate interests (GDPR Article 6(1)(f)). However, these should not be viewed as easy alternatives. They merit careful consideration as banks walk the tightrope between their own interests and the privacy rights and freedoms of individuals.
2. The Right to be Forgotten – the most crucial clause of GDPR
“The right to be forgotten” is probably one of the most important concepts introduced by the GDPR. In addition to the new requirements for gaining consent for data capture and processing, the GDPR makes it abundantly clear that consent can be withdrawn and revoked at any point in time. The responsibility for deleting and removing data ‘without undue delay’, and specifically within a month unless particular circumstances apply, lies on the shoulders of the data controller. This means banks and FinTechs need a better way to store customer data and to delete it when required.
Where personal data has been shared with third parties by the data controller, the situation becomes even more challenging. The GDPR states that it is the data controller’s responsibility to take ‘all reasonable steps’ to inform those other parties of the request for erasure and to ensure they comply with the deletion or removal. Implementation could well prove a challenge, and many questions remain unanswered from both legal and technical perspectives.
3. Impacts on FinTech innovation
Data protection and customer privacy are constantly challenged by new technologies. Digital, social, the internet of things, cloud, big data, machine learning, and blockchain all bring new challenges for protecting data, spanning the consent mechanism, conflicts or grey areas regarding a data processor’s responsibilities, and the boundaries of what counts as personal data. Below we summarize the GDPR’s impact on cloud, AI and blockchain.
Prior to the GDPR, the exact responsibility of a cloud service provider was largely determined by common sense and business contracts. Now the GDPR has made it clear that the data controller and the data processor both share responsibility for data protection. Under the GDPR, a cloud service provider (as a data processor) must take the necessary measures to be GDPR compliant. The current operating model may conflict with the GDPR (e.g. the right to be forgotten). The GDPR spells out the different tasks owned by a data processor (that is, a cloud service provider or a FinTech) and a data owner (that is, a bank). For instance, a data processor should not outsource any activity to another data processor without the consent of the data owner.
Overall, the GDPR will have a major impact on the cloud ecosystem. It requires cloud service providers to rethink their data processing mechanisms, including breach response and coordination, the processing of personal data outside the European Economic Area, and data portability for the controller.
A widely shared tweet by Prof. Pedro Domingos surfaced some time back: “Starting May 25, the European Union will require algorithms to explain their output making deep learning illegal.” Although machine learning has its own challenges in explaining how algorithms arrive at a result, Prof. Domingos’s tweet exaggerates the impact of the GDPR on AI. The GDPR does not explicitly require data processors to explain their automated decisions about data processing. Nevertheless, banks and FinTechs should continue their efforts to improve the transparency of AI algorithms, and must ensure that users are notified of the basic rules behind decisions made about their data.
A blockchain is, at its core, a distributed database based on consensus algorithms. It is a revolutionary approach not only for operating models but also for data protection. However, the GDPR is still fundamentally a centralized mechanism for data protection, whereas blockchain is a decentralized data processing model, which requires a more holistic approach to GDPR compliance. Most of the data on a blockchain, including key transaction data, is personal data. Miners and node owners on a blockchain are considered data processors, so they need to comply with GDPR requirements. For example, a blockchain may be asked to execute “the right to be forgotten”, but technically this is impossible: a data processor simply cannot (even if it wants to) “erase” data from a blockchain, given the nature of the architecture. Banks and FinTechs should keep an eye on the ongoing discussions about exempting blockchain from specific GDPR provisions.
Banks are actively preparing for the GDPR. For instance, HSBC has updated its privacy notice to customers. The notice explicitly says that the GDPR does not change the way the bank uses its customers’ personal information, and that its commitment to looking after customer data stays the same. Barclays has taken a similar step.
On the other hand, there are still numerous challenges to implementing the GDPR effectively. Bank CIOs should carefully evaluate the impact of the GDPR on their existing data protection policies, in particular in the areas of digitalization, cloud, big data and blockchain initiatives. The changes brought about by the GDPR have only just begun. Banks should keep their eyes and ears open, and be prepared for a long journey in implementing the GDPR.