Presentation at the Digital Finance World 2018 in Frankfurt, Germany
So, yes, I head up the privacy and data protection team at, and I have to start by saying that the thing I've done for the past 15 years is working in highly regulated environments, trying to combine different regulations. And we've heard this before: as I'm sure you, working in digital finance, have to do on a daily basis. And my first piece of advice on this, when you're trying to combine different regulations, and now we're facing a situation whereby GDPR is coming, PSD2 is coming,
and to an extent some of these things look quite conflicting with each other, my number one advice would be: don't treat these things separately. And what I've done for the past 15 years is working with businesses and trying to make it work for them. I'll try and explain this by talking about transparency. We heard about transparency, but I'm going, in 20 minutes, through what the concept of transparency is. So is transparency a new concept? No, it's not. However, transparency has become very, very important with the GDPR.
And together with accountability, accountability and transparency are actually the most important concepts within the new legislation. And they do take a different meaning when we look at the PSD2 directive, and I'll get to that. So in your businesses, when you try and implement GDPR and at the same time work together with PSD2 and other financial regulations, the first thing about transparency is understanding, in your organization, in your business, what the definition of personal data is, and looking at the definition of personal data.
Under the GDPR it is not the same as it used to be before. So, okay, identifiers now fall under that category. So it's really important to understand what personal data means to you and to your organization. So what are the other steps to ensure transparency? First of all, as I said before, is understanding the data that you hold. And once you've done that, it is really trying to understand what the purpose for processing personal data is and what the legal bases for data processing are. And this is a very thorough exercise that you have to do under the GDPR. Consent was mentioned before.
Legitimate interest and contractual basis were mentioned before, and all that. Look, establishing the legal ground of processing is key, because all the requests that you will receive from data subjects depend on the legal basis for processing. So for example, take data portability: data portability applies when you are processing personal data for contractual purposes or where data has been given to you under consent. The same applies to the other data subject rights.
So identifying why you're processing their data is one of the most important exercises that you can do under the GDPR, and I mean, be very thoughtful about it. Now, consent was mentioned, and I want to come back to that, because I feel that there is a lot of talk about consent and legitimate interest. And the main misunderstanding around the GDPR is that legitimate interest is an easy way to do things.
It's not. Because if you say, I'm going to process this data because it's my legitimate interest, well, the burden of proving that you're doing the right thing is on you, and you have to run a balancing exercise. And sometimes I sit down with businesses and say to them, okay, you're claiming that you're using legitimate interest. Can you prove that to me? Can you prove that your legitimate interest does not override the rights of the data subject? And it's not an easy answer. Establishing a legal basis for processing is also important
if you want to repurpose data, which you can't, or if you plan to do data analytics. Then you have to be very careful whether you use legitimate interest or consent, because that will have an impact on whether you can, or what safeguards you can put in place for, data analytics. So pay a lot of attention to that, because that is absolutely important.
Again, how to ensure transparency: evaluate and justify retention periods. Now, working in finance, I've worked in Barclays, and there are conflicting priorities, but the GDPR is helpful in relation to that, because if you have a legal obligation to retain the data, you retain it. So justify your retention periods. And this is also important
if you get a subject access request: you can justify your retention periods based on your legal obligations. Identify which parties within the EU may have access to personal information and establish a legal basis for transferring personal data outside the EU. Transferring personal data is a very complex issue. And you know that you can rely on consent to do that, or on a contractual arrangement, but be very careful to make sure that, especially if you rely on consent for transferring data to a country that has no adequacy status,
you tell the data subject that this is happening and what the implications are for them if you transfer data to a country which has no adequacy. And of course, it was mentioned before, pay attention to the Privacy Shield and the debate about that. So as I said before, provide guarantees to individual rights, and this is a key thing about the GDPR. Now, the GDPR is about putting the data subject at the heart of whatever you do, and there are many ways you can, you know, talk around it, but the GDPR is about data subjects, and it's about rights. And it's about you,
as a business, trying to turn that into a fantastic opportunity to run a customer-focused, customer-centered business, which in turn can be a fantastic marketing opportunity for you. And as I said before, the reason why the lawful grounds for processing are so important is because all these rights depend on them, on what the lawful basis is that you've chosen to process the data. So, GDPR and security: the myth is that GDPR is about security, but it's not a security legislation. And this is what I always say: there is no fixed solution.
GDPR is about understanding the law, understanding your risks, and applying the legislation to your business: encryption for data confidentiality and integrity where you can, secure connections, creating segregation of duties, security by design. These are important steps to ensure transparency, but the most important thing is risk. The GDPR is not one-size-fits-all; the policy is not. The first thing about GDPR is understanding the risks to your individual organization. And always, as was mentioned before, it's not a checklist, it's not a compliance checklist.
It's really an exercise that applies to your own business. Quickly, from transparency to the most important principle of the GDPR, accountability: whatever you do, you don't just have to comply with it, but you have to demonstrate that you comply with it. We don't know what compliance is, and don't trust solutions that say they would make you compliant. We don't know what compliant is. We don't know because the legislation hasn't been tested yet, because we have gray areas.
Look, for example, at the interaction with PSD2; but we have gray areas within the legislation. So Article 5 and Article 24, very important in the legislation: make sure that you demonstrate that you take every reasonable step to comply with the legislation, and record it. And if you do get a data protection authority coming to you and saying, oh, can I see your journey? You'll have to show them your risk-based approach and every single step that you've taken to meet the requirements of the legislation. And as you can see from this, it's not a one-size-fits-all policy.
It really depends on your organization. So what does it mean to be accountable? Accountability: there is little guidance within the legislation, and what we know is that it has to be risk-based. What we know is that the measures that you decide to implement depend on the nature of your organization. So Recital 75 defines the risks.
Of course, the risk is higher if you process special categories of data. And now we come to a complication, and I'll come to it in a bit, shortly, which is what it means, high risk. And as you know, PSD2 introduces the concept of sensitive data, which makes the relationship between PSD2 and GDPR a bit complex, but high-risk data comes first. So if you process high-risk data, that has to get the priority.
And then you start from there. So you look into the data that you process, you understand it, you try to understand your risks, so high-risk data, and also try to match this with your whole organization. So for example, the likelihood of security breaches happening, or what the most complex data processing is that you have. Recital 76 says that the risk must be assessed in an objective manner to decide whether it is high or not. The reason why I say this to you is because this is the background to the implementation of GDPR.
And there's no point in starting with a compliance checklist; really, before you implement anything, it's really understanding what the GDPR means to you and to your own organization. These are the list of policies and procedures that you need to put in place. And it was mentioned before about privacy notices that you need to serve at the right time, in the right language. So how do you go about accountability in GDPR? Put in place your privacy governance structure, know your data, create information notices and establish your legal ground for processing data,
as we were saying before, and implement your technical and organizational measures. Now, you know, GDPR doesn't say much about security. It just says: implement technical and organizational measures.
So again, it's an assessment that you have to make based on your own organization. And the key thing, privacy by design: really don't underestimate that; particularly in digital finance, privacy by design is absolutely crucial. And if you have a moment, go onto the French data protection authority; the guidance they've published on privacy by design and privacy impact assessment is absolutely fantastic.
I'm going to rush through this just to mention very quickly: we've talked about consent, what GDPR consent is, but I just wanted to go to PSD2 and GDPR. It's a topic that fascinates me very much. I find that there are areas which are very gray in relation to that. And I find that the Information Commissioner's Office is being very helpful. They say: we will work together with the financial regulator to try and find a way to work together in time. We just have to navigate through this. And that's why I'm saying to people,
it's really: let's try to navigate this. Now, PSD2 enables data portability; it enables banks to comply with the data portability requirement, which, you know what it is, basically says you need to give customers the possibility to port their data in a readable format, and PSD2 enables that. So it enables banks to comply with that. But there is that combination between these two pieces of legislation. And of course, being obliged to give that access to TPPs of course poses a risk to security.
But there is one question, and this is number one; there are three main issues with the interaction between the two pieces of legislation, and I'm trying to help organizations navigate this. The first is data breaches.
Now, who is the data controller? It's the bank. Well, when the bank gives data to a third party provider, the third party provider becomes the controller. So there is an issue there, of there not being a contract in place between the two, with both having to implement technical and security measures to deal with security and data breaches. And this is, but the elephant in the room about the interaction between the two pieces of legislation is consent. Now, my view is a three-step process. The customer sees an option to share data
with third party providers for a specific purpose, and the providers serve the customer a fair processing notice. Consent is required also for collateral activities. I've seen third party providers wanting, for example, to gather consent to access that customer's bank account. But be careful: that doesn't mean that they can market to their client. If they want to do that, they have to collect consent separately. And customers then go directly to their data provider, for example the bank, to provide consent.
So that's how I see the process happening. But now, what does the bank have to do in relation to the third party providers? Does the bank have to make sure that the TPP cannot access information beyond what they should be accessing? So does the bank have to put in place some sort of redaction, so that the TPP doesn't access all the information beyond what they are legitimately supposed to access?
So this is why, you know, navigating through both regulations is complex. Quickly: implement cyber security, only retain personal data for as long as necessary, and develop a mechanism to implement withdrawal of consent by the customer. Implement a mechanism to enable you to deal with all data subject rights. Avoid processing data about other individuals that may be mixed up in the customer's data. So for example, the recipient of a payment from the customer is not information that a TPP should be able to see.
It's not for them. Avoid transferring data to other organizations if possible, and avoid transferring data outside the EEA, or make arrangements, and avoid automated profiling unless people have agreed to it. Be careful with automated profiling, because even pseudonymized data is personal data under the GDPR. So if you do work on tokenized data, be careful about what the GDPR says about that. So just in a nutshell, the relationship between PSD2 and GDPR is not an easy one.
It requires a really deep understanding of how the two interact, a deep understanding of your organization and a risk management approach, particularly in relation to the big issues, which are consent, the definition of sensitive data in PSD2, data breaches and where the responsibilities lie, and also in relation to data scraping, which, you know, is a complex one because it's now been reintroduced at least as a last resort for banks.
I'm going to be around if you want to ask me questions now or later, but that is a very fascinating topic, because working across different regulations not only is possible under GDPR, but it really requires handling all this legislation together and not in silos. Thank you.