In less than 12 months the European Union’s new regulation on data protection, the GDPR, will become applicable. It will have a significant impact on how we collect, store and manage personal data. In this sponsored post, John Karantzis, founder and CEO of iSignthis Ltd, breaks down the new rules and explains what you need to know.
The application of the European Union’s (EU) General Data Protection Regulation (GDPR) is now less than 12 months away, taking effect from May 2018. We’ve all heard about the prospective fines, which start at a €10m minimum and work their way up to 4% of the worldwide gross revenues of the Firm.
What is the GDPR?
The GDPR enhances the data protection rights of EU data subjects whenever their data is processed, stored and used. It regulates, and provides a means for, a data subject’s ability to gain access to their information and ultimately to have it erased, rights known as the ‘right to erase’ and the ‘right to be forgotten’.
In general, organisations will need to provide easier access to personal data, with clear and easily understandable information on its processing, use and storage.
Obligations of AML Regulated and Payment Firms
The obligations on Payment Service Providers (PSPs) and AML Obligated Firms are outlined below. Whilst the obligation is firmly on all entities that collect customer data, AML Obligated Firms may benefit by taking some preparations in terms of data security, storage and management that can be handled by specialist providers on behalf of Firms.
Firms are encouraged to seek specialist assistance in terms of identifying and framing the risks, developing suitable procedures and then taking appropriate safeguards.
PII and PCI Data
As almost all Firms have online payment facilities, they will generally not think twice about outsourcing data management, with their PSP managing the security and storage of their customers’ payment card industry (PCI) data. This hasn’t always been the case historically: Firms initially attempted to manage the collection and storage of PCI data themselves. The introduction of the original Payment Services Directive, and the subsequent push over the last decade or so to comply with the Payment Card Industry Data Security Standard (PCI DSS) or face fines, have made outsourcing data management a commercially viable, lower-risk approach.
For those Firms that operate outside the EU, understanding the GDPR needs to start with understanding what PII is. In the US, the law provides multiple definitions of PII under a number of Acts, most of which focus on whether the information is associated with an identified person.
By way of contrast, in the EU there is a single definition of personal data for all applications, which will soon be governed by the GDPR or, until then, by its still-in-force predecessor, the European Commission’s (EC) Data Protection Directive 95/46/EC. The GDPR’s definition covers all information identifiable to a person. Even if the data alone cannot be linked to a specific individual, if it is reasonably possible to identify a person by combining the data with other information, whether available in the public domain or exposed as part of a data breach, then the data is PII.
Many of the GDPR’s main concepts and principles are similar to those in the current Data Protection Directive. So, if Firms are complying properly with the current regime, then most of their approach to compliance will remain valid under GDPR.
Implied vs Explicit Consent
One of the key impacts for AML Obligated entities will be around when and how they gain consent from their customers for using their personal data. A person’s consent will have to be gained explicitly via affirmative action and there will be stringent requirements for it to be freely given, informed and specific. Individuals will have new rights that will have to be adhered to including a ‘right to be forgotten’ and a ‘right to object’ to their details being used, transferred or held. This is not inconsistent with the Payment Services Directive 2 (PSD2), where customers who are Payment Services Users (PSUs) must actively and explicitly consent to a transaction, including the collection of amount, payment and personal data, and incorporating a Strong Customer Authentication process.
So, the popular approach of assuming implied consent and other forms of subtle, presumed or hidden acceptance to storing and using a customer’s data is no more.
Privacy by Design vs AML Carve Outs
Whilst the GDPR is very focussed on minimising what data is collected and justifying the purpose for which it is collected, it does allow a ‘carve out’ for the PSD2 and the 4th Anti Money Laundering Directive (4AMLD) to operate as intended. So, a balance will need to be struck, whereby customers will need to be advised that data is being collected from them and about them, and will be analysed and stored for the purpose of complying with the 4AMLD, without a ‘right to be forgotten’.
The data may also be shared without the customer’s explicit knowledge with Financial Intelligence Units (FIUs), law enforcement agencies (LEAs), financial regulators and other entities associated with the processing of payments, identity verification or delivery of the regulated service, provided that the customer explicitly consents to the payment transaction.
Whilst the GDPR has a provision that Customers may withdraw their consent to any use of their PII data at any time, the PSD2 and 4AMLD requirements override that, and require the data to be retained by the PSP, Firms and/or AML Obligated entity.
It must be remembered that these factors will influence how to lawfully retain customer data, if there is an extended need to do so. Firms must be able to distinguish between data that has been collected for compliance purposes versus marketing or service optimisation.
Analysing your business and data flows through your internal processes is vital. Firms should give thought to:
- Categorising the type of data that is being collected. What type is it? (PII, PCI, AML, Marketing etc.)
- How is data collected and used?
- Is data suitably depersonalised where it doesn’t need to be specific?
- How does the above data overlap between mandatory requirements (e.g. AML) and optional (marketing)?
- Who is collecting or using that data?
- Where is that data being collected and used and where does it go? (Who sees it and why?)
- When is it being collected and used?
- Is there any repeated or unnecessary data collected?
- Why is it being collected and used?
- How is it being stored and for how long?
- Which data is not subject to “right to forget” or “right to object” and why?
Data Protection Officer
This is a key role under the GDPR, and organisations should appoint a person to manage this role. It is extremely unlikely that any regulated Firm would be able to avoid this obligation. Typically, it would be anticipated that the role can be fulfilled by the MLRO or Compliance Officer, unless the organisation is very large.
The GDPR has been framed in such a way as to give individuals better control over their personal data. The GDPR has established one single set of data protection rules across the EU, which are not subject to state by state ‘transposition’ and thus local interpretation. Firms are required to “implement appropriate technical and organizational measures” in relation to the nature, scope, context and purposes of their handling and processing of personal data.
Data protection safeguards and ‘privacy by design’ must be incorporated into products and services. The data protection safeguards must be appropriate to the degree of risk associated with the data held and might include:
- Tokenisation, pseudonymisation, and/or encryption of PII and PCI data.
- Compliance with PCI DSS and the European Banking Authority’s (EBA’s) ‘Security of Internet Payments’ and the EBA’s Regulatory Technical Standard on Strong Customer Authentication.
- Ensuring the ongoing confidentiality, integrity, availability and resilience of systems.
- Restoring the availability and access to data in a timely manner following a physical or technical incident.
- Disaster recovery processes.
- Introducing a process for regularly testing, assessing, and evaluating the effectiveness of these systems.
- Introducing a breach policy, including management, notification and residual data safeguarding.
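The following added example (not code from the original post or from iSignthis) shows how the data-flow questions above and the pseudonymisation safeguard fit together in practice: each stored field carries a category, an erasure request removes only the categories that are not subject to the AML/PCI carve-out, an uncategorised field aborts the request rather than being silently kept or deleted, and the audit entry is keyed by a pseudonym so the log itself is not a new copy of PII. The key, categories and sample record are constructed for illustration.

```python
import hmac
import hashlib
from typing import Dict, Tuple

# Constructed demo key; in production it comes from an HSM/KMS, never source code.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"

# Retention basis per data category. AML and PCI data sit under the 4AMLD/PSD2
# carve-out and survive an erasure request; marketing data does not.
ERASABLE = {"marketing", "service_optimisation"}
RETAINED = {"aml", "pci"}

# field name -> (category, value)
Record = Dict[str, Tuple[str, str]]


def pseudonymise(identifier: str) -> str:
    """Keyed hash: stable for linking compliance records and audit logs,
    but not reversible without the key (pseudonymisation, not anonymisation)."""
    return hmac.new(PSEUDONYM_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def handle_erasure_request(customer_id: str, record: Record) -> dict:
    """Apply a 'right to be forgotten' request to one customer record.

    Erasable categories are dropped, retained categories are kept with their
    legal basis listed, and any uncategorised field aborts the request so that
    data is never kept or deleted without a classification decision.
    """
    uncategorised = [n for n, (cat, _) in record.items() if cat not in ERASABLE | RETAINED]
    if uncategorised:
        raise ValueError(f"classify before processing: {uncategorised}")
    erased = sorted(n for n, (cat, _) in record.items() if cat in ERASABLE)
    kept = {n: v for n, v in record.items() if v[0] in RETAINED}
    return {
        "subject": pseudonymise(customer_id),  # audit key, not the raw customer id
        "erased": erased,
        "retained_basis": {n: cat for n, (cat, _) in kept.items()},
        "record": kept,
    }


# Constructed sample record mixing compliance and marketing data.
SAMPLE: Record = {
    "full_name": ("aml", "A. Example"),
    "date_of_birth": ("aml", "1980-01-01"),
    "card_token": ("pci", "tok_constructed_123"),
    "newsletter_email": ("marketing", "a.example@example.invalid"),
    "browsing_profile": ("service_optimisation", "segment-7"),
}

if __name__ == "__main__":
    print(handle_erasure_request("cust-0001", dict(SAMPLE)))
```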
Risk, Risk and …more Risk
Risk is to be treated as a continuum, and the GDPR requires Firms to do more, particularly as their processing of sensitive PII and of financial information collected under MiFID poses increased prospects of harm or damage. The GDPR classifies risk into a category of either “risk” or “high degree of specific risk.” This distinction is important, as “high degree of specific risk” activities require distinct obligations and prior consultation with the relevant data protection agency. As a result, identifying the quantum of risk, and the extent to which the “high degree of specific risk” category applies, are significant matters for consideration by the Firm. Adoption of ISO 27001 is a good starting framework for classifying risk and securing against specific threats.
Data Breach obligations
Data breaches must be notified to regulatory authorities within 24 hours, and in “high degree of specific risk” situations where PII or PCI data has been exposed, the individuals whose data may have been compromised (whether exploited or not) must also be notified. These notifications are in addition to the notifications required under PCI DSS obligations, card scheme rules, 4AMLD and PSD2 requirements.
All data must have proportionate levels of security driven by the level of risk that the specific data carries, with PCI and PII data rated highest risk. All Firms have security obligations under the GDPR and can be in breach if they don’t take proactive steps to maintain privacy and security of data.
Watchdogs not Watchpuppies
The regulators now have bite to go along with the bark, with the power to raise fines for a breach of the GDPR of up to the greater of 4% of total annual worldwide turnover or €20,000,000. The watchpuppies are now serious watchdogs.
Firms should consider carrying out data protection impact assessments, adhering to codes of conduct and proactively seeking certification through approved third party mechanisms such as ISO and PCI. Data security can also be entrusted to PCI and ISO certified third parties such as iSignthis, and incorporated into a Firm’s privacy management procedures.
Ultimately, Data Protection Agencies will be looking to see that privacy by design is being taken seriously.
This post is sponsored by iSignthis. Content written and provided by iSignthis. PlanetCompliance only publishes sponsored content from companies whose products and services we think our audience will find valuable or interesting. It has been drafted by John Karantzis, iSignthis Ltd CEO and Managing Director. John is the founder and Managing Director/CEO of Australian Securities Exchange listed iSignthis Ltd (ASX : ISX). John holds qualifications in engineering (University of Western Australia), law, and business (University of Melbourne), with a broad understanding of international regulatory regimes as they relate to payments, money laundering and identity. John has over 20 years’ experience across a number of sectors including payments, online media, AML, defence and secure communications. In particular, John’s experience includes the application of technology to assist with remote enhanced due diligence across a number of FATF legislative model jurisdictions. Areas of relevant expertise include the identity verification requirements for eIDAS, 3AMLD, 4AMLD, JMLSG and CySec. John has previously been Managing Director/CEO of Australian Securities Exchange publicly traded ReelTime Media Ltd (ASX : RMA) and Director/CEO of Data & Commerce Ltd (ASX : PNW).