
The fintech sentiment: Data Privacy Day 2023 and the policies protecting financial services

Madhvi Mavadiya


Head of Content, Finextra

Data Privacy Day, also referred to as Data Protection Day in Europe, is an international event that takes place every year on 28th January and promotes privacy best practices. The day also marks the anniversary of the Council of Europe’s Convention 108, opened for signature in 1981, which was the first legally binding international instrument in the field of data protection.

According to the Council of Europe: “Under this Convention, the parties are required to take the necessary steps in their domestic legislation to apply the principles it lays down in order to ensure respect in their territory for the fundamental human rights of all individuals with regard to processing of personal data.”

Why is this year different? In 2023, we have reached a tipping point where data privacy policy reform is necessary and non-negotiable. As consumer attitudes shift and policies are implemented to ensure data is used in a controlled and secure manner, these changes can have a significant impact on fintech firms, financial institutions and all members of the ecosystem that rely on data, financial or otherwise.

Following Data Privacy Day, we’ve compiled the key observations and opinions of experts across the fintech industry to take the pulse of the sector in our latest Fintech Sentiment Series article.

Data privacy and protection, a global effort

In Baker McKenzie’s view, data transfer continues to be a talking point within the European Union. Alongside this, organisations are still enduring the implications of the Schrems II judgement and grappling with the EU-US Data Privacy Framework.

Further afield, “there is a proliferation of new privacy laws and amendments to existing privacy laws to keep up with. These range from new laws (or amendments to existing laws) which have now come into force, laws or amendments that are expected to come into force this year, as well as discussions or proposals for future reforms.

“In particular, there are developments to be aware of in Australia, Japan, Taiwan, Vietnam, India, Qatar, UAE, Saudi Arabia, Türkiye, Canada, Argentina, Vietnam, Switzerland, several US states and the UK. Almost half of these are G20 economies so we expect such changes will be important given the inextricable link between information driven trade ecosystems,” the Baker McKenzie report reads.

Data privacy and protection trends

Baker McKenzie outlines the status of each data policy that could have an impact on the financial services industry in 2023.

UK Data Protection Reform

Although the Data Protection and Digital Information Bill, otherwise known as the DPDI Bill, was published in July 2022, it has not yet progressed through the legislative process. GDPR in the UK will not be replaced, but there will be a shift away from viewing regulation as a box ticking exercise in 2023.

UK Addendum and International Data Transfer Agreement

Since 21 September 2022, new contracts that involve transfers of personal data to jurisdictions outside the scope of UK GDPR must use either the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses. Existing contracts concluded under the clauses approved under the Data Protection Directive (the Directive SCCs) remain valid under UK GDPR until 21 March 2024, provided the processing operations and the contract remain unchanged and the data transfer remains secure.

ICO Guidance and Transfer Risk Assessment Tool

The UK Information Commissioner’s Office (ICO) published new guidance on data transfers in November 2022, and provided a new transfer risk assessment (TRA) tool. Companies can also choose to follow the European Data Protection Board’s (EDPB) advice.

Future UK Adequacy Regulations

The UK Government will be issuing new post-Brexit adequacy regulations and will be conducting adequacy assessments with Australia, Colombia, the Dubai International Financial Centre, Singapore, the US, and South Korea. In the future, this group will include India, Brazil, Indonesia, and Kenya. In addition to this, the UK’s adequacy regulations will also cover credit information processed by controllers.

ICO25 and future regulatory approach

ICO25 will aim to regulate and review the impact of predatory marketing calls, the use of algorithms within the benefits system, the use of AI software in recruitment that was not designed and tested with neurodiverse people or ethnic minorities in mind, and support for children’s privacy.

Colum Lyons, CEO and founder of ID-Pal, shares his view on UK policy and regulation. “Data Protection Day is an important reminder of the role we all play in data privacy and protection as a global cause. In 2020, many industries were forced to move their processes fully online. For example, in the UK, temporary Covid-adjusted guidance on how to conduct Right to Work checks was introduced for employers, and now the ability to perform checks digitally is permanent.

“The digitalisation of manual processes improves the user experience and offers enhanced security when processing and storing personal documents and data. Individuals can assess whether data is being handled in a compliant, secure way, something that is impossible to confirm with a manual method.

“It’s crucial businesses are aware of their duty to protect all customer and employee personal information. Organisations can reduce risk and vulnerability to fraud using digital identity verification to securely verify identity and address documents. They should also question vendors on what their approach is to data protection and privacy. How do they ensure the highest standards are in place across their framework, so that your business is not put at risk? By integrating these digital solutions that also have data protection at their core, companies can overcome their vulnerabilities and develop trust with customers from day one.”

Canadian Artificial Intelligence and Data Act (AIDA)

While there is no AI specific legislation in Canada, AIDA “would require organisations that design, develop and use AI systems to identify, assess, manage, and mitigate risks and biases associated with high-impact AI systems.” With this regulation, there would be new criminal prohibitions and penalties for unlawfully obtained data being used for AI development, where careless deployment of AI systems poses serious harm, and where there is fraudulent intent to cause substantial financial loss through the deployment of the AI system.

A new survey published by Interac found that nearly eight in 10 Canadians (76%) are worried about protecting their online privacy, and seven in 10 (74%) want more control over their online information. Further to this, sign-in – the act of verifying your identity to access online services or activities – is what Interac views as a critical moment for organisations to build trust with their customers by giving them more control over their personal information.

53% believe organisations are responsible for protecting their personal information, and 69% would hold them accountable in the event of a data breach. Despite this, Canadians continue to sign in through services in which they report low levels of trust and confidence. For example, 58% say they use their social media accounts to log in to other online services, yet only 11% trust these accounts to store their personal information. 

Colette Stewart, senior legal counsel and privacy lead at Interac, says that “when customers sign in to an online service, they are putting their trust in that provider to keep their data safe. As Canadians hold organizations accountable for the use and storage of data, entities of all sizes have an imperative to provide clear guidelines on how personal information will be used and to enable increased control for users when it comes to managing their privacy online.”

Hong Kong cybersecurity legislation

The Hong Kong Government aims to strengthen cybersecurity of critical information infrastructure (CII) by imposing network security obligations on operators of CII. Examples of CII include water, electricity, coal supply, communication networks, transport services and financial institutions.

India Digital Personal Data Protection Bill 2022

In November 2022, the Ministry of Electronics and Information Technology of India introduced a draft of the Digital Personal Data Protection Bill 2022 (DPDP Bill). This follows an earlier, similar bill that was withdrawn after pushback from stakeholders.

Preekshit Gupta, vice president, APAC & MEA, Bureau.id, believes that Data Privacy Day “is a reminder that data privacy is a fundamental right, and companies must take all necessary steps to ensure the safety of customers' data. With the emergence and growing usage of new-age technologies like artificial intelligence and machine learning, organisations can use them to detect and prevent data breaches, identify fraudulent behavior and protect user privacy. Machine learning algorithms can process large volumes of data to identify potential threats and protect user data.”

On Indian policy, he adds that the “recent draft of the data protection laws released by the government also placed significant penalties for any company breaching the regulations. Data security is the cornerstone of online financial transactions, and the rise of cybercrime makes it a priority for companies across sectors, especially digital lending and e-commerce, to ensure that their customers’ personal information remains safe. The Reserve Bank of India has showcased concerns around the digital lending space and has also issued clarifications on digital lending, reiterating the need to protect borrowers' data lenders.

“While traditional data protection laws such as the Information Technology Act and the Personal Data Protection Bill provide a basic framework for data privacy, it is also essential that companies invest heavily in data security and data privacy infrastructure to safeguard their customers.”

Mexican Data Protection Regulator

In 2022, the INAI published recommendations “to exercise extreme caution when making purchases online. These recommendations focus on the precautions individuals can take to avoid becoming a victim of cybercrime when carrying out an online transaction.”

Peruvian Data Protection Authority

The PDPA has conducted important actions aimed at ensuring the protection of personal data, including the issuance of 173 resolutions aimed at safeguarding data subjects and supervising 317 public and private entities, most of them acting in the financial and telecommunications sectors.

Qatar 2021 Regulations

The Qatar Financial Centre (QFC) has issued new data protection rules known as the 2021 Regulations which came into effect on 21 May 2022. The new regulations will establish a new Data Protection Office led by a Data Protection Commissioner, introducing purpose specification, data minimisation, new rights and additional transparency for controllers.

DIFC Data Protection Law

On 8 March 2022, the Dubai International Financial Centre (DIFC) Authority enacted the DIFC Laws Amendment Law, DIFC Law No. 2 of 2022, which includes amendments to clarify the process for individuals to seek judicial redress, increasing accountability for controllers and processors when handling requests for data access. This also grants more authority to the data regulator Commissioner of Data Protection and will introduce a $75,000 penalty.

Hamad Sayah Al Mazrouei, CEO of ADGM Registration Authority, posits that the “ADGM acknowledges the fundamental right of data privacy and protection and emphasises it not just through words but through mandates and policies for the local and global community based in the international financial centre.

“As an authority, we take our responsibility seriously and are continuously addressing the emerging challenges from the rapid acceleration of the digital ecosystem that we are all part of. ADGM’s Registration Authority is the sponsor of ADGM’s overall data protection frameworks, which have been part of ADGM’s legal frameworks since its establishment, a reflection of the importance we have placed on data protection and privacy since the beginning.”

Sweden Enforcement Action: Transparency

In 2022, the Swedish Authority for Privacy Protection issued a decision where a fintech company would be fined approximately EUR 720,000 if it was unable to adequately provide information to its customers for one of its financial services.

Baker McKenzie’s report summarises all of these data privacy and protection developments and trends.


Top tips for leveraging customer data

Tim Bowes, Dufrain’s associate director who heads up the Data Strategy, Architecture and Management competency, has provided Finextra with three top tips to help businesses leverage customer data while also respecting the consumer’s right to privacy.

  1. Build trust by taking customer preferences seriously and listening to what consumers want, in line with regulation such as the EU GDPR;
  2. Manage and take advantage of vast amounts of data while ensuring privacy;
  3. Harness trust to retain customers.

Bowes advises organisations to use Data Privacy Day as a “valuable chance for businesses to reflect upon the current state of data governance in their organisation, while acting as a prompt to identify any opportunities for improvement. In general, the more transparent a business is on the usage of consumer data, the more likely its customers will be to trust that business and opt-in to share their information. This means responding appropriately to a customer’s marketing preferences and ensuring all data is stored in accordance with GDPR. Making data privacy a priority is the only way businesses can truly turn customer data into profitable insights that drive growth and innovation.”

More on Data Privacy Day

Rebecca Krauthamer, co-founder and CPO, QuSecure: “Ahead of Data Privacy Day January 28, it is advisable that federal agencies, commercial organizations and other infrastructure providers begin to immediately assess potential vulnerabilities in their current encryption and cybersecurity practices and start planning for post-quantum encryption. Some believe that building a quantum computer powerful enough to break encryption is a decade or more away. Others believe it’s already too late. While quantum computers powerful enough to crack RSA are not yet available, hackers are seizing and storing sensitive data knowing they will be able to use quantum technology to access it soon. We know that well-funded hacking organizations and governments are constantly working on novel ways to accelerate quantum development including advance error correction, combinations of individual quantum processors, and advanced physical architectures to become the first to wield the power of quantum decryption. We are most likely closer to more quantum power and the subsequent associated threats to standard encryption than expected. Every day we don’t convert our security posture to a quantum-safe one, there’s no recovering from the damage that will be done.”

Scott Harkey, EVP, financial services and payments, Endava: “The global digital payments market continues to expand rapidly as we edge closer to a cashless society and we’re seeing payments become increasingly embedded in the products and services we consume. Technology is fuelling the digital revolution in e-commerce but it’s people – and their sensitive data – which lie at the heart of this innovation. Personal data is the golden asset which companies are increasingly looking to leverage, from apps powered by this data to embedded financial transactions using saved customer information. Identity is key to building meaningful experiences, but this relies heavily on trust. Customers are more aware of their data than ever and will think twice about sharing it if they feel it won’t be protected. Organizations need to put practices in place to secure consumer data from the very beginning of collection. Tokenization can play a huge role here. While originally used for Personally Identifiable Information (PII), any kind of data can be tokenized, and organizations need to think about how they start using these tools at data capture and how they communicate to customers that their data is secure. With innovation becoming increasingly dependent on personal data, that information must be protected at all costs. Investing in innovative tools that make built-in regulation features a priority will win the day and the public trust.”

Astrid Gobardhan, data protection officer, VFS Global: “Recent research suggests that over 2.5 quintillion bytes of storable information is developed every day – with an average digital user producing some 1.7MB of data each second. In many cases, this data is highly sensitive and provides a snapshot into our day-to-day lives. This makes it a prime commodity for organisations, which can use it for targeted advertising and the mapping of consumer behaviour, as well as nefarious sources, who may seek to appropriate it for their illegal ends. It is therefore essential that such data is protected, and guarded from potential misuse, in the course of its storage and use. At VFS Global, a company that handles millions of visa applications each year, we believe employing the highest possible standard of data protection is not just the right thing to do – it’s imperative to our business model. We are trusted with highly sensitive information, including fingerprints and other biometric data, which could cause significant harm to the individual if it fell into the wrong hands. So, ensuring we have the most robust practices, and continued confidence of our customers as ‘safe custodians’ of their data, is crucial. Data Privacy Day therefore serves as an annual reminder – for both businesses and consumers alike – to re-evaluate their relationship with data. For the former, it provides an opportunity to reflect on operational practices, and to revise processes, upwards, in line with new legislation. While, for the latter, it acts as a prompt to check the scale and level of personal information they are sharing with the world today. At a personal level, I would encourage readers to look, in particular, at the privacy policies of applications that they use on their laptops and phones, to ensure that they are robust and adopt zero-knowledge frameworks, so that companies cannot access or decrypt any data that is shared. They should also try to do periodic check-ins across the ‘permission manager’ of their device, so that they are not sharing more information than is required for the functionality of an application.”

Carl D’Halluin, CTO, Datadobi: “A staggering amount of unstructured data has been and continues to be created. In response, a variety of innovative new tools and techniques have been developed so that IT professionals can better get their arms around it. Savvy IT professionals know that effective and efficient management of unstructured data is critical in order to maximize revenue potential, control costs, and minimize risk across today's heterogeneous, hybrid-cloud environments. However, savvy IT professionals also know this can be easier said than done, without the right unstructured data management solution(s) in place. And, on Data Privacy Day we are reminded that data privacy is among the many business-critical objectives being faced by those trying to rein-in their unstructured data. The ideal unstructured data management platform is one that enables companies to assess, organize, and act on their data, regardless of the platform or cloud environment in which it is being stored. From the second it is installed, users should be able to garner insights into their unstructured data. From there, users should be able to quickly and easily organize the data in a way that makes sense and to enable them to achieve their highest priorities, whether it is controlling costs, CO2, or risk – or ensuring end-to-end data privacy.”

Don Boxley, CEO and co-founder, DH2i: “The perpetual concern around data privacy and protection has led to an abundance of new and increasingly stringent regulations around the world. According to the United Nations Conference on Trade and Development (UNCTAD), 71% of countries now have data protection and privacy legislation, with another 9% having draft legislation. This increased scrutiny makes perfect sense. Data is being created and flowing not just from our business endeavors, but countless personal interactions we make every day - whether we are hosting an online conference, making an online purchase, or using a third party for ride-hailing, food delivery, or package transport. Today, as organizations endeavor to protect data – their own as well as their customers’ - many still face the hurdle of trying to do so with outdated technology that was simply not designed for the way we work and live today. Most notably, many organizations are relying on virtual private networks (VPNs) for network access and security. Unfortunately, both external and internal bad actors are now exploiting VPNs’ inherent vulnerabilities. However, there is light at the end of the tunnel. Forward-looking IT organizations have discovered the answer to the VPN dilemma. It is an innovative and highly reliable approach to networking connectivity – the Software Defined Perimeter (SDP). This approach enables organizations to build a secure software-defined perimeter and use Zero Trust Network Access (ZTNA) tunnels to seamlessly connect all applications, servers, IoT devices, and users behind any symmetric network address translation (NAT) to any full cone NAT: without having to reconfigure networks or set up complicated and problematic VPNs. With SDP, organizations can ensure safe, fast and easy network and data access; while ensuring they adhere to internal governance and external regulations compliance mandates.”

Steve Santamaria, CEO, Folio Photonics: “It is no secret that data is at the center of everything you do. Whether you are a business, a nonprofit, an educational institution, a government agency, or the military, it is vital to your everyday operations. It is therefore critical that the appropriate person(s) in your organization have access to the data they need anytime, anywhere, and under any conditions. However, it is of equal importance that you keep it from falling into the wrong hands. Therefore, when managing current and archival data, a top concern must be data security and durability, not just today but for decades upon decades into the future. The ideal data storage solution must offer encryption and WORM (write-once, read-many) capabilities. It must require little power and minimal climate control. It should be impervious to EMPs, salt water, high temps, and altitudes. And, all archive solutions must have 100+ years of media life and be infinitely backward compatible, while still delivering a competitive TCO. But most importantly, the data storage must have the ability to be air-gapped as this is truly the only way to prevent unauthorized digital access.”

Surya Varanasi, CTO, Nexsan: “Digital technology has revolutionized virtually every aspect of our lives. Work, education, shopping, entertainment, and travel are just a handful of the areas that have been transformed. Consequently, today, our data is like gravity – it's everywhere. On Data Privacy Day, we are reminded of this fact, and the need to ensure our data’s safety and security. Fortunately, there are laws and regulations that help to take some of the burden off of our shoulders; such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Health Insurance Portability and Accountability Act (HIPAA). However, some of the responsibility remains on our shoulders as well as those of the data management professionals we rely upon. Today, it would be extremely challenging to find an organization (or an individual for that matter) that isn’t backing up their data. Unfortunately, however, today that just isn’t enough. Cyber criminals have become increasingly aggressive and sophisticated, along with their ransomware and other malware. And now, the threat isn’t just that they will hold your data until payment; cyber criminals are now threatening to make personal and confidential data public, if not paid. It is therefore critical that cyber hygiene must include protecting backed up data by making it immutable and by eliminating any way that data can be deleted or corrupted. This can be accomplished with an advanced Unbreakable Backup solution, which creates an immutable, object-locked format, and then takes it a step further by storing the admin keys in another location entirely for added protection. With an Unbreakable Backup solution that encompasses these capabilities, users can ease their worry about the protection and privacy of their data, and instead focus their expertise on activities that more directly impact the organization’s bottom-line objectives.”

Andrew Russell, chief revenue officer, Nyriad:

“Data Privacy Day serves as a great reminder of the value and power of data. In addition to your people, data is without question the most strategic asset of virtually any organization. Data and the ability to fully leverage, manage, store, share, and protect it, enables organizations to be successful across virtually every facet – from competitive advantage, to innovation, the employee experience, and customer satisfaction, to legal and regulations compliance competency. Consequently, savvy data management professionals recognize that while a storage solution that is able to deliver unprecedented performance, resiliency, and efficiency with a low total cost of ownership is priority number one to fully optimize data and intelligence for business success; they likewise need to ensure they have the ability to protect against, detect, and restore data and operations in the event of a successful cyber-attack in order to protect their data, for business survival.”

Brian Dunagan, vice president of engineering, Retrospect: “Every organization, regardless of size, faces the real possibility that they could be the next victim of a cyberattack. That is because today’s ransomware, which is easier than ever for even the novice cybercriminal to obtain via ransomware as a service (RaaS), strikes repeatedly and randomly without even knowing whose system it is attacking. Ransomware now simply searches for that one crack, that one vulnerability, that will allow it entry to your network. Once inside it can lock-down, delete, and/or abscond with your data and demand payment should you wish to keep your data private and/or have it returned. As an IT professional, it is therefore critical that beyond protection, steps be taken to detect ransomware as early as possible to stop the threat and ensure their ability to remediate and recover. A backup solution that includes anomaly detection to identify changes in an environment that warrant the attention of IT is a must. In order to ensure its benefit, users must be able to tailor the backup solution’s anomaly detection to their business’s specific systems and workflows; with capabilities such as customizable filtering and thresholds for each of their backup policies. And, those anomalies must be immediately reported to management, as well as aggregated for future ML/analyzing purposes.”
