Reducing the Burden of GDPR Compliance Cost

Jose Caldera
5 min read · Mar 17, 2018


When we began designing our now patented Digital Identity technology, Electronic DNA (eDNA™), one of the first discussions we had was how to build a technology that creates a digital identity while preserving individuals’ privacy. Our principles were very clear and have not changed: our technology doesn’t store or disclose information that could compromise an individual’s identity. That initial decision has allowed us to work with financial institutions and FinTech organizations across the world. It has also allowed us to operate in countries whose regulatory frameworks treat privacy as an individual’s right.

The upcoming General Data Protection Regulation (GDPR), which comes into effect on May 25th 2018, regulates the processing of personal data of individuals in the European Union (EU). Organizations that handle such data must be compliant by the deadline or face significant fines. GDPR applies to any company in the world that offers goods or services to, or monitors the behaviour of, individuals in the EU, regardless of where the company itself is established (regulations always have language ambiguous enough to open interpretation and confusion, and what counts as “offering” or “monitoring” is no exception). Moreover, we expect GDPR to lead other countries and regions to adopt data privacy regulation.

Our focus on the creation and maintenance of digital identities is to serve organizations in evaluating their risk. Our focus isn’t delivering identity portability and ownership to consumers; many other solutions are aiming to solve that problem.

In the world of GDPR, we are considered a Data Processor, whereas our clients are considered Data Controllers (you can read more about IdentityMind and GDPR here). Our platform basically “processes” an individual’s data for the purposes of risk evaluation under the instruction of the “controllers” (our clients). We each have responsibilities in safeguarding the privacy of the data, and controllers need to ensure that they have a lawful basis for every purpose for which they acquired the data, typically the individual’s explicit consent or a legal obligation such as KYC.

One of the most important aspects of the data processor obligations is the one stating that the processed data can’t be used for purposes other than the controller’s documented processing intent. Once again this is in accordance with IdentityMind’s basic principles when dealing with an individual’s data. We can only use the data for the purposes of risk evaluation and the automation of compliance operations. Many companies that offer “risk mitigation” services store and use the data for marketing purposes or to provide analytics that would in turn allow those clients (or other clients) to advance their business. This would be in clear violation of what we stand for.

These are examples of requests we have gotten over the years: “Can we get insights into the demographics of the user base to understand how to better sell our services?” or “Can we highlight what type of users spend more?”, etc. Our data is architected in such a way that it is impossible to provide this type of insight, and this is by design. We knew early on that if we catered to these use cases we would be on a slippery slope that would lead us down a different path. In the past we have respectfully declined to offer these services to our clients, and we have lost some based on this principle.

Most of the literature, beyond instilling fear of the regulation, highlights the right of the individual to have a controller erase their data upon request. Such a request flows down to the processors as well. However, as always, one regulation’s requirements may conflict with another’s. For example, anti money laundering (AML) regulations impose specific record-keeping requirements, especially for data related to a suspicious activity or actor. In these cases, controllers have the option and right to deny the request on the basis that retaining the data is required to comply with another legal obligation.

This conflict between regulations will be the subject of many discussions, because AML regulated entities may always argue that an individual’s information must be kept for AML compliance. Uncovering money laundering is often a “backend” process that requires certain data to remain available for a long period of time. Enhanced Due Diligence (EDD) records on individuals who are considered suspicious may be very relevant to uncovering a money laundering scheme that surfaces only after years of operation, and not having the individual’s data as it was collected at the time the activities happened may hinder financial crime analysts’ work. All this is to say that these conflicts between regulations aren’t always easy to solve.

Furthermore, some of these conflicts will have an added complexity because the regulatory jurisdictions may differ. A financial company headquartered in the US with AML regulatory responsibilities will also face, in May 2018, the Customer Due Diligence (CDD) rule from FinCEN. This stipulates CDD and EDD for beneficial ownership (those individuals who own 25% or more of a legal entity customer). In order to remain compliant, organizations need to keep these records for a long period of time, and this could come into conflict with erasure requests when the beneficial owners are EU citizens or residents protected by GDPR.

The cost of compliance can be a significant burden to small or medium sized organizations. FinTech organizations that serve a worldwide consumer base will face yet another burden with GDPR. For this reason, and given our strong stance on privacy and deep understanding of the regulatory frameworks, we are introducing a set of features that should reduce the burden on data controllers on their path to GDPR compliance. Let it be noted that we are NOT offering “GDPR Compliance” but instead a set of features that should significantly reduce the burden of GDPR compliance operations insofar as it applies to data management, storage and reporting.

Starting on May 1st the following features are available to all our KYC Plugin clients:

1. Consent Flow. Disclaimer text and checkbox at the start of the application and also before submitting KYC application.

2. Consent Management. In the admin portal for each applicant show date/time/browser info on when consent was collected.

3. Right to Erasure. Add ability for client to submit a ticket through admin portal to request Data Deletion of user.

4. Disclaimer Language. Language that specifies purpose of data collection and operations with it.

5. Data Minimization. Plugin collects relevant information per country and per level of KYC due diligence needed by the client.

6. Audit Logs. The system will maintain an audit log, available upon request, that records the actions above and any deletion of data, and that flags to the client when there is a potential conflict between regulations.

7. Regulatory Conflict Warning. When the system is used in conjunction with transaction monitoring for AML and regulatory reporting, it will prevent deletion of identity data that may be related to alerts or reports for which other regulations require data preservation.
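To make the interaction between items 2, 3, 6 and 7 concrete, here is a small Python sketch of an erasure-request handler that honours a right-to-erasure request unless the record sits under a retention hold from another regulation, and writes an audit entry either way. This is example code added for this page, not IdentityMind’s platform or the KYC Plugin; the class and function names, the hold reason, the five-year retention window and the sample applicants are all assumptions constructed for illustration.

```python
"""Example only: an erasure handler with consent records, retention holds
and an audit trail. Not IdentityMind code; every name below is assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    collected_at: datetime
    user_agent: str          # date/time/browser info, as in "Consent Management"


@dataclass
class RetentionHold:
    subject_id: str
    regulation: str          # the conflicting regulation, e.g. AML record keeping
    reference: str           # constructed alert/report identifier
    expires_at: datetime


@dataclass
class IdentityStore:
    profiles: dict = field(default_factory=dict)
    consents: list = field(default_factory=list)
    holds: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    @staticmethod
    def _pseudonym(subject_id: str) -> str:
        # Audit entries must outlive the erasure, so they carry a one-way
        # pseudonym of the subject rather than the raw identifier.
        return hashlib.sha256(subject_id.encode()).hexdigest()[:16]

    def _audit(self, action: str, subject_id: str, now: datetime, **details):
        self.audit_log.append({"at": now.isoformat(), "action": action,
                               "subject": self._pseudonym(subject_id), **details})

    def record_consent(self, subject_id, purpose, user_agent, now):
        self.consents.append(ConsentRecord(subject_id, purpose, now, user_agent))
        self._audit("consent_recorded", subject_id, now, purpose=purpose)

    def has_consent(self, subject_id, purpose) -> bool:
        return any(c.subject_id == subject_id and c.purpose == purpose
                   for c in self.consents)

    def active_holds(self, subject_id, now):
        return [h for h in self.holds
                if h.subject_id == subject_id and h.expires_at > now]

    def request_erasure(self, subject_id, now) -> dict:
        """Erase the subject's profile and consents unless a hold is active.
        A denied request is audited with the conflicting regulation so the
        controller can answer the data subject with a concrete reason."""
        holds = self.active_holds(subject_id, now)
        if holds:
            self._audit("erasure_denied", subject_id, now,
                        conflicts=[f"{h.regulation}:{h.reference}" for h in holds],
                        retain_until=max(h.expires_at for h in holds).isoformat())
            return {"status": "denied", "conflicts": [h.regulation for h in holds]}
        removed = self.profiles.pop(subject_id, None) is not None
        self.consents = [c for c in self.consents if c.subject_id != subject_id]
        self._audit("erasure_completed", subject_id, now, profile_removed=removed)
        return {"status": "erased", "profile_removed": removed}


def demo():
    """Two constructed applicants; the second is tied to a constructed SAR."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store = IdentityStore()
    for sid in ("applicant-1", "applicant-2"):
        store.profiles[sid] = {"name": "constructed sample", "country": "DE"}
        store.record_consent(sid, "kyc_risk_evaluation",
                             "Mozilla/5.0 (constructed)", now)
    # Assumed five-year AML record-keeping hold linked to a report.
    store.holds.append(RetentionHold("applicant-2", "AML record keeping",
                                     "SAR-0001", now + timedelta(days=5 * 365)))
    later = now + timedelta(days=30)
    r1 = store.request_erasure("applicant-1", later)   # no hold: erased
    r2 = store.request_erasure("applicant-2", later)   # under hold: denied
    return store, r1, r2


if __name__ == "__main__":
    store, r1, r2 = demo()
    print(r1, r2, sep="\n")
    for entry in store.audit_log:
        print(entry)
```

The point of the pseudonymised audit log is that the record of *having* erased someone must not itself keep the personal data alive; the denied path, by contrast, keeps the profile and names the conflicting regulation and reference so the controller can justify the refusal to the data subject and to a supervisory authority.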

Compliance operations can be effective and efficient when the right technology is part of the strategy. We have helped many of our clients scale cost effectively. We recently published a case study with one of our FinTech clients that showcases how cost effective it can be, and we have many examples like it.


Jose Caldera

Entrepreneur. Product owner. Marketing nerd. All things security: KYC, AML, Payments, Crypto, Network, Computers.