Data is the cornerstone of financial and regulatory compliance. Whether you are a loan provider, an ecommerce company or an SME, you gather consumer data all the time. Collection begins with KYC and PII (Personally Identifiable Information) and extends to consumer behaviour and transactions across the entire consumer journey. This places two critical responsibilities on every business: protecting the privacy of consumers and their transactions, and protecting their PII. The growing participation of third parties in business processes has also made data protection a major challenge. The result has been phenomenal growth in regulatory technology solutions aimed at data protection compliance. The new European Union (EU) General Data Protection Regulation (GDPR) bill came into effect on 25 May 2018, and it is now incumbent upon all companies to review their data governance policies.
The GDPR bill
In the absence of significant data protection policies across the world, the EU has taken on the challenging task of addressing data protection and privacy for the first time. The GDPR has been enacted to put controls on the gathering, storage and use of an individual’s personal data. The regulation applies to EU countries and to organisations working or registered in an EU country. However, organisations in non-EU countries dealing with the data of EU citizens also come under its ambit. The GDPR deals with an individual’s rights, making consent to giving data more specific, while placing obligations on data controllers and data processors to protect personal data. Article 5 of the GDPR emphasises compliance with the data processing norms laid down in Article 24, while Article 25 stipulates “data protection by design and by default”. This means that the resident IT systems of companies dealing with data have to incorporate high levels of security measures and regulate access. A stipulation of ‘adequacy requirements’ restricts the transfer of personal data to any third country or international organisation that does not “ensure an adequate level of protection.”
Under GDPR, “processing” covers any operation performed on personal data: collecting, recording, structuring, storing, using, disclosing by transmission, erasing or destroying. Article 3 makes it clear that the territorial scope extends to data processing in any country outside the EU if it deals with the data of EU citizens. Most data processors are increasingly handling personal data of EU citizens. Access to such information is part of routine data processing operations, which brings such companies within the purview of GDPR. The GDPR has common ground with the Australian Privacy Act 1988: a privacy-by-design approach to regulatory compliance and the adoption of robust practices for transparency are the common denominators. Regulatory compliance is therefore already in place in the Australian data processing landscape, regardless of whether those organisations have an EU presence.
Impact on Regtech companies
While the GDPR is expected to regulate data protection laws across EU countries, it will also permanently change the regulatory mechanism. Businesses all over the world, both fintech and regtech, will need to ensure technology compliance for data protection and consumer trust. Many companies are rolling out products and solutions focused on the critical risk factors related to data protection: controlling user access and managing sensitive data. While individual solutions and SaaS services may not be standalone data protection answers, together they constitute a sustained effort towards data compliance.
In this scenario, Privileged Access Management (PAM) is gaining traction as a way to ensure that access to data is granted on the basis of roles and robust authentication, combined with real-time monitoring to reduce exposure of PII. Deploying regtech has already become an inevitable route for businesses seeking data compliance. With GDPR implementation, we can expect data protection measures across regulatory technology to be strengthened further. Investment in data solutions will also close the gap between SMEs and larger businesses as they update their IT systems.
The effects of GDPR will be global, boosting compliance and consumer confidence in data processors and compliance solutions. Businesses in non-EU regions, too, will adopt the GDPR standards in spirit. Improvements incorporated to meet data compliance requirements will ultimately deliver efficiencies in data protection across the organisation.