The Top 5 Things We Learned at FIMA

by | Nov 26, 2019 | Data privacy, Privacy blog | 0 comments

Last week, the CryptoNumerics team attended FIMA Europe, Europe’s leading financial data management conference. The event was overflowing with banking executives, data managers, and analysts, and was an outstanding opportunity to network with attendees and learn about the privacy governance challenges experienced by the finance industry. Here’s what we learned:

 

1. Privacy silos exist across organizations of all sizes.

Who owns privacy governance? At FIMA, this was the question everyone was asking. Sadly, we don’t have a definite answer. Truthfully, it depends on how your organization operates. However, what is essential is that there are a number of privacy stakeholders, including legal, risk, compliance, IT security, data science, and business teams.

These stakeholders often operate in isolation, pursuing their own objectives with individualized processes and tools. As a consequence, a fragmentation of values leads to dysfunction between privacy protection and analytics priorities. 

Without an organizational system to manage privacy, and the commitment from the board and executive team, values of privacy compliance and business insights will always be perceived as polarizing. 

Businesses should implement an enterprise-wide privacy control system that generates quantifiable assessments of the re-identification risk and information loss. This enables businesses to set predetermined risk thresholds and optimize their compliance strategies for minimal information loss. By allowing companies to measure the balance of risk and loss, privacy stakeholder silos can be broken, and a balance can be found that ensures data lakes are privacy-compliant and valuable.

 

2. GDPR consent management is a challenge.

Up until May 2018, businesses were able to repurpose consumer data for analytics and data science purposes at will. Through GDPR, regulators sought to ensure that people’s data was only being used for purposes that they were aware of and had consented to. As a result, GDPR outlined six legal bases on which businesses can process consumer data: consent, legitimate interest, contract, legal obligation, vital interests, and public tasks.

Businesses are consistently using data for purposes beyond those that were specified at the point of collection. As a result, they are often required to get in contact with consumers and request consent for every single additional use case. This process not only risks an increase in data deletion requests, but it is incredibly expensive and time-consuming to manage.

Luckily, businesses have another alternative. Only personal information is governed by GDPR, so if data has been anonymized, the regulation no longer applies to it. As a result, if businesses anonymize their data, they can process data at will, without needing to manage consent.

 

3. Businesses believe removing the direct identifiers from a dataset renders it anonymous.

Redacting the names and social security numbers does not anonymize the data. Not even close. However, in our conversations at FIMA, we learned most organizations believe that it does. They also didn’t realize that other types of information, such as quasi-identifiers (gender, ZIP code, and age), can re-identify individuals or expose sensitive information when combined. (Research at Carnegie Melon in 2000 using the US Census demonstrated that removing the direct identifiers, and leaving the quasi-identifiers, left the dataset 89% re-identifiable.)

This misunderstanding of anonymization could cost a business millions. Under, GDPR data that has been anonymized is no longer considered personal, and thus is not restricted from use. The trouble is, most businesses are operating as if their data is anonymous, thus mistakingly violating the terms of GDPR. 

Businesses can avoid the de-identification illusion by implementing an advanced privacy-protection solution that assesses your datasets and privacy protects your data to an acceptable risk threshold while maximizing data value retention. Solutions like CN-Protect will also provide a privacy risk score so that businesses can have peace of mind that the risk of re-identification is minimal.

 

4. Businesses are using synthesized data as a solution to GDPR management.

Some businesses are leaning on synthetic data as a way to avoid costly GDPR overhead. However, while this technique has advanced significantly in recent years, it does not preserve the analytical value in the same way as differential privacy or k-anonymity.

Creating high-quality synthetic data is challenging, because if the data does not perfectly mirror the real world consumer information, the decision-making process will be compromised. Moreover, since the model attempts to replicate trends, important outlier behaviour can be missed. As a result, rather than generate synthetic data, businesses should anonymize actual data and have certainty that they are analyzing reality.

 

5. European businesses are not preparing for the CCPA.

At FIMA, we noticed that businesses were not prepared for or concerned about the CCPA. While we expected GDPR to be a greater focus, given the location of the event, we were alarmed by the limited awareness of the upcoming law.

In just over a month, the CCPA will come into effect. Despite being a state-level law, the impact will be global, as it regulates over not just California-based businesses, but businesses that hold information on Californians.

While GDPR is more proactive and largely stricter, being GDPR-compliant does not ensure CCPA-compliance. For example, two key differences are that:

      1. The CCPA affords consumers the right not to be discriminated against because of an exercise of their rights. This means you cannot limit your service offerings to a consumer who chooses not to share or allow you to use personal information.

         

      2. Consumers can pursue statutory penalties without proving injury. With the minimum damages per individual being so high (USD 100), attorneys are encouraged to bring class-action lawsuits, even in smaller incidents. Comparatively, GDPR does not provide figures for potential damages.

More importantly, the CCPA is part of a growing global trend looking to put more power back in the hands of people. Businesses must continue to look at the global regulatory changes, especially those that operate outside of Europe.

Attending FIMA was an excellent learning opportunity for our team, and we thoroughly enjoyed speaking with the other attendees. Some of our takeaways were scary, but breaking down top misconceptions is an essential part of building a more privacy-conscious future. Financial data management is a challenging ordeal, but we believe that by prioritizing the privacy of consumers, businesses can generate trust and insights simultaneously.

Join our newletter