GDPR: Sphonic’s Perspective

January 20, 2019
Read Time: 3 minutes

#RegTech #Regulations #Data

While you will not get official opinion from Sphonic on the stance we take when it comes to Brexit, we would like to focus in on the new data protection laws introduced throughout the EU last year. The GDPR was introduced in 2017 and put into effect in 2018 in order to protect consumer privacy in the world of big data. Since its inception, GDPR has set the example for what institutions across the world should be trying to achieve when it comes to protecting their customers.

In short, and in case you have had enough of hearing about GDPR, the new regulations can be boiled down to the following key points:

  • Consumers have the ‘right to be forgotten’ – i.e. Any consumer can request that an institution deletes all records of data associated to him / her, and that institution must comply. A customer can also ask to see what data an institution is holding about them.
  • Data must only be processed for legitimate reasons and these reasons must be made clear to the customer.
  • Institutions must only collect data that is necessary and must not keep personal data on the processing of that data is complete.
  • In the event of a data breach, institutions must inform the regulator and data subject within 72 hours of identifying the breach.
  • Privacy and protection of data should be ensured by default in all organisational and technical mechanisms.
  • All institutions must have a Data Protection Officer responsible for GDPR compliance.

Failure to comply with GDPR will see companies face fines of up to 4% of their annual turnover or €20million – whichever is higher.

This is big news for almost every company doing business in the EU and it is good news for consumers all over the world, as companies take on the responsibility of keeping their data protected.

A number of new data protection companies are benefitting from the rise to comply with GDPR. Large institutions are spending millions in order to install company wide data protection mechanisms on endpoints, servers and networks. Some companies have decided to step back from holding any consumer data at all, preferring to change their business model in order to avoid risking a compliance breach.

At Sphonic we deal with data every day. Our platforms are built to allow financial institutions to provide protection to their consumers from fraud. We aggregate data from various data service providers – from KYC to device and address verification vendors – in order to build a digital picture of what is happening for a specific consumer account opening or transaction. Some of the data that is needed to do these checks are personal, for example, name, address and date of birth – which is required to perform a KYC check. We have worked with every single one of the vendors we partner with in order to ensure personal data is not collected when it is not necessary to provide the protection needed for that consumer. Each of our vendors have their own GDPR policies which can be read on their websites or requested directly.

Our approach is simple. As we are an aggregator, we do not need to store any data for more than 10 days. We need the data for 10 days in order to be able to perform any emergency maintenance or checks, should a client require that. However, any data that is stored in the at time is fully encrypted and permanently deleted after the 10 days. We also ensure that our Case Management System is able to give a powerful overview of the day-to-day checks passing and failing in a client fraud and risk workflow, without needing to display any personal information to a client. If any cases need to be reviewed in more detail, a person with the right authorised clearance to view the records must enter a password in order to decrypt the personal information. This viewing session is then logged by the system so that it is clear who view what and when.

We have worked hard in order to get the balance between consumer protection against fraud and consumer privacy right and we think that the EU has shown the rest of the world how consumer privacy should be approached. The responsibility is with the company, not the individual, and we believe the same can be said for fraud prevention. We are working with a number of clients on new and inventive ways to identify fraud all over the world. If you are interested in finding out more, please get in touch via our website Contact page.