Rob Daly | September 20, 2017

Clock Ticks on EU Privacy Regulation

For financial technologists who are looking for a distraction from MiFID II’s January 3, 2018, deadline, firms doing business with EU-based counterparties have less than 250 days to meet the EU’s General Data Privacy Regulation, which goes into effect on May 25, 2018.

The GDPR, which is the largest data privacy overhaul in Europe in the past 20 years, will cast a long regulatory shadow beyond the EU’s borders.

Under Article III of GDPR, if a firm has an establishment in one or more of the EU’s member states or makes use of equipment within one or more of the member nations, it will need to comply.

Unlike previous data privacy regulation, GDPR keeps its criterion of the establishments so that the regulation is applicable to the processing of personal data in the context of the activities of an establishment of the data’s controller, or third-party processor, regardless of whether the processing is taking place in the EU or not, Gwendal Le Grand, director of technology and innovation at Commission Nationale de l’Informatique et des Libertés, explained during a webinar on data privacy.

“Basically if you are making business in the EU, you are going to need to comply,” he added.

However, if a company outside of the EU has EU clients, it does not mean that they will be captured by the pending privacy regulation automatically, according to Jules Polonetsky, CEO of Future of Privacy Forum and fellow presenter.

“If you are anywhere in the world and dealing with a person in the EU, you have to do something; the question is: ‘How much,’” he said. “If you are monitoring someone’s behavior, you are swept in. And if you are doing anything to market to EU citizens even though you’ve never stepped foot into the EU or have employees or other connections, you are indeed going to be captured by the regulation.”

The GDPR defines personal data as any data that can be used to directly or indirectly identify a natural person: name, photo, email address, bank details, medical records, social media identifier, static IP or MAC address.

The regulation also does away with the broad-based privacy consent that businesses typically have used and offers no grandfathering for existing personal data, according to Gary LaFever, co-founder and CEO of data privacy vendor Anonos.

Firms with data lakes or warehouses will need to address the existing data, he noted.

“Either the firm can have the user re-consent to a new privacy policy, or they may need to anonymize or pseudo-anonymize the data,” said LaFever. “Something has to be done to those data sets because those data sets do not reflect lawful permitted collected data,” he added.

The EU has given regulators a hefty cudgel to ensure businesses comply with the regulation. Depending on the nature of the infraction, regulators could fine the offending firm the greater of 20 million euros or 4% of its global revenue.

This article originally appeared in Markets Media.