The EU’s General Data Privacy Regulation, which goes into effect in May 2018, may prove to be a greater boon than a bane for financial services firms globally.
The regulation applies to organizations located in the EU as well as organizations located outside of the EU that offer goods and services to, or monitor the behavior of, EU citizens.
Designed to harmonize data privacy laws across Europe, it aims to protect information related to “a natural person or ‘data subject’ that can be used to directly or indirectly identify the person.” Non-compliance with the GDPR comes with hefty penalties, which could be the greater of 20 million euros or 4% of the offending organization’s global revenues, depending on the nature of the infraction.
“That’s only the administrative fine,” said Gary LaFever, co-founder and CEO of Anonos. “In addition, the GDPR authorizes class action lawsuits for the first time. And as opposed to the US where you can’t recover for damaged reputation, pain and suffering, or discrimination based on data misuse, those are fully authorized by the regulation.”
GDPR also requires organizations to get specific and unambiguous consent from clients before organizations can apply analytics to the data covered by the regulation.
Given the iterative nature of artificial intelligence and machine learning processes, this could hit firms hard, noted LaFever. “You can get consent to the first or second question but not the third, fourth, fifth or tenth question, which is what big data is about.”
However, if an organization meets specific technical requirements and demonstrates a legitimate interest in analyzing the data, it can continue to do so, he said. “If you don’t, you’re liable.”
To address GDPR’s privacy requirements, as well as other privacy regulations, Anonos developed its privacy rights management platform BigPrivacy that can selectively dial up or down the identifiability of data while maintaining the information’s value at the data level.
“It turns digital rights management on its head,” said Ted Myerson, fellow co-founder of Anonos, during a TED Talk on big data privacy. “For the first time, you have the ability for trusted enterprise parties on your behalf to control how they manage, access, and use your data.”
By creating information-rich but identity-light data sets, the platform opens new opportunities to share data that would previously have been too risky for organizations, added LaFever.
“One of the first things that we saw as we started developing this technology were ways of enabling new uses of data that give you more transparency at a detailed level on a timely basis,” he said. “Those three things are gold to quants.”
LaFever cited an example of a bank’s private wealth management business not wanting to share client data with the bank’s real estate business for fear that the real estate business would use the data for client prospecting.
However, the real estate business could use a copy of the non-identifying data to hone its offerings without targeting the private wealth management clients, he added.
Anonos is targeting data-driven industries, such as pharmaceuticals, human resources, and consulting initially.
“In some respects, healthcare has its own analog to GDPR with the Healthcare Information Portability and Accountability Act,” noted LaFever.
This article originally appeared in Markets Media. All trademarks are the property of their respective owners. All rights reserved by the respective owners.
Pre-GDPR Pseudonymization versus GDPR Compliant Pseudonymization
How GDPR compliant pseudonymization requirements have evolved from prior standards: