At TM Forum Live! (May 15-18, Nice, France), Nicolas Steiner, Founding Member, FINTECH Circle Group, will give a presentation on ‘Digital platforms increasing innovation return in the fintech industry’. Here he looks at new privacy legislation which comes into force next year.
Effective breach response procedures and privacy impact assessments are two key components of the GDPR (General Data Protection Regulation) legislation.
“Protection of privacy from conception” is a widely misused and misleading term. What exactly does it cover and how do we ensure that suppliers comply with the principles?
For a long time, we have had a ‘patch culture’. It’s one that companies have known for many years and which forces them to spend more time maintaining their information systems than launching new projects. The practice has become so commonplace that CIOs wait several months or even years after the launch of a new solution to start operating it, until the supplier has made these initial adjustments. The cloud, however, is shaking this up.
The SaaS model (Software-as-a-Service) has indeed changed the situation. If publishers continue to evolve their solutions over time, these changes are made in a completely transparent way. Users no longer have to go through lengthy and laborious testing and deployment phases to take advantage of an updated system. The mechanics are fully supported by the supplier.
However, a fundamental problem remains: If the functional improvements are there to meet new user expectations, the security is tackling an issues that had not been identified until then. That means a vulnerability that pirates have potentially had time to exploit. And the issue becomes particularly critical when the solution deals with personal data.
The privacy fundamentals
To solve this problem and to guarantee the protection of user privacy, it’s essential to get to the root causes. It’s from that observation that the concept of ‘privacy by design’ was born. The idea is to integrate privacy measures from the design stage of a solution. The user must not have to take action to signify that they do not want their data to be collected, stored and exploited by the supplier, apart from that absolutely necessary for the requested service.
Services should implement 7 fundamental principles of safety based on Kim Cameron’s Seven Laws of Identity.
- Proactive not reactive; preventative not remedial
- Privacy as the default setting
- Privacy embedded into design
- Full functionality – positive-sum, not zero-sum
- End-to-end security – full lifecycle protection
- Visibility and transparency – keep it open
- Respect for user privacy – keep it user-centric
It remains to be seen whether suppliers will comply with these rules. To verify this, there is a key document which can be consulted: BCRs (Binding Corporate Rules), developed by the European Union.
The BCR is “a code of conduct defining the policy of a company in terms of transfers of personal data”. For an actor based in the United States providing a cloud-based content management platform, offering its users complete and transparent BCRs is an essential element of trust.
And this is all the more so as, according to customer requests, storage can be located in the United States, or strictly outside. The BCRs are structured around 12 rules that establish basic principles on compliance with local regulations, transparency on the use of personal data, and respect for individual freedoms, as well as operational commitments.
Rise of the Chief Privacy Officer
‘Privacy by design’ is not limited to technical questions of encryption or authentication, which are now largely mastered, but requires a specific type of organization and processes. This is why we see an increasing number of Chief Privacy Officers being appointed, along with a team of key legal and compliance experts. Their sole task is to ensure that the policies for the protection of personal data are properly applied. They ensure a constant monitoring of data usage, implement any evolutions relating to changes in regulations, and answer questions from customers, employees or partners on these subjects. The team is also responsible for raising the awareness of privacy issues among all employees. Each employee follows a training program on international legislation, internet policy, and audit and cooperation procedures with supervisory institutions. In this way, it is no longer simply the solution, but the whole organization, that becomes ‘privacy by design’.
‘Privacy by design’ will be fully integrated in the digital platforms used to increase innovation return by outsourcing innovation and test digital value chains. This will facilitate the aggregation of the drivers forming a connected innovation ecosystem and will be used to test new collaborative patterns brought by digital distribution models. I’ll be discussing this further during my presentation at TM Forum Live!
TM Forum Live! takes place May 15-18 in Nice, France. Find out more at www.tmforumlive.org