Business

THE POTENTIALLY CATASTROPHIC EFFECT OF GDPR ON CLOUD MIGRATION – IF YOU HAVEN’T STARTED YET.

Dr Gavin Scruby, CIO, SmartDebit

Certain industries have significant restrictions on the way they process data. Some of the most common are defence, health, credit card and government. When these organisations process data, they have to comply with industry-specific regulations, which benefits us all. What some companies have not yet realised is that everyone now operates under a similar kind of regulation. This is of course the General Data Protection Regulation, most commonly referred to as GDPR, which now governs data protection across the EU. The UK government intends to write GDPR into UK law and stay largely parallel with the EU, so the caveats here will probably apply even in the case of a no-deal Brexit. While many people know that the GDPR affects how they should protect data, the breadth of its impact on the data controller-processor relationship is often missed, and this can have catastrophic effects on business flexibility, and particularly on cloud migration.

Before getting into the consequences of this and how they could be managed, it’s worth looking at what controllers and processors are, to see how they affect nearly everyone who offers a service over the internet. If you have a website and you integrate a card payment service, you are a data controller – you decide what data you collect from your customers (card details and postcode), why it is processed (to make a card payment) and who processes it (the card payment processing company). While you are the controller, the card company is your processor – it processes data from your customers to enable card payments to happen. This kind of relationship is more common than many people may think. In any situation where a company provides a personal-data processing service to another company, that service company becomes a processor. It could be an online CRM service, a bookings service, an online document storage service, even a paper document library (as GDPR applies to printed information too) – almost anything where the service provided stores or processes personal data for another organisation creates a controller-processor relationship.

The difficulty now is that GDPR puts a lot more restrictions on what a processor can do without the controller’s consent, largely because the controller now has many more obligations to check and control how data that it collects is used. This is only fair; if you are liable for data you’ve collected, you should have some say in what is done with it when you subcontract it to someone else.

A key restriction, and the one we consider here, is within the GDPR’s Article 28 Paragraph 2: “The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.”

The plain-language interpretation of this is that as a processor, you can’t change your data subcontractors without prior written authorisation from your controllers (i.e. customers) – and that means all of them. This is difficult enough if you want to change standard suppliers, but the often neglected consequence is that it can also affect where you locate core data and whether you migrate to the cloud. Even if you rent rack space in a data centre (co-location hosting) and the data centre never “sees” unencrypted data, this is still classed as a sub-processor by the law. Consequently, any move to another data centre, or a migration to cloud, is considered a change in sub-processor, which therefore requires permission from all customers.

In practice, this could be extremely limiting. You would not want to attempt to arrange written authorisation from every customer when you want or need to move to the cloud. If nothing else, it could push back migration timescales by years. The most you would want to do is inform customers, with perhaps an early termination clause if they had a significant issue. This is not how contracts are being drafted, and not how the ICO recommends they are drafted. Standard clauses will be created by the EU or ICO in time, but these are not yet available. The ICO recommends contract terms of the form: before employing a sub-processor, the original processor must inform the controller and obtain its prior specific or general written authorisation. It is possible to draft contracts to contain general written authorisation or include clauses to allow early termination or assumed acceptance on non-response, but you’ll need professional legal advice to make these enforceable and legal such that they do not violate the GDPR.

The introduction of the GDPR means you now need to do two things: firstly, make sure your own contracts are drafted to give you maximum flexibility while remaining compliant with the law; and secondly, read sub-processor clause amendments made by customers very carefully. Here you need to discuss your specific circumstances with your legal advisors or industry body. If you just migrate to cloud without customer consent, you could fall foul of GDPR sub-processor limitations, and many more organisations and individuals are becoming knowledgeable about their rights.

Don’t panic though. The GDPR has thrown up many situations like this and it is still very new, in case law terms. The GDPR is not intended to work in such a way as to stop dead industry-wide cloud adoption. Everyone is finding their way on these rules right now and the ICO seems to be taking a “carrot” rather than “stick” approach for those companies who are genuinely trying to improve data protection but still operate their businesses competitively. In time, consensus guidance will be developed, but until that time, we all have to be more careful about what we sign and even more careful about the contracts we write.

Business

HELPING SMES ACCESS FINANCE IN EXTRAORDINARY TIMES

Tim Vine, Head of Credit Intelligence at Dun & Bradstreet

The closed doors of businesses have become a sadly familiar sight on the high street. With social distancing in force, many of the small and medium-sized enterprises at the heart of the economy have been closed since lockdown was enforced. Unfortunately, it looks like we’re a long way from returning to business as usual.

Access to finance is critical for many small and medium enterprises (SMEs) right now. The government has recognised this with loan schemes that seek to inject much needed cashflow into smaller businesses, and financial services providers are equally looking to offer support.

However, in recent years SMEs have had a tricky relationship with borrowing, lacking confidence in the types of finance and options available. In 2018, nearly half (47%) of the UK’s small business owners viewed themselves as permanent non-borrowers. Equally, lenders have sometimes struggled to access the information needed to make robust loan decisions.

Understanding the full range of lending options available will be critical for smaller businesses to make informed borrowing decisions in the coming weeks. Credit reference agencies (CRAs) can play a key role in supporting SMEs, as they secure the finance they need to weather the current storm.

The double-edged sword

The borrowing decisions taken now will impact the financial health of SMEs for many months to come. However, even before the coronavirus outbreak, there were signs that these businesses didn’t always have the awareness or the information needed to make confident borrowing decisions.

A survey commissioned by Dun & Bradstreet in late 2019 found that 46% of SME respondents seek business loans from the bank, with 25% turning to private investors and 23% to family members or friends. According to research from the British Business Bank in 2019, small business owners had misgivings about the cost (29%), strict conditions (26%) and difficulty (25%) of securing finance – that put them off applying for loans. This left many SMEs facing a double-edged sword when it came to finance: put off by the terms offered by their bank, but not willing to look elsewhere.

Perhaps as a result, finance has been used as a way to keep the doors open, rather than developing the business. Where SMEs were borrowing, it was most often for working capital to continue trading (56%) – rather than to invest or expand. In Dun & Bradstreet’s survey, over half (52%) of respondents believe there is a lack of financial support available to help small businesses grow and succeed. Today, the challenge to survive is tougher than ever in the wake of COVID-19, so it’s vital that SMEs can look beyond one provider to find finance on the best terms possible.

Lack of information

Importantly, in 2019 small and medium-sized enterprises were most likely to rely on their own knowledge – rather than external sources – when considering access to finance. When asked about their most common source of guidance, small business owners pointed to themselves – both for choosing the type of finance (35%) and the specific provider (30%). Right now, this could result in SMEs limiting their borrowing options and missing out on the best choice for the business.

On the other side of the fence, banks have historically struggled to approve loans to SMEs due to a lack of information about the risk they represent. Unlike larger businesses, many SMEs are not required to register at Companies House or to publish full annual accounts.

However, since the Small Business, Enterprise and Employment Act of 2015, credit reference agencies (CRAs) have had access to information on how banks lend to small and medium-sized businesses. This means that CRAs can act as an independent intermediary between SMEs and lenders, offering information to support robust lending decisions during this critical time.

Linking SMEs to lenders

Credit reference agencies can act as an important link between SMEs and lenders. CRAs can provide banks with the depth of data needed to make qualified decisions about offering loans to SMEs, as well as providing greater clarity on how to handle marginal decisions. In other words, CRAs help lenders to say yes as much as possible, to the right business at the right time.

On the business side, credit reference agencies can link SMEs to a wider range of sources for finance, suggesting alternative options and providing clarity over declined applications, to help as many SMEs access finance as possible. Solutions offered by CRAs can help smaller and medium-sized businesses to get a holistic view of their options to make informed decisions – and secure finance on the best terms for them.

Importantly, many CRAs are also taking steps to avoid unfairly discriminating against SMEs because of special measures taken during the pandemic. For example, rating systems will distinguish approved payment freezes that SMEs have negotiated with suppliers from payment defaults, so that the former do not affect credit ratings. This will support smaller businesses’ recovery in the long term.

In everyone’s interests

With strict social distancing rules in place, many of the UK’s SMEs may have to face this period of hibernation for a while longer. Access to finance will be vital for meeting financial commitments, protecting jobs and ultimately staying in business until more normal times return.

Right now, it’s vital that SMEs are able to make informed decisions about the finance that they access, including the lender that they choose and the form that it takes. Equally, lenders should be able to make qualified lending decisions, providing crucial cashflow to SMEs that can afford it. By opening up data on both sides, credit reference agencies can act as a critical intermediary and help to keep SMEs in business.

Business

DO MESSAGING APPS PUT THE FINANCIAL SERVICES INDUSTRY AT RISK?

Ashley Friedlein, founder and CEO, Guild

Accelerated by the coronavirus pandemic, the use of messaging apps for professional communications has skyrocketed in recent months. Messaging apps have provided a lifeline to organisations, enabling them to support a remote workforce. However, consumer messaging apps have also seen an increase in adoption, and many will be using them for business, as well as personal use.

When using messaging apps in highly-regulated environments, organisations need to be aware of compliance issues in a financial regulatory capacity, while also adhering to laws relating to security, transparency, and data privacy, such as the General Data Protection Regulation (GDPR).

Not doing so puts banks and other regulated entities within financial services at risk of non-compliance, which can result in serious penalties.

In 2017, the UK’s Financial Conduct Authority (FCA) highlighted the risks of using WhatsApp. Guidance from the Securities and Exchange Commission (SEC) followed in December 2018 outlining its responsibility for monitoring electronic messaging, which included messaging apps.

Although regulators have been clear about the risks associated with using instant messaging apps, some financial firms seemingly failed to develop and implement robust guidelines around the use of these services for professional purposes.

Earlier this year, a senior credit trader at JP Morgan was suspended for communicating with colleagues via WhatsApp, with Jefferies, KPMG, and VTB Capital also finding themselves subject to investigations after employees were found to be using messaging apps as unofficial channels for communication.

Deutsche Bank took steps to ban all text messaging and communication apps to improve its compliance standards, with many others, including HSBC, Citi, and Wells Fargo, following suit and moving to a secure communications platform. However, while the financial industry is taking steps to prevent the use of consumer messaging apps, some firms still lack a robust policy on the tools used to communicate within a bank or other regulated entity, despite the implications.

Data privacy and security

Data privacy laws such as the GDPR and CCPA make the use of consumer messaging apps in the workplace challenging for IT, HR, corporate governance and compliance teams. The financial and reputational cost of misuse in these ‘shadow communications’ channels can be significant.

WhatsApp, one of the most widely used consumer messaging apps, can leave organisations that use it non-compliant with the GDPR because of:

  • Lack of explicit consent – anyone can be added to a WhatsApp group without explicit consent. WhatsApp has added functionality to prevent specific users from doing this, but this is not enabled by default. Contacts can also upload data to WhatsApp/Facebook if they give access to their contacts/address book, even though those contacts have not given consent.
  • Lack of ability to delete information – after a certain time, content posted to WhatsApp cannot be removed.
  • Lack of ability to get your own data back (SAR – Subject Access Request) – WhatsApp cannot provide an individual with messages they have posted, only profile info.
  • Data being transferred outside the EU – it is not very clear where exactly WhatsApp/Facebook moves the data it collects.

The use of WhatsApp for business purposes potentially breaches GDPR in several ways.

Companies do not even know what groups exist in consumer messaging apps, let alone who is in them, or whether former employees or contractors may still have access, increasing the risk of data breaches and leakage of confidential information.

A lack of oversight and transparency

Consumer messaging apps like WhatsApp, Signal and Telegram have provided unofficial communication channels that are difficult to monitor, resulting in a total lack of visibility for employers and regulators alike.

Access to these unofficial communication channels presents a serious risk by creating opportunities for employees to take advantage of situations. This includes conducting business under the radar in a way that benefits them or their clients in a manner that is immoral, or even illegal. In some cases, sharing information about clients without intending to cause harm can still result in serious consequences.

Firms have a legal obligation to keep a record of conversations between themselves and their employees, clients, or stakeholders. If legal challenges arise, it may be necessary to provide a record of these conversations. Many consumer messaging apps store data locally rather than centrally in the cloud, making it more difficult to provide a complete record of conversations.

In addition, there are also legal obligations and a duty of care to protect employees and ensure adequate levels of oversight, governance and control. This includes protecting them from bullying, harassment, or inappropriate behaviours in the workplace. The lack of visibility and transparency around consumer messaging apps, including the ability to delete messages, makes it more difficult for HR departments and legal teams to address issues promptly, while inhibiting their ability to collect evidence.

Terms of service

WhatsApp is used by over 40% of UK workers for professional purposes. This appears to violate WhatsApp’s own terms of service, as the app is not intended for business use.

WhatsApp’s terms state:

“WhatsApp is committed to using the resources at its disposal–including legal action–to prevent abuse that violates our Terms of Service, such as automated or bulk messaging, or non-personal use.

“We make no representations or warranties that our Business Services meet the needs of entities regulated by laws and regulations with heightened confidentiality requirements for personal data, such as healthcare, financial, or legal services entities.”

How can the financial service industry minimise risk when using messaging services?

The financial services industry requires a tailored approach to messaging in order to effectively minimise risk. Messaging apps are becoming increasingly ubiquitous, and do provide many benefits, such as increased productivity and collaboration. Excluding them from communications completely can close off channels that improve operational efficiency and build rapport between teams – something that has become even more important now that many employees are working from home.

Banks that have banned all text messages and communication apps on work-issued devices in order to improve their compliance standards have sought alternatives, such as Symphony – a messaging service aimed at highly regulated financial firms. This enables banks to continue to communicate with clients in real time, while also maintaining thorough and rigorous standards of data security and privacy protection.

Security, transparency, and compliance are paramount in the financial services industry, yet it is easy for unregulated consumer messaging apps to go completely unnoticed. The sector must do more to acknowledge and address their use in order to adhere to these three fundamental principles.

Workplaces, working practices, and channels of communication have needed to change rapidly as a result of the COVID-19 pandemic. It’s critical that organisations address the issues and risks associated with messaging apps by implementing robust policies around workplace communication and seeking out viable, compliant alternatives, not only now, but as part of a long-term solution.

Written by Guild founder and CEO, Ashley Friedlein. Guild is a British, independent and ad-free messaging platform for professional groups, networks and communities.