GDPR compliance software supplier Keepabl kicks off our FinTECHTalents FinTech of the Week for 2020. Robert Baugh, CEO of Keepabl, sat down to talk about the global influence of GDPR and its compatibility with blockchain solutions and other emerging technologies at FinTECHTalents 2019.

Do you think consumers are becoming savvier about data?

I think they are and I think that’s also rippled through into businesses as well. Businesses are now very aware of how they’re using people’s data, how they’re collecting it. Particularly with the Facebook Cambridge Analytica scandal and then, for example, with the massive potential fines for BA and Marriott of £183 million/£99 million, this has really got boards thinking about it as well. They know they’ve got to react well when individual data subjects exercise their rights and ask for copies of their data or what data you hold about them. There are a lot of activists out there already pushing that agenda a lot.

Are we seeing opportunities emerge around the data privacy and GDPR industry?

GDPR kicked off an enormous industry actually, including our own company. GDPR was really the spur for us. What happened before GDPR was very much the same sort of rules; GDPR extends them quite considerably and strengthens them, but the rules were all there in terms of data subject rights and other things like this.

What happened with GDPR was the maximum fine went from £500,000 to €20 million of global turnover, whichever is greater. So that really focused the minds as well.

Also with all of that, GDPR really made the news; it made it much better in the minds of individuals to exercise their own lines. All of that together created a perfect storm making people more aware.

Do you think the regulatory framework around the world is struggling to keep up?

GDPR has really spurred global privacy laws. In California they brought in the California Consumer Protection Act and there’s actually a new one coming through as well on the agenda. It’s not a law yet but it’s been proposed. The CCPA in California is very much based on GDPR with a couple of local tweaks. It went through very quickly so it’s quite an interestingly drafted law. Brazil’s law is very much influenced by GDPR. India’s law very much influenced by GDPR.

So Australia and Singapore, you mentioned, they already had really good data protection laws in place and they are looking at updating those. Also, for example, if Australia brought in a breach obligation as well, which we have here in the GDPR, so yes, it’s definitely spurred global requirements.

It’s pushed data protection to the number one concern for compliance people in the Asia-Pacific as well.

Have local data privacy laws increased in importance – considering the huge amount of data available on people globally?

You’ve hit the nail on the head for GDPR. US companies, on average, have spent more on GDPR than European companies have, but they’re more used to spending on technology and compliance as well. GDPR changes the territorial scope of the law, so you can be subject to GDPR if you target individuals in Europe. Those individuals don’t need to be European. They can be of any nationality. So, if you’re outside Europe processing data about Europe or about individuals in Europe, you’re probably going to be covered by GDPR. Interestingly, that territorial scope has been adopted by California as well for the CCPA. That’s why the whole of the US is very concerned about the California law.

How does Keepabl adhere to the ethos of regulation?

It’s a great question, because if you don’t have cultural change, you’re not going to be able to implement what’s called privacy by design and privacy by default. So, privacy by default is that your culture and your systems are all set up so that privacy is baked in. Then privacy by design is really that you’ve trained people and all your policies and procedures, you’ve got the cultural aspect, so that when you create a new process, you’re thinking about privacy by designing it into that process when you’re going through.

The way to do that is really cultural change, because it is very much different now than under pre-GDPR life. The way that we help people do that is with an innovative cloud solution. We’ve actually won GDPR company of the year 2019. In the last 14 months, five nominations for innovation, two for security for our breach module. That innovation is in taking something incredibly complex and making it really simple.

Banks often have a large compliance team, but they’re also overstretched, they’re also stressed out, they’re overburdened and under-resourced, typically. They don’t want anything extra complex on top and GDPR is this big monster. What we do is we make that really achievable – very visual, easy reporting, very straightforward for people in different companies, different teams and different jurisdictions to all work together on the same thing, so you don’t have a different way of doing things.

We’ve got case studies with FinTechs such as Ravelin, with investors such as FML Capital, and we have wealth managers listed as clients. They’ll all show the case that is in testimonials about how much more efficient we make the process, both working with your own teams and across jurisdictions and with external advisors as well. Also, less stress as you’re spending less time, saving cost, and that opportunity cost: if you’re GDPR compliant, your risk of having an expensive data breach is greatly reduced as well. So the opportunity cost of breach is also reduced.

How can regulation like GDPR co-exist with things like blockchain?

So, there is an interesting European Parliament report just out actually about how blockchain is pretty incompatible with GDPR because of the idea of this immutable record. GDPR, obviously, you’ve got to be able to erase and this sort of thing. There are different ways to look at it to try and address that, but the report comes out with a very interesting point, looking at how blockchain and GDPR coexist, which is quite hard.

Actually, what it throws up is that GDPR itself is still quite ambiguous in certain areas. People need to be able to have a risk-managed approach to it (which is obviously where we come in as well). So really GDPR is a bit like the ISOs, like 27001 for security, 9001 for quality, etc. You have a set of rules, and how you implement them is appropriate to the risk; that’s how GDPR can be applied.

When you’re looking at anything like … AI itself also raises some very interesting questions: data sharing, big data analysis, repurposing data – there are big questions. But these aren’t faults of the law; these are just the fact that the technology capabilities have exploded, and the law actually is technology neutral. It’s applying those first principles to the new situations and that enthusiasm of using new tech because we can, while also looking at how we have to do this.