Data Protection Challenges for Big Data. FinTech event Oct 12th

By Mark Adair, senior associate on the technology law team at Mason Hayes & Curran in Dublin.

Fintech businesses in Ireland and globally are using big data in innovative ways to create a competitive advantage.

Big data is a term describing companies running high-speed computer analytics on large amounts of unstructured data, from a variety of sources, to reveal patterns, trends and associations that help inform forecasting and decision-making. With so much raw data available to the financial services industry, the real value of big data lies in the output of the analytics. For a financial technology business, also known as a Fintech, the analytics can help it identify opportunities for new products and services, optimise pricing and manage existing risks, such as identifying security breaches or transaction fraud. 

Financial services businesses using big data face data protection and privacy challenges under existing Irish and EU laws.

Financial services is a highly regulated sector. Where an Irish Fintech business is using personal data it must ensure it complies with its obligations under the Data Protection Act.

• Fairness: It must ensure that the processing of big data is “fair” by being transparent and making the individual aware of how it will use his or her data. Generally, the Irish Data Protection Commissioner expects businesses to obtain consent for the processing of personal data.
• Data minimisation: Under the principle of data minimisation, personal data should only be kept for as long as is necessary for the purpose for which is was originally collected.
• Purpose limitation: Big data can process and re-purpose old data sets in new ways. This means a Fintech business may want to use data from external sources in a manner that was not anticipated when the data was originally collected from the individual. However, Irish data protection law provides that if an organisation collects data for one purpose, it cannot use that data for another “incompatible” purpose without obtaining a new consent.

New EU data protection laws on the horizon will make data protection compliance even more important for Fintech businesses.

The new EU General Data Protection Regulation (GDPR) is coming into force on 25 May 2018. The GDPR enforces large penalties for non-compliance, which can be up to 4% of the group’s worldwide annual turnover. The new regulation also specifies that certain types of high-risk profiling need a “data protection impact assessment”. Fintech businesses will need to become familiar with the GDPR’s complex new rules on obtaining customer consent. If a Fintech business is using automated decision making for credit worthiness decision the regulation requires any analysis to contain appropriate safeguards. Under the GDPR there is a general duty to comply with the principle of “privacy by design”, which means a Fintech business’ engineers must design its systems and apps, from the ground up, in a privacy-friendly way.

There are steps a Fintech business can take to mitigate the data protection and security risks arising from big data.

A Fintech business should review its processes, policies and disclosures. It needs to undertake assessments and put in place appropriate security and governance processes to help make data more secure from misuse and information security breaches. It also should to ensure that relevant paperwork, such as privacy policies, data transfer agreements and cookies policies, are in place. The privacy policy should be open and transparent about how the Fintech business collects, processes and transfers personal data. A Fintech business may wish to double check that it holds the appropriate consents to process and run analytics on external big data sets and, if necessary, obtain fresh consent.

Big Data is only going to get bigger so remember the concepts of ‘proper paperwork’ and ‘privacy by design’. Big data and analytics is a rapidly evolving area. It offers a lot of value and benefits for Fintech businesses, but also poses significant data protection risks. These risks are growing as the amount of data companies collect and analyse increases. Fintech businesses should take a structured approach to conducting big data analysis and, in anticipation of the new data protection laws coming into force, get their paperwork in order and make ‘privacy by design’ part of the DNA of their company.

 

Mark Adair will be co-presenting on how the Fintech industry is changing financial services in Ireland and globally at Mason Hayes & Curran’s offices on Barrow Street in Dublin on Wednesday 12 October. Register here.

Mark Adair

 

e: madair@mhc.ie

w: www.mhc.ie/markadair

Mark advises both Irish and international clients on a range of complex technology matters. Mark has a particular focus on the areas of software, cloud computing and fintech. Mark is recognised as a thought leader in the Irish technology law sector and has recently authored a number of articles for Irish and UK technology publications and presented at national industry conferences.

If you would like to have your company featured in the Irish Tech News Business Showcase, get in contact with us at Simon@IrishTechNews.net or on Twitter: @SimonCocking