An unprecedented number of online businesses collect and store massive amounts of user data. What can they do to keep it protected? Kristina Drigotaitė, Head of Risk at ConnectPay, talked to us about what businesses should know about data protection, how to minimize data breaches, and why it makes sense to collect as little data as possible.
What should every online business know about data protection?
It’s very important for every online business, no matter how big or small, to understand what personal data is and what it encompasses. On the surface, personal data includes identity information, contact information, financial information, online account information, location data, communication data, web browsing history, social media data, health and medical data, biometric data, and app and device usage data. In an increasingly digital world, users are sharing more of this data with different companies.
Where does this leave companies? First of all, online businesses should understand basic regulations related to personal data protection they need to comply with. But it’s also important to have the right mentality. After all, being on top of data protection rules is not only about compliance – it’s also about establishing and maintaining the trust of your clients.
And this advice is valid for online businesses of any size, right?
Definitely. I think that a certain level of attention and awareness about the importance of protecting personal data is relevant for every single online business. And there’s hardly an online business that doesn’t collect any personal data.
In any case, transparency goes a long way. You have a direct connection to your users, or as they’re called in this context – “data subjects”. Being transparent and open about what data you’re collecting and keeping, for which purposes, and for how long – all of this needs to be presented in an understandable way to the end user.
Even if the data is publicly available elsewhere?
Even then. If the end user shares any data with me, it doesn’t mean that I can use it for whatever I want.
Is data categorized by its sensitivity?
The term “sensitive personal data” encompasses data on a person’s political views, religion, orientation, biometrics and the like. It’s more sensitive than, say, an email address, so GDPR regulates it more strictly.
What’s your advice for online businesses dealing with such data?
As an online business, you always need to properly justify your need to collect personal data. You must dedicate sufficient time and resources to crystallize and understand what personal data you need, for what purposes, and what legal ground you have to actually process it. Here, minimization is key – collect as little as possible. And when you decide to collect and process data so you can provide the best product or experience for your end user, be fully ready to explain what legal ground you have to process it, and to prove what you use this data for. For instance, if you collect my ID details to verify my identity as the law obliges you to do, you can by no means use the same data for marketing or other unrelated purposes.
Another important thing is setting up a retention period for any data processing activity. No personal data can be processed or kept forever. Data must be stored only for as long as you need it to achieve the goal you set for it initially. Once that’s done, data must be deleted. This is often left for later by businesses that are establishing operations. Yet if you don’t follow the Privacy by Design principles, and don’t set the right foundations from the start, it may be a hassle to implement and ensure retention periods for various sets of personal data further down the line.
Is GDPR the only set of regulations that online businesses should be aware of?
GDPR is a regulation that protects the rights of EU citizens. Even if a business is located outside of the EU but targets and collects personal data related to people in the EU, it must comply with GDPR. And, of course, GDPR is not the only regulation businesses must comply with. GDPR is simply stricter than a lot of local regulation, and that’s why in some countries, people take it as a standard. But every single country may have internal local regulations addressing data privacy. So compliance depends on the market a business is targeting and on the geography where its clients are located.
Are such companies as neobanks under more scrutiny when it comes to data protection? Or is everyone operating in the online space more or less on an equal footing?
I think the obligations are the same. For licensed financial institutions, it actually might even be easier to justify collecting a big portion of data, because, for example, AML laws oblige them.
The other thing that distinguishes neobanks is their complexity. As platforms, neobanks might have a great business idea, but not the technology or license to execute it. So they might partner with licensed entities, or use other vendors and third-party subcontractors to outsource the technological solution. This means that neobanks often have third parties involved in the setup of their business model, and partners that provide some portion of the services.
This makes data protection quite complex, because regulation states that you need to be very clear about the responsibilities of different parties. Some parties might have a legal ground to collect data while others might not. Even when data can be shared between parties, it automatically creates additional exposure.
That’s why when building a platform, from the very beginning you need to think about personal data, who you’re going to share it with, and who’s going to own it. And based on that, you need to figure out how the data is going to be passed on from one party to another. You must also have proper data processing agreements with them, ensure ongoing oversight, and be transparent with your data subjects about transferring their data to third parties.
Is there a way to ensure that, in the case of a data breach at the third party company that handles the data of my customers, I’m not legally liable?
I wish I had a magic solution to this problem. However, when an online business is the data controller by law – the one that defines what personal data needs to be collected, why, and so on – but has contracts with third-party service providers that process that data, this business is liable even if a partner data processor messes up or something goes wrong. As a data controller, it can’t dodge responsibility, because it was the one that chose the service provider and contracted them. Both parties are responsible.
Of course, the liability might be minimized if you draw clear lines and define clear roles and responsibilities in relation to data, and if your partner, acting as a data controller, is solely at fault when something goes wrong. But with neobanks, I’d say that this is very hard to distinguish. Because in the eyes of the end user, it’s one platform – it’s a package of solutions that they give their data to. So while it’s important for the platform to provide information about sharing data with third parties, it doesn’t protect it from liability. If your close partner, who provides services for your platform, experiences a data breach, your business is going to suffer reputationally. And reputation is a thing that can cause a lot of damage. Ultimately, it’s not solely about the fines.
In most cases of data breaches, we usually hear about thousands and even millions of users’ data leaking. Are there ways of minimizing the scope of data breaches, so that if a breach happens, only a fraction of users is impacted?
It really depends on the operations of a specific company, what kind of data it collects, and what it does with it. But a way to minimize data breaches is the initial risk management, that is, proactively putting in place certain measures to protect data when starting the business. That might involve strong data access controls, data encryption, high software privacy standards and other technical information security measures.
The other side is the organizational measures you need to address. Training is important, because there are plenty of risks to data security that involve social engineering. Human error accounts for a massive share of data breaches, so it’s crucial to provide proper training to ensure that employees have clear responsibilities and can only access the data they need. Other organizational measures might include setting up information security policies and procedures, as well as a clear process for responding to personal data breaches; clearly defining roles within the organization; ensuring proper change management, and others.
Even if no funds are laundered through your neobank, but your AML setup is sloppy, you can still get fined. Is it the same with data protection? Can you get audited even without experiencing data breaches?
You can. Luckily, in every country there is a Data Protection Authority, and they must oversee how businesses handle personal data. And if you look at the predefined inspections of the State Data Protection Inspectorate in Lithuania, they target a lot of different industries and don’t simply follow data breaches.
But if there’s a breach, you must report to the SDPI within 72 hours, stating very explicitly what happened, why it happened, what you did, what preventive measures you can take, and so on. Sometimes it can lead to an investigation, as in the case of CityBee.
Another important thing is complaints. If you’re not transparent, if you’re misusing the data, if you’re not able to ensure the rights of the end users, or if you’re neglecting their questions, they might complain directly to the regulator. This might also trigger an investigation.
Whether a breach happens or not, maintaining a good relationship with the regulator is very important, right?
Yeah. Because that’s what we want to do with all the regulators, right? We want to be open to their questions, to be cooperative, to follow our obligations by law, and to really respect data privacy and the customers that we’re working with.
How do regulators help companies follow data protection rules?
They provide guidelines and clear interpretations of GDPR. I’ve participated in multiple training sessions for the private sector with the Lithuanian regulator. And if you’re planning a change in your company, such as adding new products or technologies, and it involves processing personal data, you need to assess risks. In cases when the risk assessment you conduct reveals quite a significant exposure even with a number of mitigation controls applied, you can always go directly to the regulator and consult with them on specific data processing activities.
Do companies regularly check their databases for user data they can delete, for instance, when a client hasn’t used their service for a long time?
That’s something that must be defined upfront. No company can use personal data of a specific individual forever. For whatever data processing activity the company collects personal data for, they must set a specific time frame when that data needs to be deleted.
If you’re a financial institution and you onboard clients, there are certain legal obligations – the law says that you need to keep a user’s data for eight years, even after your contract with the user ends. But then, if you wanted to become a customer, but you never did – for example, you withdrew your application or just sent some queries but then changed your mind – the financial institution couldn’t justify keeping your data for eight years. It would need to delete that data much, much earlier.
What are the rights of users when it comes to data? Do you have the right to inquire about what data the company holds, if you can change it, or have it deleted?
Yes to all of these. You can also ask, for instance, for your data to be transferred from one company to another. There are more rights, just not all of them are executed very often yet, because not all users understand and know their rights.
What’s worth noting here is that sometimes people feel that they have the right to ask anyone anywhere to delete the data. That’s not really the case. If a business has a legal ground to keep the data, they might not fully address that request. For example, as a financial institution, I need to keep your data, but you’ve asked me to delete it. I will delete all the data of our communication, for example, but keep the core data that is required by legislation. Yet online businesses must respect and adhere to the rights of data subjects, and respond to their concerns in a timely and respectful manner, providing all required justifications for why, for example, certain data cannot be deleted. After all, data subjects also have the right to complain directly to the regulator.
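Two points in the interview lend themselves to a concrete implementation: the retention period that must be set per processing purpose (eight years after contract end for an onboarded client of a financial institution, much less for someone who withdrew an application), and the erasure request that is honoured for communication data but refused, with a justification, for core data held under a statutory obligation. The Python below is an added illustration and not code from the interview, ConnectPay, or any regulator. The eight-year figure is the one quoted above; the purpose names, the 90-day and one-year periods for abandoned applications and support communication, and the sample records are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional


def add_years(d: date, n: int) -> date:
    """Calendar-year arithmetic; 29 Feb falls back to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


# Retention rule per processing purpose, as a function of the clock-start date.
# The eight-year period after contract end is the figure the interview quotes for
# financial institutions; the other two periods are constructed assumptions.
RETENTION: Dict[str, Callable[[date], date]] = {
    "onboarded_client_core": lambda start: add_years(start, 8),
    "abandoned_application": lambda start: start + timedelta(days=90),
    "support_communication": lambda start: start + timedelta(days=365),
}
# Purposes resting on a legal obligation cannot be erased on request before
# their retention period has run out.
LEGAL_OBLIGATION = {"onboarded_client_core"}


@dataclass
class Record:
    subject_id: str
    purpose: str
    created: date
    contract_ended: Optional[date] = None  # only meaningful for onboarded clients
    deleted: bool = False


def retention_start(r: Record) -> Optional[date]:
    """The statutory clock for an onboarded client starts when the contract ends;
    while the contract is open there is no deadline yet. Other purposes count
    from the record's creation date."""
    if r.purpose == "onboarded_client_core":
        return r.contract_ended
    return r.created


def expiry(r: Record) -> Optional[date]:
    start = retention_start(r)
    return None if start is None else RETENTION[r.purpose](start)


def purge_expired(records: List[Record], today: date) -> List[tuple]:
    """Scheduled job: delete every record whose retention period has elapsed."""
    purged = []
    for r in records:
        if r.deleted:
            continue
        due = expiry(r)
        if due is not None and today >= due:
            r.deleted = True
            purged.append((r.subject_id, r.purpose))
    return purged


def handle_erasure_request(records: List[Record], subject_id: str, today: date) -> dict:
    """Erasure request from a data subject: delete what has no legal basis to
    stay, and return an explicit justification for anything that is kept."""
    deleted, kept = [], []
    for r in records:
        if r.subject_id != subject_id or r.deleted:
            continue
        due = expiry(r)
        under_obligation = r.purpose in LEGAL_OBLIGATION and (due is None or today < due)
        if under_obligation:
            kept.append({"purpose": r.purpose,
                         "reason": "statutory retention obligation",
                         "retained_until": due.isoformat() if due else "contract still active"})
        else:
            r.deleted = True
            deleted.append(r.purpose)
    return {"deleted": deleted, "kept": kept}


def sample_records() -> List[Record]:
    """Constructed sample data for the demonstration."""
    return [
        Record("alice", "onboarded_client_core", date(2015, 1, 10), contract_ended=date(2016, 6, 1)),
        Record("alice", "support_communication", date(2023, 11, 5)),
        Record("bob", "abandoned_application", date(2023, 10, 1)),   # withdrew, never became a client
        Record("carol", "onboarded_client_core", date(2022, 3, 3)),  # contract still open
    ]


def run_demo(today: date = date(2024, 1, 1)) -> dict:
    records = sample_records()
    purged = purge_expired(records, today)
    erasure = handle_erasure_request(records, "alice", today)
    return {"purged": purged, "alice_erasure": erasure,
            "still_held": [(r.subject_id, r.purpose) for r in records if not r.deleted]}


if __name__ == "__main__":
    print(run_demo())
```

Run on 1 January 2024, the purge job deletes only bob's abandoned application (its 90 days ran out on 30 December 2023), while carol's open contract has no deadline at all. Alice's erasure request deletes her support communication but keeps the core onboarding data until 1 June 2024, and the returned `kept` entry is the justification the interview says must accompany a partial refusal. Keeping the rules in one table per purpose is what makes the retention period auditable upfront rather than something bolted on later.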