To Know or Not to Know: The Battle for Data Privacy

Who owns the data? It’s a question repeatedly asked at banks and asset management firms. In the worst cases, it’s a tug-of-war between the various business units and the chief data officer (CDO), and even between the CDO and the chief information officer, if proper lines aren’t drawn between the two positions. Increasingly, though, there’s another battlefront: the clients.

Customers are more conscious than ever that their information is valuable. And with the multitude of headlines about hacks and confidential information finding its way onto the dark web, privacy issues are at the forefront of social, financial and political drama. In Europe, the General Data Protection Regulation (GDPR) has proven to be groundbreaking in its scope and complexity for firms when it comes to compliance. In the US, California and New York have introduced consumer privacy laws that have major tech firms shaking.

There’s more data than ever and that will only skyrocket with the advent of 5G networks in combination with the Internet of Things (IoT). Cloud infrastructures and data lakes have made it easier—and more cost-efficient—to store this sea of information. And new tools like machine learning and natural-language processing make it easier than ever to find correlations and unearth hidden insights. As a result, the capital markets’ thirst for data is insatiable. But standing in the way is the issue of privacy and how the regulators will approach the issue going forward.

At this year’s North American Financial Information Summit, held on May 21 in Manhattan, panelists talked about how they’re approaching the issue of privacy.

Over the last five years, the great effort has been to dump massive amounts of client data in centralized data lakes, said Gangesh Ganesan, president and CEO of PeerNova. “But once everything was brought into the lake, the challenge was privacy issues, governance issues, data jurisdiction issues, [and] ethical issues. What data am I allowed to use? And what data am I not allowed to use?” he said.

At PeerNova, which uses blockchain technology to tackle big data issues, the question developers grappled with was, as financial institutions reach global scales, how can they share data within a single business, but across state and country lines, and therefore legal jurisdictions? The technology they turned to was zero knowledge proofs, a protocol that enables data to be verified across jurisdictions without revealing the underlying content of it.

“People can verify it,” Ganesan said. “They can use it for applications they have, for machine learning. We’re seeing increasingly that data officers and the business units are coming and requesting technologies like that. … Technology is allowing that sharing to happen, and so we think this is going to become very important as both data governance and data ethics become the driving factors.”

Andrew Foster, deputy CDO for the Americas at Deutsche Bank, took things a step further describing his view of the privacy challenge. Tools available today are already effective at masking personally identifiable information (PII) so businesses can comply with regulatory obligations. The issue is actually in figuring out which solution is most appropriate for the bank’s specific needs.

“I think part of the decision-making now is, what is the right solution out of a plethora of solutions that will help advance your path?” Foster said. That is, the path that helps investors and businesses glean the most value from big data, but without breaking jurisdictional privacy rules.

Rather than making a sweeping decision to buy or build, firms will need to be more targeted when it comes to privacy and compliance technology. For example, one of the more interesting and challenging components of GDPR is the so-called “right to be forgotten” clause. While potentially daunting, firms need to conduct a risk assessment when it comes to whether or not to use a third-party tech platform, or whether it can actually be more easily handled in-house.

“Number one, everyone tends to speak to the right to be forgotten. I think an interesting question there is, is that really a risk for your organization? How much effort are you going to put into that? Do you have 16 people a year saying, ‘Please forget me’?” he says, which could easily be handled internally rather than having to spend on a third-party service.

And as we’ve already seen with GDPR and what’s potentially coming down the pike in California and New York, a day of reckoning could soon be coming for how firms decide to use both alternative datasets, as well as how they try to monetize their own internal data.

Firms need to start thinking now at a high level about how they will address privacy challenges, before the regulators force them into these discussions.

The real solution—and it wouldn’t come from technology, per se—lies in making sure clients and consumers are on the same page with the institution from the outset, said Alla Whitston, CDO at CIT. For example, when a customer clicks “I Agree” to the terms of a company’s services, it’s often checked without being read. If firms thought up front about how to present the right ethical questions to clients from the outset, then “I Agree” could be more than a checkmark.

“Do we ask the question, ‘How do you want us to treat your data?’” Whitston said. “Are we ethically asking that question every single time in the right way? Are we thinking about it from the customer’s standpoint? ‘Customer’ is not only about whether we are providing the best service, but are we thinking about them?”