Types of Fintech Data and Data Privacy

What is privacy?

• Privacy enables us to create barriers and manage boundaries to protect ourselves from unwarranted interference
• Privacy helps us establish boundaries to limit who has access to our bodies, places and possessions, as well as our communications and our information

What is data protection?

Data protection seeks to protect people’s data by providing us with rights over our data, imposing rules on the way in which companies and governments use that data and establishing regulatory oversight to enforce the laws.

What is GDPR?

The General Data Protection Regulation (GDPR) is the key legislation governing privacy in the European Union and the European Economic Area (EEA).

What is a controller?

A controller is a physical or legal person that determines the purposes for which and the means by which personal data is processed.

When do you become a controller?

You automatically become a data controller if you decide to do one of the following five things:

1. Collect/process personal data
2. Decide what the purpose/outcome of the processing should be
3. Decide what personal data should be collected
4. Decide who to collect personal data about
5. Have a direct relationship with data subjects

What is a processor?

A processor processes personal data on behalf of the controller. That is to say, it only does what it is told to do by the controller.

What is anonymised data?

Anonymised data is data that does not relate or identify a person. The GDPR does not apply to personal data that has been anonymised.

What is pseudonymised data, and what are its advantages?

Pseudonymisation may involve replacing the names or other identifiers which are easily attributed to individuals with, for example, a reference number.

Advantages:

• It can potentially be out of scope of certain data subject access rights
• It demonstrates a data protection by design approach, and that you are implementing appropriate security measures expected of a data controller
• It reduces the risk to individuals in the event of a data breach - reducing the risk of notification

What is the difference between a controller to controller transfer and joint controllership?

• Controllers are the main decision makers - they exercise overall control over the purposes and means of the processing of personal data
• If two or more controllers jointly determine the purposes and means of the processes of the same personal data, they are joint controllers. However, they are not joint controllers if they are processing the same data for different purposes

What is the advantage of a controller to controller transfer?

• Multiple data controllers can transfer personal data between themselves either as  joint controllers or independent controllers
• The principle of purpose limitation dictates that personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”
• Agreeing contractually-binding restrictions in a data-sharing agreement will help both parties comply with their obligations under GDPR
• Choose a data transfer mechanism: use binding corporate rules or the model controller-controller clauses to help define the purpose

What is data portability, and when does it apply?

The right to data portability gives individuals the right, in certain circumstances, to receive personal data they have provided to a controller, and to request that a controller transmits this data directly to another controller.

The right to data applies when:

1. When the lawful basis for processing this information is consent or the performance of a contract
2. When processing is being carried out by automated means

What are the rules surrounding data portability?

• Requests may be made verbally or in writing. They may be made to any part of the organisation and do not have to be to a specific person or contact point
• In most cases, you cannot charge a fee to comply with a request for data portability
• You must comply with a request for data portability without undue delay, and at the latest, within one month of receipt of the request