Privacy by design in the FinTech sector: a differentiating value

Privacy by design in the FinTech sector: a differentiating value

It’s very probable that you have heard about the concept of “Privacy by design” on some occasion. However, even though it is a concept on which much has been written and reasoned over the years, it still is a really interesting idea and a differentiating value for many organizations . 

Its ideation is the result of the work of Ann Cavoukian, who as a Data Protection Commissioner began to study around this concept, which she shaped over the years, until its culmination in 2009 with the presentation of Privacy by Design: The Definitive Workshop”, to whom we therefore oew this interesting approach related to privacy. 

Workshop”, to whom we therefore oew this interesting approach related to privacy. 

To start talking about privacy by design, we must say that it is a concept of great importance, included in the General Data Protection Regulation (GDPR), and more specifically, in its recital 78 and article 25. 

In general, it means to use an approach based on risk management and proactive responsibility, so that the organizations incorporate strategies to guarantee the protection of privacy throughout the life of their object, 

Therefore, the idea is that privacy is a constant in the life of the organization, and that it always accompanies it in all the stages of the company. In this sense, it means that privacy will be a constant, a permanent companion, an essential part of the organization, which will guarantee privacy protection at all stages. 

This general idea is also accompanied by a series of principles that establish privacy by design, which we will talk about later. 

Privacy by design is an approach in which the organization is taking privacy into account in all its stages, and can therefore achieve key security and business development that is respectful of the most fundamental principles in the privacy area.  

For all of these reasons, we shall not be surprised that it is a differentiating value. And as you may have read at the beginning of the article, we have said that it is especially so for the FinTech sector, but why? 

One of the main reasons for this is because of the confidence it can generate in consumers. We commented in a previous post about the use of IA and its implication with data protection in the FinTech sector that these types of companies can manage and process a large amount of  sensitive data, such as payment information. In this sense, it is very important for them to comply with the GDPR, since it requires data being processed in a lawful and transparent manner, regarding the article 9 and the special categories of data. And not only that. FinTech companies can have a huge impact on people’s daily lives, especially when we come across a data breach. For their clients, trust is not only important: it is everything. If customers can’t trust FinTech companies with their data, they will simply disappear.

Concerns around privacy are becoming more and more common in the FinTech sector, and if we said that privacy by design aims to make privacy a constant in the life of the organization, we can understand why it is a key and differentiating factor for them. Also, this concept can be applied to the systems, structures or software used by the organization, which will result in an assurance that the privacy of the users is not compromised.

Privacy by design principles and their practical implementation

Once we have been able to understand the concept of Privacy by design and exposed the crucial relationship it has with the FinTech sector, we must now delve into defining its fundamental principles and how it is carried out in practice. 

We must remember that the General Data Protection Regulation refers to this concept, when it says in its Recital 78 that “in order to be able to demonstrate compliance with this Regulation, the data controller must adopt internal policies and apply measures that comply with in particular the principles of data protection by design and by default”.

In addition, its article 25 called “Data protection by design and by default”, also establishes a key regulation of this important approach to privacy, specifically referring to security measures.

Once we have analyzed where it appears regulated, we can establish the following principles of privacy by design, and some recommendations to comply with them:

1. Proactive, not reactive: preventive, not corrective. Anticipate threats, a commitment to privacy, detect deficiencies quickly and effectively. 

2. Privacy as a default setting. Establish criteria that respect privacy, specific guarantees for it, so that the user does not need actions to protect their privacy. 

3. Privacy built in at the design stage. Privacy must accompany the organization throughout all its phases, being a vital part of it. 

4. Full functionality. Finding a balance between the privacy of users and the interests of the organization, and understanding that when solutions given could lead to privacy violations, it’s needed to study new alternatives that are more respectful for the user’s privacy. 

5. Assurance of privacy throughout the life cycle. Implementation of techniques that ensure privacy at all times, such as anonymization of data encryption.. 

6. Visibility and transparency. Being able to demonstrate compliance and being transparent about what data is collected, used or processed, and promoting it with privacy policies, information clauses or effective communication. 

7. Respecting user’s privacy. Active role of the users to have access to their data, so the processes and operations make data protection effective. 

Therefore, important principles such as data minimization, integrity and confidentiality, proactive responsibility or transparency must be guaranteed.In conclusion, privacy by design is a truly valuable asset for companies (especially for those in the FinTech sector to guarantee privacy at all times, adopting measures that contribute to it, always from the early stages and throughout all the organization life. Adhering to the principles set forth above and implementing privacy practices that are effective will be key for most companies.