How FinTechs Help Merchants With GDPR Compliance


FinTech firms are keeping a close watch on the latest regulations and helping their clients comply with them.

The European Union’s General Data Protection Regulation (GDPR), for instance, went into effect last May, and penalties are just starting to be enforced. The regulation is top of mind, especially for European Union companies, and FinTechs are stepping up to help their customers comply with its components from a product perspective. Those components include requesting consent from the user, practicing data stewardship, maintaining data residency, promptly disclosing any data breach and honoring the end consumer’s right to be forgotten.

When it comes to requesting consent from users, Modo Chief Product Officer Ryan Lee notes that companies — as technologists — use many tools, and those tools collect personal information. “Some of it is passive,” Lee told PYMNTS.com in an interview, and some are “a little more active.” FinTechs like Modo, however, disclose what technology they use to collect data around product usage (and what telemetry they take in). They make sure the client can present that information in their privacy policies, which addresses the GDPR requirement to request consent.

In terms of data stewardship, Lee said, “it’s all about taking ownership” of the data that is collected. Lee says he hopes most payment companies treat data with a high degree of sensitivity. However, he also envisions a second level of ownership: treating the data as if it were your own. At Modo, Lee said that “we don’t feel like we own the data.” He added that “we tell our clients any data stored in our system is their data.” Moreover, all the data the company stores is tokenized and encrypted, so there is a higher degree of ownership and protection around it.

Data residency, on the other hand, refers to where the data resides geographically. A company may have a customer within the European Union, and that customer’s data might have to be kept on servers in the Euro Zone. With the proliferation of cloud providers such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud, many of these providers let customers place resources in specific geographic regions. To help clients, the FinTech uses Kubernetes so that it is cloud agnostic, and its clients’ data can be stored wherever regulations require.

In terms of prompt disclosure of data breaches, Lee noted that the company has hired a chief information security officer (CISO). That role covers how the company protects the information that client organizations have provided to it. It is an all-encompassing role, spanning the internal systems the company uses and the controls governing which employees can access that information. It also covers keys, how those keys are stored, how internal staff access information and the types of security technology the company uses.

Also, when it comes to the right to be forgotten, Lee notes that situations exist where a customer prepares to make a purchase but doesn’t complete it. In that case, the data is still stored, and the customer might want to be forgotten. The FinTech, therefore, allows clients to initiate a ‘forget this user’ request (with some limitations). If a person has made a purchase, however, it’s not easy to completely anonymize his or her data, because there is generally a regulatory requirement to keep that record on file for a certain period. The idea is that the company forgets people as much as it can in its systems and allows the removal of their data as far as regulations permit.

By keeping an eye on the latest developments in the regulatory landscape, FinTechs are aiming to help their clients comply with rules such as GDPR and its different components.