Interview by Marlene Schloffer, RBI
Daniela Bollmann, data protection officer at RBI, talks about her job, why she is proud of the GDPR, what kind of data banks collect, how customers benefit from this, and how to prepare for and respond to a data breach.
- What is the purpose and goal of a data protection officer and a data privacy office?
At RBI, of course, we follow the rules of the General Data Protection Regulation (GDPR). Thus, we have set up a Data Protection Management Office. Its function includes implementing and managing, on behalf of RBI, the GDPR, national laws and other rules and regulations, external or internal, relating to data protection. This means, for example, the implementation of data protection rights, recording of processing activities, execution of Data Protection Impact Assessments, training, etc.
The tasks of a data protection officer are to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the GDPR, to monitor the company's compliance with the GDPR and with other Union or Member State data protection provisions, to raise awareness and train staff, and to provide advice regarding the data protection impact assessment and monitor its performance. A main function is also to cooperate with the supervisory authority and to act as its contact point.
- What is the difference between data privacy and data security?
Whereas data privacy is implemented through a set of policies and procedures designed to safeguard the privacy of data, data security involves the use of physical and logical strategies to protect information from data breaches, cyberattacks, and accidental or intentional data loss. Examples of measures for ensuring data security include resilient data storage technologies, encryption of data, physical and logical access controls that prevent unauthorized access and data masking. Specific techniques include multi-factor authentication, multiple layers of access control at the network and application layer, and the detection and isolation of unauthorized devices as soon as they attach to a network. Regular backups and tested disaster recovery plans are also a big part of data security.
- Regarding data privacy: Which laws and regulations exist?
Over 80 countries and independent territories, including nearly every country in Europe and many countries in Latin America and the Caribbean, Asia and Africa, have now adopted comprehensive data protection laws. In Europe, the General Data Protection Regulation (GDPR) came into force on 25 May 2018. It is the core of Europe's digital privacy legislation. The GDPR applies to any organisation operating within the EU, as well as any organisation outside the EU which offers goods or services to customers or businesses in the EU. The GDPR aims to simplify the regulatory environment for business purposes, so that both citizens and businesses in the European Union can fully benefit from the digital economy. As a fervent European, I think we can be proud to have, in the GDPR, the strongest and most modern data protection rule in the world, which is becoming a global standard. This is also confirmed by the recent adoption of our mutual adequacy findings with Japan. Unlike other data protection laws, the GDPR empowers people and gives them more control over one of the most valuable resources in the modern economy. Personally, I would not want to live in an area where sovereignty over personal data is in the hands of a couple of companies or is the property of a state. Despite all my enthusiasm, I have to admit that there is still room for improvement. Mainly because the GDPR is a "young" law, I hope some "teething troubles", e.g. the uncertain situation concerning EU Standard Contractual Clauses for data transfers to the US, will be solved on a general level in the near future. Generally, I hope that the Data Protection Authorities will enforce general and clear rules and improve the coordination of their actions in the European Data Protection Board to guide companies and citizens.
- Which data is collected by banks and why?
According to the General Data Protection Regulation, there is an obligation to inform the customer about which data is processed within a company, for which purpose, for how long it is stored and with whom it will be shared. This information is provided by each company, usually on its website. For financial institutions this mainly corresponds to customer data (transaction data, master data, credit data, etc.), personal data and supplier data. It is important to know that data given by a customer cannot be used for another purpose. There are legal restrictions set by the local banking laws, but also by the GDPR, the so-called "purpose limitation". This means that if the data collected is processed for a purpose other than that for which it was collected, this is a violation of the GDPR and also a violation of the Banking Act in some countries, e.g. in Austria. Therefore, one has to check very carefully the purpose for which the data was given. If use of the data for a different purpose is wanted, a new legal basis is required.
- How can the customers benefit from data collection?
Innovative companies can generate advantages through data collection and data analysis by offering new products and services earlier than their competitors. It marks a huge opportunity to enter the market with more competitive and better products. I believe that modern customers are also becoming increasingly demanding and ask not only for digital services but also for first-class advice, services etc. in a so-called "omni-channel", for which, from a financial services point of view, the Payment Services Directive II has defined the preconditions to enforce competition. But this requires data processing, analysis and evaluation of the data within the whole company. It is not enough to sit on a mountain of data; one has to evaluate it intelligently. But since local banking laws and the GDPR set limits for comprehensive data use, even if the result would be an advantage for the customer, financial institutions must ensure that the processing is done on a legal basis as required by the GDPR. It is my belief that the more the added value of using customer data is explained to customers, the more likely they will agree and give their consent if there is no other legal basis for processing. Modern customers know their data is of value to the company, but they also understand that companies can offer tailor-made and optimised products by evaluating the customer's data, which has a great beneficial impact.
- This month, on Discover CEE we’re focusing on data and cloud. How did the technological change affect data privacy and data regulations? Can one see a clear change induced by the cloud?
The practical importance of cloud services is increasing in Austria and CEE; about half of the companies in the Austrian financial sector already use cloud services, and by 2021 this figure will be almost two thirds, according to a study by the Financial Market Authority published in 2019.
Cloud service providers such as Google and Amazon, which have clear competitive advantages due to their large market share, should be treated with caution. After all, since the failed Safe Harbor Agreement, the recently failed EU-US Privacy Shield and the uncertainty around EU Standard Contractual Clauses in third-party countries, it is clear that US data processing companies can hardly comply with the data protection regulations of European Member States.
Therefore, RBI prohibits the use of cloud service providers for personal data storage in the USA, and in the case of European cloud providers with parent companies in the US (e.g. Microsoft, Amazon), technical and contractual safeguard mechanisms have to be in place. One has to bear in mind that access by the US government to data, even data stored in Europe by a European cloud provider with a US parent company, cannot be totally excluded due to the US CLOUD Act.
I very much appreciate that Europe is now addressing the issue of a European cloud in order to provide a cloud solution that is independent of the US cloud hyperscalers. In Austria, for example, we are tackling this issue in the "Team Austria Cloud" initiative, and on the European level in the Gaia-X project, in which RBI is cooperating. I think the further development of the current cloud solutions into intelligent cloud solutions is unstoppable, and the future lies in multiple devices which share data in real time; all of it will be funneled into the cloud, where smart management will offer the cloud's intelligence to the consumer. Therefore, we must insist on compliance with data protection principles now.
- How is the current situation in CEE?
The EU GDPR is directly binding in all EU Member States. However, numerous so-called "opening clauses" (more than 70 in total) offer the legislators of Member States the opportunity to supplement or modify the GDPR through their own legislation. Accordingly, further legal bases have been created in various countries. In Croatia, for example, the provisions of the GDPR were enshrined in a law, "ZAKON O PROVEDBI OPĆE UREDBE O ZAŠTITI PODATAKA – NN 24/2018" (Act on the Implementation of the General Data Protection Regulation), Slovakia created a new law to implement the GDPR, and in Austria the national Data Protection Act (DSG) was enacted.
- What advice would you give a data protection officer to prepare for and respond to a data breach?
First, have the courage to take immediate action when you are informed of a data breach, even if it means shutting down an important system. The longer the data breach persists, the more tedious the mitigation measures and the justification to the authority become, and the higher the fine.
My second piece of advice is: the GDPR is a prohibition law subject to permission. But where there is a will, there is also a way to find a solution which fits the data processing requirements of the company and also complies with the GDPR and secures and ensures the rights of the data subject.