Lessons from the GDPR compliance journey of a large financial services organisation

Written by FinTech Futures
20th July 2017

Angsuman Dutta, Pricchaa

In preparation for the General Data Protection Regulation (GDPR) compliance, a global financial services organisation embarked on a journey to assess its core information processing environments with the objective of identifying opportunities to strengthen its privacy data protection programs.

This article focuses on the technology challenges, approach, and lessons learned for the centralised testing environment.

Situation

Like many DevOps groups across the industry, this financial organisation has adopted both continuous testing and quality testing regime to deliver quality products leveraging agile methodology.

The organisation prefers to use production data to prepare the test data. While majority testing is primarily be done by an internal team, certain applications are tested by outsourced offshore teams.

The test environment is fairly complex comprising Oracle, Hadoop (Parquet files), Hive, Cassandra, MS SQL, SAS, Linux-based system. Incremental data volume varies between ten million to 15 million records on weekly basis. Certain major releases of big data based applications require up to 5 GB data (~75 million records).

Challenges

To comply with GDPR and prevent privacy data breach events, the testing team needed to detect and de-identify the personally identifiable information (PII) element. If they use available de-identification methods of leveraging product specific encryption technology, such as MS SQL encryption etc, much of the data becomes unusable for testing for the following reasons:

current methods scramble the data and make data unusable;
current methods do not preserve any referential relationship between various data sources.

If they choose to mask the data, they are challenged with similar challenges. For example, if they want to test an application that calculates the end of month summary balance of a customer account using an Oracle data source and Hadoop data source – they would not able to use the data encrypted using available technology.

In addition, PII information often appears within comments and description fields – encryption or masking of the entire field would result in loss of important information.

More importantly, data encryption using available methods are computationally time-consuming and requires large hardware infrastructure.

Approach

The organisation identified the following solution criteria to mitigate the challenges identified during the assessment:

Autonomous detection

Leveraging a centralised library, a solution should examine all incoming data including embedded documents for the presence of PII elements. Solution should also be using machine learning techniques to classify sensitive documents present in big data repository.

Format preserving encryption

Based on the type of PII data and preference of the user, the solution should encrypt the data elements in three following three modes:

1) blind mode: it should encrypt data element if the data element matches a specific regular expression;

2) column mode: it should encrypt the content of a specific column or a field;

3) mixed mode: it should encrypt the data elements within a specific column if the data element matches a specific regular expression.

Cross-platform referential integrity

Solution must be able to retain referential integrity between records across platforms.

Big data volume

Solution should be able to detect and encrypt sensitive data in 100 GB of data in less than one hour using commodity hardware.

Data usage monitoring

Solution should be able to record and retain information all privacy data usage for audit and compliance. In addition, the solution should be able to identify abnormal data usage leveraging machine learning.

Lessons learned

Understand business and technology landscape

It is imperative to understand the current technology landscape, business practices and emerging trends. If your technology platform and domain is monolithic today – do you expect it to remain monolithic in near future. What would be the impact should you move some of your testings to a cloud platform? What about big data applications?

Evaluate risks

Assess data security risks through the lens of GDPR and beyond. In addition to the PII and protected health information (PHI), most organisations deal with a number of sensitive data that may not be associated with an individual. How to you detect, encrypt and monitor other types of sensitive data such as B2B contract information in your testing environment?

Beyond retrofitting

Define the ideal solution characteristics prior to evaluating solutions. Retrofitting a solution to meet your business needs is often time-consuming and costly.

By Angsuman Dutta, founder of Pricchaa Inc

Fintech Jobs

Intesa Sanpaolo is the eurozone’s leading bank for shareholder value creation

20th November 2024

Analysis

Lessons from the GDPR compliance journey of a large financial services organisation

READ NEXT

Leave a comment Cancel reply

Fintech Jobs

Related Content

Top stories

The hottest news this week

Media Packs

FinTech Futures Media Pack

FinTech Futures Sibos Media Pack

Webinar | 27 November 2024 | EMEA fintechs: unlock innovation with generative AI with AWS and NVIDIA

Webinar | 28 November 2024 | AI in financial services: Navigating the evolving regulatory landscape

Research report: Revenue enablement in financial services – 2024 global findings & insights

White paper: How AI is propelling innovation in financial services

Global survey report: Privacy in practice 2024

White paper: Cyberattacks in the financial services industry

E-book: The promise and peril of the AI revolution – managing risk

Report: It’s prime time for real-time 2024 – real-time payments adoption and growth around the globe

Banking Technology Magazine November 2024 issue out now

Upcoming events

Banking Tech Awards 2024

PayTech Awards USA 2024

Banking Tech Insights

What the FinTech? | S.5 Episode 21 | Taking open banking payments mainstream

Demystify Podcast: Demystifying legacy modernisation with Irene Sandler, CMO of Mechanical Orchard

What the FinTech? | S.5 Episode 20 | The future of fraud prevention – live at Money20/20 USA

What the FinTech? | S.5 Episode 19 | Driving growth and customer satisfaction in digital banking

Video: Experian at Money20/20 USA 2024 – Combining GenAI and rich data to drive innovation

Video: WorkWave at Money20/20 USA 2024 – Driving growth for field services companies

Video: Codat at Money20/20 USA 2024 – Innovation in B2B payments

Video: Form3 at Money20/20 USA 2024 – The evolution of instant payments

Video: DailyPay at Money20/20 USA 2024 – The growing demand for earned wage access

Sibos 2024 Content Hub – news and coverage from Beijing

Content Hub: Banking Tech Awards 2023 winners

FinTech Founders Video Series: how to build and run a start-up

V INVESTOR ALERT: Robbins Geller Rudman & Dowd LLP Announces that Visa Inc. Investors with Substantial Losses Have Opportunity to Lead the Visa Class Action Lawsuit

Coverdash Partners With LendingTree to Launch Its First-Ever Insurance Offering for Startups and SMBs

iCapital® Expands Model Portfolio Suite to Provide Exposure to Fast-Growing Private Companies

CSI Customer Consumers National Bank Celebrates 377% Growth Over 16-Year Partnership, Breaks Ground on 22nd Branch

Telness Tech partners with Lebara to Launch New Mobile Operator in Nigeria

Intuit Launches AI-Powered Intuit Assist for QuickBooks, Giving Millions of Businesses a Competitive Edge

Intesa Sanpaolo is the eurozone’s leading bank for shareholder value creation

Sensedia’s Open Finance Platform Recognized as API Specialist by Altitude Consulting