Like any new technology, the internet (which constantly introduces new technology) has unintended consequences….
As the internet has evolved from an information sharing medium to the center of commerce, banking, finance, and communications, it has both introduced new and more convenient consumer mechanisms and created new and more dangerous consumer threats. The necessary regulations and consumer protections are lagging in most cases and completely absent in others.
As new regulations are being developed, new technologies are also being developed to facilitate adhering to those regulations. Advanced cryptography and the firewalls around “what you need to know” enable new regulations to be met while providing flexibility in workforce and service deployment.
The European Union has been one of many jurisdictions introducing new regulations to protect privacy. The General Data Protection Regulation (GDPR) was adopted on April 14th, 2016 and became enforceable on May 25th, 2018. It is a comprehensive regulation that both defines protected personal information and regulates how it is protected and used. Compliance required in order to do business in the European Union has many facets. The four briefly described in this blog are:
- Highlights of personal protected data
- Responsibilities of protected information “controllers”
- Responsibilities of protected information “processors”
- Data residency implications
It is worthwhile highlighting how GDPR defines personal data. Article 4 defines personal data:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
GDPR also defines special classes of personal data that are prohibited from processing without specific conditions being met. Article 9 defines special categories of data:
“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
A GDPR “controller” is any entity or system that has direct access to personal data. Note that controllers are much more than this but for the purposes of personal data protection, this access is a most important factor. Article 24 of GDPR defines the responsibilities of the controller as follows:
- Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
- Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
- Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.
This could be summarized as a controller has a fundamental responsibility to protect personal data and to use it in acceptable and prescribed ways. Responsibilities and liabilities are further described in subsequent GDPR articles.
A GDPR “processor” processes personal data on behalf of the controller. The data processor is usually a third party external to the company. This could include transport of this data and the use of sub processors to perform certain functions. Adherence to GDPR regulations requires certain responsibilities from processors. Article 28 describes them this way:
- Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
- The processor shall not engage another processor without prior specific or general written authorization of the controller. In the case of general written authorization, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
- Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. “
In general terms, all requirements for data protection that are the responsibility of the controller must also be adhered to by processors and sub processors.
From a data residency perspective, GDPR does not explicitly state that data must remain resident in the country of origin or even within the EU. Note that in some cases, national laws may require this, but they are generally supplemental to GDPR. What is mandated at the EU level is that all personal data must be protected at the same level regardless of where it may reside either temporarily or permanently. Within the EU (national regulations aside) this is generally not an issue since all EU member states adhere to the GDPR regulations.
Data residency becomes more complex when services (or processors or sub-processors) outside the EU are employed. If personal information is transmitted or processed outside the EU, the local protection must be qualified to prove that it lives up to EU standards. In fact examples like the EU-US Privacy Shield which governs transfer of personal data between the EU and the US was recently (in 2020) found invalid by the Court of Justice of the European Union (CJEU). It was not found to protect personal data to the extent required by GDPR.
Given this example and the many other privacy laws being enacted at both state/provincial and national levels around the world, what can be done to simplify the exchange, verification and transfer of personal data? New technology, in the form of Zero Knowledge Networking provides mechanisms to simplify protection and extend services outside of approved regions. This is accomplished by not sharing the personal information in the first place with un-qualified processors. This has particular applications when dealing with contact centers or digital services.
In a Zero Knowledge Network (ZKN), the flow of personal information can be tightly controlled to avoid exposure to un-approved entities. For example, a contact center agent does not need any personal information to verify a caller identity. This is accomplished through a verification process within the controller’s (bank, travel service, ecommerce site etc.) environment. The agent would only get a check mark to indicate that verification has taken place. Further, the transport of the personal information from the customer to the controller is also encrypted in such a way as to make it invisible to the network transport itself.
The generalized design of a ZKN enables a plethora of transactions to take place without exposure of customer’s data. Examples include:
Payments: payment information is carried from the customer to the payment processor without ever being seen by an agent. Agent gets an authorization code when the payment is validated.
Terms and conditions: documents go directly from the controller (bank, ecommerce etc.) to the customer. The agent is only informed when the document is completed and signed off.
ID verification: ID information goes directly from the customer to the ID processor/verifier. The agent is informed if verification was successful or failed.
Document Verification: Document collection and transport directly to the controller and acknowledged to the agent upon successful completion.
Caller Authentication: all forms of caller authentication can be achieved without the involvement of the Agent.
In all cases, information is transported to the controller or the processor encrypted using public keys specific to the recipient of the data. Nothing is in the clear or can be “seen” by the ZKN.
This enables tremendous flexibility in terms of agent location. Agents can be located in their kitchen, where ZKN enables a “clean Screen” environment that does not expose personal data to the agent. They could alternatively be located in lower cost regions while meeting the stringent requirements of regulations like GDPR.
For more information, demos, videos etc, I would encourage a visit to www.JourneyID.com.