Following the success of the Data Protection in the Financial Services Sector conference, last October in central London, Michiel Willems spoke to one of the key speakers, Alfredo Della Monica, Counsel at American Express and responsible for the company's data protection issues in Europe, Africa and the Middle East.
Alfredo, what are the biggest challenges financial institutions are facing at the moment?
The transfer of transaction data is certainly the key issue. For example, the SWIFT case a few years ago raised the attention of all the relevant stakeholders. More broadly, the economic backdrop in many markets makes for a particularly challenging operating environment.
Financial services firms operate, increasingly, across borders and jurisdictions. Is it still possible to control which data flows where and which laws govern what information?
Certainly, it is quite difficult, but it is possible to establish appropriate controls. In my view, if you really want to manage data protection in your firm, you have to think 'what, where, how' about your data every single day.
What are the main practical issues the industry is facing at the moment in relation to data transfers?
The length of the binding corporate rules (BCRs) process, as well as the impracticality of the standard contractual clauses.
Can you tell us a bit more about model contracts and BCRs? What is their importance - from a data protection point of view - for the industry?
Model contracts would be the preferred solution but they are unmanageable, as you need one model contract for each transfer and one model contract for each controller/processor. That would mean millions of model contracts if you are a global company. The BCRs are therefore the only real solution, but it would be helpful if the authorities could speed up the approval process. This may encourage firms to go for this option.
I believe that a strong compliance program would be enough to monitor the different regulatory requirements in all the relevant jurisdictions. And, most importantly, I would suggest setting a baseline of standard requirements, having in mind the provisions of the EU Directive as many countries in the world adopt those as standards.
Why are banks and other financial institutions regularly in the news regarding data breaches and issues with data management?
This is an issue which affects all companies entrusted with customer data, particularly in today's digital economy. That is why the proposals being drawn up by the European Commission are so important, and why the industry must work together with regulators to achieve a framework which helps consumers while also being workable for businesses.
Do you think cloud computing has added an interesting dimension to the data protection debate?
It could, but in practice it is still too early to comprehensively evaluate the implications of cloud computing.
The responsible management of customer data should be good business practice for all companies. Regardless of how a sanctions regime is structured, it should not be a primary motivator for organisations to act as responsible data custodians.
Many thanks for your time, Alfredo.
Thanks for the opportunity.
Michiel Willems © 2012 CP Publishing Ltd. London, UK. Picture: CP Conferences 2011.