Following the success of the Data Protection in the Financial Services Sector 2011 event, in central London, on 12 October, Michiel Willems spoke with one of the key speakers, Alfredo Della Monica, Counsel at American Express and responsible for the company's EMEA data protection issues.
Mr Della Monica, what are the biggest challenges financial institutions are facing at the moment?
The transfer of transaction data is certainly the key issue. For example, the SWIFT case a few years ago raised the attention of all the relevant stakeholders. More broadly, the economic backdrop in many markets makes for a particularly challenging operating environment.
Financial services firms operate, increasingly, across borders and jurisdictions. Is it still possible to control which data flows where and which laws govern what information?
Certainly, it is quite difficult, but it is possible to establish appropriate controls. In my view, if you really want to manage data protection in your firm, you have to think 'what, where, how' about your data every single day.
What are the main practical issues the industry is facing at the moment in relation to data transfers?
The length of the binding corporate rules (BCRs) process, as well as the impracticality of the standard contractual clauses.
Can you tell us a bit more about model contracts and BCRs? What is their importance - from a data protection point of view - for the industry?
Model contracts would be the preferred solution but they are unmanageable, as you need one model contract for each transfer and one model contract for each controller/processor. That would mean millions of model contracts if you are a global company. The BCRs are therefore the only real solution, but it would be helpful if the authorities could speed up the approval process. This may encourage firms to go for this option.
What is your advice to banks and financial services firms on deciding between model contracts and BCRs?
I would definitely recommend going for BCRs.
When financial services businesses operate internationally, or globally, how should they manage the different regulatory requirements?
I believe that a strong compliance program would be enough to monitor the different regulatory requirements in all the relevant jurisdictions. And, most importantly, I would suggest setting a baseline of standard requirements, having in mind the provisions of the EU Directive as many countries in the world adopt those as standards.
Why are banks and other financial institutions regularly in the news regarding data breaches and issues with data management?
This is an issue which affects all companies entrusted with customer data, particularly in today's digital economy. That is why the proposals being drawn up by the European Commission are so important, and why the industry must work together with regulators to achieve a framework which helps consumers while also being workable for businesses.
Do you think cloud computing has added an interesting dimension to the data protection debate?
It could, but in practice it is still too early to comprehensively evaluate the implications of cloud computing.
What is on your wish list for the review of the Data Protection Directive (95/46/EC)?
A clear position on the transfer of data; official recognition for BCRs; and more guidance on new technologies (e.g., cloud, geolocation data).
Do you believe that the sanctions for mismanagement of data are strict enough?
The responsible management of customer data should be good business practice for all companies. Regardless of how a sanctions regime is structured, it should not be a primary motivator for organisations to act as responsible data custodians.
Many thanks for your time, Alfredo.
Thank you for the opportunity to contribute here, and I look forward to continuing to engage in the debate.
Alfredo Della Monica can be reached at firstname.lastname@example.org