To continue our regtech focus, we spoke to Frans van Buul from Amsterdam-based regtech and Holland Fintech member, AxonIQ. AxonIQ last week released their GDPR compliance module, which seeks to solve the paradox between the need to record data for compliance reasons and the upcoming right to erasure in GDPR Article 17.
AxonIQ has multiple products, one of which is an open source event sourcing software framework. This product has been downloaded more than 500.000 times. Its commercial products are an event sourcing data storage module and the new GDPR module. Event sourcing conceptually views events as ‘immutable and un-deletable.’ This approach is extremely practical for compliance because it is impossible to alter events, meaning that an auditor can completely trust the data.
Van Buul noted that GDPR awareness is high, but that there is some confusion surrounding when it will come into force. ‘We have already had the two year transition period to compliance,’ said Van Buul, ‘so on May 25, the EU regulation will enter into force completely.’
Due to confusion around the transition period, some companies have not begun to adjust towards compliance. This means that there will be increased demand for GDPR-compliant modules and software as companies scramble to prepare.
Interestingly, Van Buul mentioned a ‘paradox’ in compliance. He is referring to the conflict between storage and erasure. Compliance frameworks increasingly demand that companies provide data on their actions to prove compliance. With the GDPR and other incoming legislation, ‘it is very important to store all events and to have a very clear audit trail,’ emphasised Van Buul. However, this is at odds with the mandatory erasure rights created by Article 17 of the GDPR. AxonIQ has identified this conflict and has developed their GDPR module to solve potential compliance problems.
We asked Frans van Buul what he thought of the GDPR: ‘When I first read it, I contrasted it with the 1995 privacy law, and noticed that the changes are actually quite limited.’
‘The fact that people are talking about the GDPR as a new thing probably has commercial interest to sell products, but also points to the fact that companies were never compliant with the 1995 directive. Attention is heightened now due to the spectacularly high fines.’
Van Buul explained that the basic privacy principles in the 1995 directive are still relevant. The purpose limitation for processing of data, the need to adequately protect data and recognition of different data categories (the idea that data concerning health or political beliefs are more sensitive than a phone number) are the same as the old legislation.
‘One thing that strikes us at AxonIQ as a tool vendor is that the GDPR is technology neutral. Again, that’s not a new thing. The prior privacy was also technology neutral. This is a very good thing and is also very understandable because the life cycles of legislation are much longer than technology hype cycles. We don’t want legislation to be fixed to particular technology choices.’
‘As a regulator, the main development I would like to see is just increased compliance; people taking compliance more seriously.’
Changing identity of regtech
Using technology for compliance is not new. What is different is how big data and more powerful computers are allowing us to integrate systems and make the process much more efficient. Older GRC and anti-fraud software are being combined so that information as to compliance is processed together.
‘Regtech will definitely blossom. The complexity of the legislation and the number of regulations is increasing so rapidly that it will be impossible to stay compliant without using technology for compliance.’
Van Buul predicts that event sourcing will become more popular in the future and be used more broadly across different industries because of how it allows companies to adopt regtech. Companies need applications and digital processes which permit regtech to gather the necessary data to ensure compliance.
The payments sector has always conceptually structured storage of data as a sequence of transactions. This is a great basis for adopting regtech because the company can look into those transactions to ensure they are compliant with any law. ‘In contrast, other business domains outside of actual payments, for instance CRM systems or order management, it is not that common yet to store data in such a form. Instead, these companies often create updates on data meanwhile losing a lot of history which is crucial for assessment of compliance, with or without regtech.’
‘My main prediction is that we will see event sourcing used much more widely than it is now to act like a precondition for regtech.’
By Grace Appleford, Research Analyst at Holland Fintech.