Soon, fintech companies won’t just face compliance with current privacy laws like PCI, HIPAA, GLBA, CCPA, and GDPR. There’s a landslide of new and updated data protection laws being passed globally, including: SOFIPO (Mexico), Updated Data Privacy Act (Australia), PIPL (China), LGPD (Brazil), Amended PDPA (Singapore) and DCIA (Canada).
Complying with these laws one-by-one (a piecemeal approach) will be a huge challenge for most fintechs. Worse, a piecemeal approach results in a mess of new tools that don’t work well together. Many fintechs now realise that they need a new approach to stay in compliance while remaining nimble. That new approach is called privacy by design.
With privacy by design, fintechs can build data privacy, data security, and data residency into their architecture. And as new regulations come along, this approach will become essential to any fintech’s long-term success.
Design for Privacy from Day One
The essence of privacy by design is thinking about privacy on day one, instead of 90 days before launch. When fintechs embrace privacy by design, they go beyond current and future data privacy laws. Instead, they build effective data privacy deeply into their products. This solves the underlying problem while delivering value to customers.
Customers want fintechs to do everything they can to protect their data, not just comply with the law. Surveys indicate that if a data breach occurs, customers are more likely to blame the company than the hackers.
Go Beyond Piecemeal Approaches to Protect PII and PCI Data
Look around and it’s obvious — all fintech companies need to go beyond a piecemeal approach to data privacy. Not just because a piecemeal approach is inefficient, but because it’s ineffective.
After all, hackers are always trying to find new exploits. True data privacy requires a forward-looking approach that stays ahead of the latest exploits.
Consider the 2020 data breach at US-based fintech Dave, which exposed the personal information of 7.5 million customers. Dave had taken security measures like hashing user passwords before storing them, but those weren’t enough to protect customer data when hackers acquired the hashed passwords. This could have been avoided if they had taken a more comprehensive approach to data security that went beyond complying with laws, regulations, and industry standards.
PII and PCI Data Belongs in a Zero Trust Privacy Vault
For fintech companies especially, customer trust depends on protecting customer data. What’s the best way to protect their PII and PCI data without losing the ability to use it? A zero-trust data privacy vault is the answer.
With a zero trust privacy vault, fintechs can manage and use PII and PCI data with strong security and privacy protection. This frees them to meet critical needs like data sharing and analytics while still protecting customer data. That’s why Netflix built a zero trust privacy vault: to build trust by protecting customer data.
At Skyflow, we believe that every fintech needs a zero trust privacy vault to build with privacy by design. Fintechs can build a zero trust data privacy vault or buy one.
So, how do zero trust privacy vaults work?
Understanding Zero Trust Data Privacy Vaults
Zero trust architecture is based on the idea that security isn’t about securing a network perimeter. Designing for data security without focusing on a network perimeter means that you never trust users or devices. So, a local network device faces the same security as a remote client.
A well-designed data privacy vault needs features like access control and effective encryption to ensure usability and security:
- Fine-grained Access Control: With customer data secured in a well-designed zero trust data privacy vault, it’s easy to control who sees what, when, where, and how. So, the most sensitive data and broadest customer data queries aren’t available to employees who don’t need them — or malicious hackers.
- Polymorphic Data Encryption: Encryption at rest is required by several privacy laws, but it isn’t always sufficient. If social security numbers (SSNs) or other sensitive data are managed loosely after being decrypted, does that provide true data privacy? A well-designed zero trust data privacy vault treats each type of sensitive data differently, so fetching the last four digits of a customer’s SSN fetches only those digits, and the full SSN stays protected.
This is just scratching the surface of privacy vaults and how they can help fintechs to build with privacy by design. The new privacy laws landslide is coming, and leading fintechs are preparing for these new laws by building zero trust privacy vaults, or buying them.
Learn about how Skyflow approaches zero trust when building the world’s first data privacy vault delivered as an API.