The level of control that consumers have over of their own data has been an issue hotly debated in the digital world since the advent of the Internet. It’s especially prevalent today as increasing concerns and questions are voiced about how citizens’ personal data is accessed and by whom.
Keeping data safe is crucial in financial services. Without customer trust and belief that you can keep their sensitive financial information protected and safe-guarded, the entire relationship unravels. Data and privacy have also been on the minds of regulators in recent years, which have passed and will pass new statutes regarding personal digital information. Top of mind for many in the financial services industry is the General Data Protection Regulation (commonly referred to as GDPR). This law, which will take effect on May 25, 2018, is “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy,”according to the law’s website.
And this doesn’t apply to just EU-based firms – any company with customers that are EU citizens must comply. Among the things GDPR requires is that companies provide clients with full access to data about themselves, and that they have the technical ability to erase all customer data at the customer’s request.
What Does This Mean for Your Business?
Meeting new standards such as these can be a problem for banks and other companies running multiple legacy systems. According to one expert it’s proving to be difficult “to reconcile how the data flows between all these different databases, even though they were made in different times, they may have different formats and the data might be called something different.”
Gutting and replacing legacy systems en masse is simply not the answer, as the cost and risk are too great. Instead, firms need to partner with technology companies that can easily integrate into their data flows, and who have “built” the regulation into their product. This means not only tokenizing all client data so it is anonymized, but also having the means to remove the end user’s information completely.
What is Privacy by Design?
Privacy by Design is an essential component of the GDPR. This concept forces organizations to consider privacy at the initial design stages and throughout the complete development process of new products, processes or services that involve processing personal data. As Deloitte indicates, the GDPR requires that privacy must be one of the ingredients of a new product or service, rather than a sauce that is added at the end. This might seem complex, but it is actually easier than applying privacy considerations after a design is fully developed. When you think upfront about what personal data you want to use, for what purpose, and implementation, it reduces the chance that you discover at a later stage that embedding privacy is technologically challenging, expensive, or even impossible.
The tech firms that can best help you meet this standard are not those who are scrambling to build these capabilities into their products now, but rather those that have been thinking about them for years. At Flybits, we followed the seven foundational principles of privacy by design as laid out since at least 2009 by information and privacy officials in Canada.
Some firms may worry that regulations such as the GDPR will prevent them from using data to offer personalized communications with customers. Luckily, that is not the case! Privacy and personalization can indeed co-exist. Firstly, this involves user experience design that puts control in the customers hand to allay fears about how data is being used. This also means more than a one-size-fits all approach, people’s ages and locations can significantly affect their willingness to share their information, so contextual privacy policies and design are necessary to meet consumers’ varying needs.
But Wait, There’s More!
GDPR is only the tip of the iceberg when it comes to data-focused regulation. The second Payment Services Directive (commonly known as PSD2) has now come into effect. The new EU directive allows individuals to share account data with third parties that they authorize, thus putting banks in a position where they are not the sole owner of customer account and transaction data. Again, like GDPR, this affects any firm that does business in Europe. And while there is no such statute in the United States, regulatory and government oversight bodies such as the Consumer Financial Protection Bureau are already looking at how consumers might share financial data.
This new reality of consumer expecting control over their data will soon be the norm. The old way of doing things, with data stored in siloed systems inaccessible to the end user, are now over. Firms need to work with technology partners that have these capabilities built into their services, and that can securely integrate all data – whether it originates in proprietary systems or from third parties – into one place that can be easily retrieved. The time for action is now.