The internet is not free; it costs money and runs on your data. This monetizable data comes with some limitations.
After the withdrawal of the earlier Personal Data Protection Bill, 2019 (“PDP Bill”), the Ministry of Electronics and Information Technology has released a new Digital Personal Data Protection Bill, 2022 (“DPDP Bill”), which adopts a simpler approach to handling ‘personal data’ than its predecessor. While the government claims the bill will protect personal data, its fine print hides other implications. The DPDP Bill covers several key principles pertaining to lawful usage of personal data, limitation on collection of personal data, data minimisation, data storage, and accountability of the person processing personal data. It seeks to create a relationship of trust between individuals and the entities processing their data, but it also goes several steps further.
Proposed Data Privacy Law and Fintech:
The Digital Personal Data Protection Bill (DPDP Bill) proposes to put in place stringent security standards on how companies store and dispose of IP or any other vital information they may possess. The bill seeks to protect the personal data of Indians from misuse by providing a legal framework and strict penalties for non-compliance. This move has piqued the interest of the Indian fintech market, as well as of international agencies and multinational corporations.
The Data Protection Board of India (“Board”) is a new authority that will be responsible for enforcing the provisions of the DPDP Bill. The composition of the Board will be specified at a later stage. It will operate as an independent body and function in a manner that is “digital by design”. The Board has the power to impose financial penalties of up to INR 500 crore in each instance if it determines that non-compliance by an individual or entity is significant in nature.
Fintech Industry use cases for Data for reducing friction and improving CX:
Fintech companies are providing an increasing number of services to customers (neobanks, personal finance managers), to banks (video KYC services, payment aggregators), to other companies like merchants (risk management services, customer lifecycle management), and even to other fintech companies (credit scoring, analytics).
Consent, Propagation and Privacy of Data
The PDP Bill will now bring in similar data protection requirements, requiring:
Inadequate customer consent: A consent and preference policy allows the business to track where and when consent is required and obtained, building trust with the consumer while allowing the business to market according to what the consumer wants to receive and how they want to receive it. The cookies that customers accept must have a purpose and a timeframe. They are not free tokens that can be passed on between stakeholders at will.
In a world where trust is in short supply, getting privacy, consent, and data right is critical. The challenge for most marketers is that consumers are still willing to trade personal information if they see a benefit.
Sharing of plain-text data: Data is the world’s most valuable and vulnerable resource. It can either make or break the business, depending on how well it is managed and used.
With consumers placing more responsibility on organisations to protect their data, reputational damage is common after a breach. It’s not just personal data that is violated—consumers rightfully feel the trust they had with the organisation has been violated too.
Cyberattacks commonly target resources stored in plaintext. Many attacks succeed by uncovering files that hold passwords or other sensitive information in plaintext rather than encrypted.
It is critical to have well-documented data stores and processes to ensure they are used correctly. This includes both owned data and third-party data, both of which must be kept securely.
It is also important to know how that data is received and shared, as well as your retention and access policies. Knowing the rules across the life cycle of data is critical as far as compliance is concerned.
Enabling the exercise of principal data rights like the right to access or portability: Personal data of the data principal can only be processed upon receipt of explicit consent. The consent must be free, specific, clear, capable of being withdrawn, and, most importantly, informed.
It is the obligation of the fintech entity to give a notice to the customer at the time of collection of the personal data, specifying several crucial details such as the purpose for which the personal data is being processed, the right of withdrawal of consent, etc.
The key rights of data principals are confirmation and access to information, correction and erasure, the right to be forgotten, portability, and grievance redressal.
Data fiduciaries—that is, persons who alone or in conjunction with others determine the purposes and means of processing personal data—are obliged to provide data subjects with information notices about processing activities.
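To make the consent points above concrete (consent is tied to a purpose and a timeframe, is not a token that can be reused for any purpose, and can be withdrawn), here is an added illustration that is not from the article or any vendor's product: a small Python consent ledger that gates processing per purpose, denies by default, and records every decision as an audit trail. The principal ids, purposes and dates are constructed sample values.

```python
"""Purpose-bound, time-limited, withdrawable consent records (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed reference time and unit for the sample checks below.
T0 = datetime(2023, 1, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)

@dataclass
class Consent:
    principal_id: str
    purpose: str                 # the specific purpose notified at collection
    granted_at: datetime
    expires_at: datetime         # consent is time-limited, not open-ended
    withdrawn_at: Optional[datetime] = None

@dataclass
class ConsentLedger:
    consents: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # every grant, withdrawal and decision is logged

    def grant(self, principal_id, purpose, days_valid, now):
        c = Consent(principal_id, purpose, now, now + timedelta(days=days_valid))
        self.consents.append(c)
        self.audit.append((now, principal_id, purpose, "granted"))
        return c

    def withdraw(self, principal_id, purpose, now):
        for c in self.consents:
            if c.principal_id == principal_id and c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = now
        self.audit.append((now, principal_id, purpose, "withdrawn"))

    def may_process(self, principal_id, purpose, now):
        """Return (allowed, reason). Deny by default: a missing record never permits processing."""
        reason = "no consent on record for this purpose"
        for c in self.consents:
            if c.principal_id != principal_id or c.purpose != purpose:
                continue   # consent for one purpose does not carry over to another
            if c.withdrawn_at is not None and c.withdrawn_at <= now:
                reason = "consent withdrawn"
            elif now >= c.expires_at:
                reason = "consent expired"
            elif now < c.granted_at:
                reason = "consent not yet effective"
            else:
                self.audit.append((now, principal_id, purpose, "allowed"))
                return True, "consent valid"
        self.audit.append((now, principal_id, purpose, "denied: " + reason))
        return False, reason
```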
Revamping contracts to specify controller-processor obligations, purposes, and erasure periods: A data processing agreement, or DPA, is a legally binding contract between the data controllers and processors that lays out the scope, purpose, and relationship between both parties.
Controller-processor obligations include implementing appropriate technical and organisational measures to protect the security of data, including encryption and pseudonymisation of data where appropriate, the capability to ensure data confidentiality, integrity and resilience, and a process for regularly testing, assessing and evaluating those security measures.
Creating data passports and data embassies: A data embassy is a solution implemented by nation states to ensure a country’s digital continuity, with particular respect to critical databases. A data embassy is an extension of the government in the cloud, which means the state owns server resources outside its territorial boundaries. This is an innovative concept for handling state information, since states usually store their information within their physical boundaries. Data embassy resources are under state control, secured against cyberattacks or crisis situations, and capable not only of providing data backups but also of operating the most critical services.
Data passports allow extending the encryption technology that used to be available only on physical servers to cloud computing. Each piece of data in the cloud has a passport assigned to it, and with the passport, you can verify if the data is misused or if the passport is still valid. This is an important tool in the hands of consumers to check and verify data leakages.
Building the right to forget into the fintech system for the customers: A person must be given the right to have their personal information removed from corporate databases. This poses an issue because fintechs and NBFCs may be required by other statutory laws to store the data for a longer period. In case the data principal exercises the right to be forgotten, the same will have to be complied with since the bill prescribes an overriding effect.
Complete audit trails and transparency of the data being used: Audit trails maintain a record of system activity, both by system and application processes and by user activity on systems and applications. Fintech entities along with other data fiduciaries must have privacy by design, which means:
- The managerial, organisational, business, and technical systems designed to anticipate, identify, and avoid harm to the data principal;
- The obligations of data fiduciaries;
- The technology used in the processing of personal data is in accordance with commercially accepted or certified standards;
- The legitimate interests of businesses, including any innovation, are achieved without compromising privacy interests;
- The protection of privacy throughout processing, from the point of collection to the deletion of personal data;
- The processing of personal data in a transparent manner; and
Data protection compliance – audits by authorities like the DPO: Measuring, assessing, and reporting are integral and continuous parts of our data protection officer service and are essential parts of ensuring that your data protection programme is effective. This places additional compliance obligations on the part of fintech entities that are notified as significant data fiduciaries. The DPO is supposed to be responsible for monitoring the personal data processing activities of the data fiduciary, advising, doing impact assessments, advising on system development, and handling grievances.
Data classification norms (SPD, NPD, PII, etc.), including anonymization of data for specific use cases: Data needs to be classified as confidential data, non-confidential data, and personally identifiable information. How do we classify data? Within an organisation, we have to agree to a common norm and store this information according to the norm.
OLAs and penalty arrangements between multiple stakeholders in a fintech transaction: There can be multiple parties involved in a fintech transaction. All have certain roles to play and certain SLAs to adhere to for the end customer, which is very important. Also, extremely important are the individual operating agreements between the data fiduciaries and data processors.
Deep coordination between multiple regulators is required for data regulation (IRDA, NHB, RBI, and SEBI): There are multiple regulators for various things in the finance and non-finance worlds, and each of these regulators has its own data requirements. The SPDI Rules, RBI, IT Act, IRDAI, SEBI, NHB, PSS Act, AML Act, and Credit Information Companies Act have to be synchronised for fintech entities to adhere to all the data privacy requirements.
Big tech in fintech and data law:
While developing business models here, big tech companies need to take into account that they no longer have free rein over data. The bill brings in restrictions like data minimization and purpose limitation, which impose restrictions on, say, the types of data that can be collected, how long it can be stored, and the purposes it can be put to. Consent will often be required as a basis for processing, and even where it is exempted (say for state activities or as a reasonable purpose), notice will still need to be provided to data subjects.
The data breaches that are happening, such as the recent HDB Finance customer data leak, are grim alarms to act fast and implement controls. Otherwise, it is the common man whose personally identifiable data will be at stake, and the nature and occurrence of digital fraud will increase over time. This will also lead to the mis-selling of financial services.
Rohit Kilam, CTO at CMS Info Systems
CIO News, a property of Mercadeo, produces award-winning content and resources for IT leaders across every industry through print articles and recorded video interviews on topics in the technology sector such as Digital Transformation, Artificial Intelligence (AI), Machine Learning (ML), Cloud, Robotics, Cyber-security, Data, Analytics, SOC, and SASE, among other technology topics.