Reports of data and consent breaches need industry and regulatory attention
The month of March saw data protocols take the top position as a key challenge for financial inclusion. On the one hand, we have service providers eager to utilise customer data - the Digital Lenders Association of India, an industry body of online lenders and non-banking financial companies, requested the finance ministry for additional access to user data from telecom, banking and GST return filings to enable them to underwrite loans efficiently (Mint, March 7, 2018). On the other, we have cases of data/consent breaches reported for Aadhaar (Business Today, March 19, 2018) and Facebook (Financial Express, March 23, 2018). While a data protection and privacy law is being formulated in India, and the Supreme Court is presently hearing the PILs against Aadhaar, at Indicus we believe that regulation is necessary but not sufficient - service providers must honestly face up to the possibilities of data and consent breaches by third parties. Here, CGAP’s survey last year of 26 innovative and data-centric financial services providers in emerging economies gives some clear insights for industry and regulators (Data Privacy and Protection – Providers Share Their Perspectives, CGAP, March 27, 2018).
The way forward, therefore, calls for more discussion and coordination between regulators and industry: a) regulators must understand that service providers do recognize the risk to their business from relying on a third-party source for data and are keen to obtain data directly from consumers, but that communicating to customers about privacy does not rank highly on the list of priorities for service providers; b) given the cross bundling of financial services now, inter-sector regulatory coordination is a must, to set up principles for data sharing and standardization, which would allow new business models based on third-party data to operate responsibly; and c) there is a need for regulatory and industry guidance on best practices in information security and privacy, including data retention.