We have all done it at some point in our life - filled the car (inevitably the hired one or the borrowed car from a relative) with the wrong fuel. Once you start the pump it is too late and the journey you planned has been scuppered.
The fintech sector relies heavily on a fuel of a different kind - data. And just like a car, the right or wrong data can make or break the success of a start up. This is especially true where the data contains personal information (and many fintech propositions aim to add value and insight through access to customer account data and behaviours). The wrong data running through the application can bring with it costly consequences, especially from next year when data protection laws undergo a coming of age through the General Data Protection Regulation (“GDPR”).
Typical headlines about the GDPR are usually related to the onerous obligations and substantially higher penalties. While this may scare some into action what needs to be recognised is how the GDPR will provide an invaluable standard for fintechs to benchmark what they do. The GDPR provides a very clear framework upon which to base development and commercialisation of new technology in a way which builds consumer trust and confidence.
The GDPR expects technology developers to think about “privacy by design and default”, rather than as an afterthought. Use of personal data should be minimized wherever possible in processing. There is an emphasis on moving away from hoarding data to being more selective.
Planning for privacy is required for high risk technology through the requirement to prepare “Privacy Impact Assessments” which document the risks of processing and the measures to be taken to safeguard personal information. In the fintech world, it is likely that any processing of financial information relating to individuals would be high risk given the perceived risks should security be affected.
Considering privacy at the outset and minimising personal information to that which is strictly needed goes a long way to limiting risk in a business, particularly in the case of security breaches. However, putting privacy first also builds consumer trust and confidence. The law requires that consumers are made aware of what is happening to their data in detail through notices. These notices can be used a badge of honour if privacy is taken seriously. Consumers will be much more interested to know how their information is being used when it comes to their finances.
And the journey for fintechs is about to get a whole lot more interesting! Stage 2 of the Competition and Markets Authority (CMA) UK Open Banking initiative due to go live early next year, combined with the impact of Payment Services Directive 2 (PSD2), is going to open up customer account data like never before.
Starting a journey with the right privacy principles embedded in the culture of the business can ensure longevity and success. Nobody wants to have to go back to the garage to flush their tank when it goes wrong and it’s much harder to go back to the start when many miles away from home. Even nozzles and fuel caps have thought of the risk first with colour coding to make you think twice before you reach for the wrong pump! The same “think twice” attitude now goes for privacy in the new era of data protection compliance.
- Ross McKenzie is the Head of Privacy at Burness Paull LLP advising a range of clients on compliance with privacy and data protection rules including the General Data Protection Regulation.