Financial services customers have made it clear: they want personalization. Financial institutions need to respond and push forward with personalization, and to do this, they need data. But they also need to do personalization responsibly, which can be accomplished by understanding privacy regulations and data best practices.
Many nations are developing or implementing privacy legislation that is similar to the EU’s General Data Protection Regulation (GDPR), and this evolving patchwork of privacy laws will continue to challenge how organizations interact with customers, citizens, and employees. Fortunately, we see a great deal of commonality in the emerging regulations and having a flexible privacy framework is therefore wise for global businesses.
The digital footprints of consumers and financial institutions are increasing rapidly. In fact, due to the advent of COVID-19, we are seeing more remote workforces and homebound consumers conduct business through digital channels. As a result, privacy laws need to ensure the personal data collected and processed through a firm’s network are appropriate for its use and are handled in a legal and secure manner. With the GDPR in Europe and the California Consumer Privacy Act (CCPA) in the US, we are also seeing an increase in data-breach litigation, where laws allow for a private right of action. This is critical, as data breaches can be detrimental to a company’s existence.
Financial-services companies increasingly see themselves as technology companies in the digital domain. To drive personalization, they must collect far more personal data, process larger data sets, and derive actionable insights to improve their product offerings and stay competitive. This requires mature data-management functions and good quality data, combined with privacy-by-design thinking and implementation of privacy and security controls.
What is the role of data protection?
Personalization doesn’t just come from the sharing of additional personal data; it also comes from analyzing behavior and patterns derived from business transactions. Whether the personal data is processed as zero-party (personal data collected directly from the consumer) or combined and processed with third-party (data collected by other companies) and internal data sources, different levels of privacy and data protection may need to be applied. Extracting insights safely and legally is what enables a firm to be a leader, and strong data compliance is essential.
Industry best practices and approaches to data-protection compliance
Data privacy compliance is multi-faceted, and this chart represents our view on how to make it happen by highlighting needed technology capabilities and investments. You could use this chart as a checklist to view your data privacy compliance efforts from different points of view. It applies to new or existing transformation programs. The labels provide additional dimensions for functional positioning:
- Left of the Privacy rights and Analytics axis steers us towards the frontline business areas and digital areas where the consumer interacts directly.
- To the right is weighted towards Compliance, considered a second line of defense.
- Below the Digital and Compliance line refers to those using analytics for business intelligence and revenue growth.
- Staying above this line moves towards Data privacy and legal-basis territory.
When establishing an enterprise-level privacy program, firms should invest in privacy controls and technology wisely. Main considerations should include:
- Identifying and including the stakeholders who own the data and those accountable for its use.
- Setting up a data discovery and classification program to identify where personal data is processed. Consider automation for better governance and control with scanning tools.
- Defining reusable data-centric privacy control capabilities across the organization. For instance, implement a central data subject access request portal solution for multiple jurisdictions, and automate it with scanning.
- Improving the customer experience and performing safe analytics on your customer data platforms. Making sure consent preferences are centrally adopted for zero-party control, enabling a 360-degree consumer view. Also, preventing data leakage across the customer digital journey by reducing the number of breaks in links for better personalization in high-touch scenarios.
- For machine learning and AI in analytics, identifying appropriate use cases where various methods can be applied to explain the input variables used and impacts to targeted consumers. Ensuring individuals understand when automatic decision making impacts them.
- Being aware of changing regulations and working with legal to identify and forecast potential operational impacts with data stakeholders, and assessing and designing for features common across regulations before their effective dates.
- Making sure to know a consumer’s identity. Exploring automation and integration of customer identity management to reduce operational impact. This prevents fraud and reduces the risk of unauthorized disclosure of sensitive information.
- Understanding requirements and assessing technology tools best suited to the firm’s blueprints.
- Reassessing access controls and operational impacts to the workforce from COVID-type events. Identifying technologies and tools enabling firms to quickly respond and position themselves for a rebound during prolonged work-from-home conditions.
Data privacy compliance is complex, but it is essential, especially now, as customers are asking for both personalization and strong security. As we all re-invent new working styles in the age of COVID-19, data privacy should be at the top of everyone’s minds.
I hope you enjoyed reading this blog post. Remember to stay safe, stay connected and look after yourselves.