[Note: This article was updated on 18 December 2017 to include a link to the report by Privacy International.]

To better understand how much value individuals place on their data, Kaspersky Lab created a London pop-up store where merchandise could only be bought by parting with personal information (e.g. three photographs from the individual’s phone or their last five WhatsApp conversations). 

The Data Dollar Store was perhaps part social experiment and part marketing gimmick, but seeing this is slightly uncomfortable for those of us (probably almost all of us) who have given up trying to interpret the legalese in the terms and conditions of use and consent to sharing our data with little forethought. 
At insight2impact, we are excited about the possibilities that data innovations present, but while technology has made it easier for organisations to harness personal data, concerns about data privacy are growing. Financial service providers (FSPs) looking to take advantage of these data innovations may find navigating appropriate consumer protection and responsible data use tricky. 

These issues are receiving increased attention, in part because 2018 will see the enactment of both the General Data Protection Regulation (GDPR) and the revised Payments Services Directive (PSD2) in the European Union. Both will have significant implications for the way customer data is stored and managed, and the potential consequences for FSPs are being debated beyond the EU. The judgement in the Puttaswamy versus Union of India case, which upheld the right to privacy in the face of the Indian government's efforts to build a national database of personal identity information, has also generated debate. 

The topic warrants serious consideration. This article is not intended as a comprehensive guide but rather as a round-up of some useful resources or interesting reading on the matter.

EU regulations and the co-existence of customer privacy and data sharing. Does the data privacy enshrined in the GDPR contradict the push for open banking and application programming interfaces (APIs) covered in PSD2? This blog suggests the two regulations may be on a collision course. Read The data balancing act for some brief comments on the apparent contradiction and its relevance for FSPs. 

Regulations on data protection in Africa. Deloitte lists 17 countries in Africa that have enacted personal data protection legislation. The report highlights these countries and outlines some of the common themes in the legislation. It also mentions which African countries have imposed restrictions on cross-border data sharing and suggests that the adoption of a GDPR standard may be the most appropriate response by some organisations. 

Regulations in other developing countries. If you’re entering a new market in Asia or Latin America and want an overview of the applicable regulations, have a look at the Evans School Paper on digital financial services’ consumer protection regulations in 22 developing countries (including several African countries). Note that the paper was published in March 2016 though and consumer protection here extends beyond data-related issues and incorporates factors like transparent pricing. 

Assessing your organisation’s adherence to client protection principles. Although targeted more generally at microfinance institutions rather than specifically at digital FSPs, the Smart Campaign has numerous resources relating to client protection. A useful starting point would be its Guide to Client Protection Assessments

Making it practical – Are typical digital financial services user agreements adequate? A review by the ITU highlighted common consumer protection shortcomings in the agreements created for the users of digital financial services. Even if your organisation wasn’t included in the review, a glance at the shortcomings highlighted in the report will prove useful to those FSPs designing or revising their agreements. 

Data-intensive financial services - What do fintechs mean for data privacy? A recent report by Privacy International argues that fintech innovations should be subject to greater scrutiny given the implications for digital identity and individual privacy.

Shift towards open banking and APIs. Financial sector innovation has resulted in increased awareness by banks that they won’t necessarily “own” the customer in future and that, increasingly, financial services are often just one part of a broader digital ecosystem. This McKinsey article on data sharing and open banking explains different types of APIs and explains why data sharing can be beneficial to banks and their customers.  

Benefits of sharing data with consumers of digital credit. Sharing information with consumers can be powerful. CGAP and M-Kopa tested a system that allows M-Kopa customers in Kenya access to their credit histories. The study found that when consumers were given access to this information, they were likely to take up more credit and were more likely to repay loans in full. 

A framework for a consumer-focused data-sharing ecosystem. Although CSFI is primarily concerned with consumers in the USA, its suggested principles and practices on data sharing are universally applicable. “The framework represents a first step in achieving CFSI’s vision for a data-sharing ecosystem that enables consumers to safely access and control their financial data, is inclusive of smaller financial institutions and fintech providers, and engenders trust among consumers, providers and the broader financial system.”

Beyond financial services – the data revolution in Africa. The African Data Revolution Report by the UNDP highlights statistical data but also references other forms of data and may be of interest to those wishing to read more broadly on subject. 

Please note that sharing links to publications that are not authored by i2i does not constitute official endorsement of or agreement with the content contained in those links.