This is Part 2 of a two-part series on data privacy and its impact on digital lenders. Part 1 explores the current and proposed legislation around data privacy in India.
Digital lending has witnessed unparalleled growth in India owing to lower origination costs, higher customer-centricity, better user experience and favourable market conditions.
With this paradigm shift, lenders are interfacing with more data than ever before and must prepare for upcoming data privacy legislation.
The following recommendations will help digital lenders stay compliant with existing and upcoming data privacy laws and regulations.
1. Explicit Consent Communication
Consent must be freely given, specific, informed and unambiguous for processing of personal data. — EU GDPR
Digital lenders must focus on the following aspects of consent communication:
Free: There must be no fee or charge for accepting or denying consent.
Affirmative action: Consent should be requested only after an affirmative action by the user, such as pressing a button or issuing a voice command. It should not be presented to users out of context.
Specific: The consent request should name the exact data points to be collected.
Clear: Consent communication should be unambiguous and concrete, not abstract.
Informed: The customer must be told the intended use of the data.
Revocable: The customer must have the option of withdrawing consent and stopping data collection.
3. Third-Party Partnerships
Being data fiduciaries, digital lenders must partner only with third parties that maintain the highest standards of data security and privacy.
Maintaining data privacy requires the highest standards of information security, so lenders must evaluate the information security practices of their partners. The hygiene factors a third party should meet for a compliant partnership are:
Compliance with ISO 27001 or a similar certification
Servers hosting customer data located in India
Encryption of data at rest and in transit
Tokenization of sensitive data
Defined incident management and business continuity plans
A data backup and recovery process
FinBox is an ISO 27001-certified technology product company working with banks and NBFCs (non-banking financial companies) to digitise their customer journeys and to help them underwrite new-to-credit (NTC) customers using alternative data from the smartphone.
We have created a checklist for evaluating third-party vendors on data privacy and information security standards. Please fill in the form to have your copy mailed to you.
Please feel free to reach out to me at firstname.lastname@example.org for a discussion on data privacy and digital lending.