A Six-Ingredient Recipe for Data Protection

In May 2018, Europe’s landmark privacy regulation will come into effect and replace the 1995 Data Protection Directive, which was developed during an era when data played a fundamentally different, and smaller, role in our daily lives. Designed to harmonize data laws across the European Union, the regulation increases penalties, strengthens consent processes, mandates immediate notifications of data breaches (not four months or one year later), introduces data portability and integrates privacy-by-design principles like data minimization.

While data breaches — such as the Equifax and Uber hacks — in high-income countries and responses like Europe’s new privacy regulation dominate the news, data protection is also emerging as a major issue in lower-income countries, where people are leaving ever-larger digital footprints. The question of how development partners can help these countries protect citizens’ data is becoming more important by the day.

Last year, CGAP developed an analytical framework to assess privacy and data protection regulatory regimes in countries and identify potential weaknesses. CGAP carried out a landscaping exercise using this framework in 10 diverse countries to gain a better understanding of what protections are currently in place and how regulatory regimes differ across the globe. The landscaping covered Brazil, Costa Rica, Ghana, India, Kenya, Nigeria, Russia, South Africa, Tanzania and Uganda.

We used the following six regulatory components to structure our landscaping. These building blocks provide a basic framework that consumer advocates and development partners can use to evaluate a country’s regulatory regime for data protection in financial services.

1. Does the country's constitution protect citizens’ privacy? An assessment should begin by looking at a country’s constitution. Yet a constitutional principle in and of itself does not guarantee that a robust data protection regime will develop. This depends on how legislators and policy makers translate general principles into regulation and enforcement. It also depends on how the courts apply constitutional privacy rights.

2. Is there a legal and regulatory framework for data protection? Next, the assessment should study the country's legal and regulatory framework. Does the country have specific regulations concerning data protection, information and communication, anti-money laundering or credit bureaus? All 10 countries in CGAP’s landscaping exercise have regulations on credit bureaus and anti-money laundering. Regulation on personal data protection and electronic information varied more widely.

3. Which regulations apply specifically to financial services providers (FSPs)? Here, we are interested in rules that govern how FSPs can collect, use, share and retain data on their customers. Different countries define FSPs differently. Thus, some financial regulations may apply only to banks and not to mobile network operators. The reverse could be true regarding regulations coming from an information and communications authority. It is also important to distinguish between types of data that are collected. Regulation — including notification, consent and minimum data retention rules — often varies depending on whether the data are related to know-your-customer (KYC) requirements or credit reporting. One area that may require clarification in many jurisdictions is what information-sharing rules apply in cases of outsourcing and across affiliate companies.

4. Who’s responsible for creating and enforcing regulations? It is also important to identify the relevant regulatory and supervisory authorities and to understand the boundaries of their mandates. Since data protection and privacy issues affect a range of regulated and nonregulated providers across sectors, these issues are likely within the purview of more than one authority. Relevant entities include data protection authorities, financial sector regulators, information and communication authorities and consumer protection agencies. Beyond mapping the institutional arrangements, it is necessary to determine which entity has ultimate authority over which types of data protection issues. In some countries, regulations may clearly delineate each authority’s mandate. In others, the lines may be much blurrier. In jurisdictions without a data protection or privacy commissioner, the assessor should be on the lookout for regulatory gaps.

5. Is there capacity to enforce regulations? A regulatory assessment is not complete without exploring the capacity for enforcement and supervision, since an effective data protection regime requires a skilled and well-resourced enforcement function. While supervisors need rules and standards against which to measure market conduct, outcomes will ultimately depend on their capacity to implement those standards.

6. Do consumers have control of their own data? Finally, the assessment should turn to consumer rights. Can consumers access, challenge, correct and erase data that have been collected on them? Rules on consumers’ rights vary depending on which type of provider holds the data. A specific area of interest, of course, is credit bureaus. These are special entities, and most countries have specific, consolidated regulations concerning how credit bureaus can collect, retain and share information. As part of these regulations, consumers are entitled to access and correct their own data. The increasing use of alternative data sources in credit decisions compels regulators to reassess rules governing credit reference bureaus, including who should be classified as a bureau and how to treat the collection of nontraditional data.

It's nearly impossible to sufficiently self-protect from breaches and improper handling of personal information, and providers have weak incentives to treat privacy and security as competitive advantages. There is clearly a need for appropriate regulations that set standards, assign liability and establish enforcement mechanisms for data protection. While the structure of these regulations will differ between jurisdictions and by no means necessarily follow examples from Western countries, these measures form the foundation from which technology can expand poor people's access to and use of financial services. Without this foundation, systemic vulnerability to misuse and breaches of information could sow distrust among customers and a withdrawal by providers, ultimately undermining financial inclusion efforts.

Different paths are possible, but it’s clear that as digital trails multiply, regulators must devise and implement harmonized and comprehensive protections for customer data. It’s worth noting that aside from the handling of KYC-related information, no standard-setting body has intervened to develop global guidance on how countries should evaluate their data protection regulations. Standard-setting bodies could potentially contribute to the development and harmonization of data protection regimes across jurisdictions, which is particularly critical as more providers offer cross-border services.

Stanislaw Zmitrowicz, Olga Tomilova, and Sarah Achieng developed the analytical framework and carried out the landscaping exercise described in this post.