New data protection legislation in many countries has gotten a lot of attention in recent years. But we hear less about what happens after these laws are passed. Although the substance of new data protection laws is important, implementation is where the rubber meets the road. Any new law is only as good as the implementing capabilities of regulators and providers, so it’s important to take those capabilities into consideration when developing the law’s provisions, subsequent rules and institutional structures that must be put in place to bring it to life.

This point was underscored in a recent policy brief issued by the Future of Finance Initiative at Dvara Research that provides a blueprint for actions that will need to be taken by India’s central government and the new Data Protection Authority (DPA) that will be created after passage of the Personal Data Protection Bill. In total, the government and the DPA will need to address at least 82 action points to implement the new law. This observation begs the question: will regulators have the capacity needed to implement and enforce this new law?

Bridging a Gap of Understanding and Interpretation

As mentioned in the introductory blog post to this series, a common theme that surfaced during interviews we conducted last year with various data protection stakeholders in India, Ghana and Peru (as part of a Credit Suisse Global Citizens volunteer project) is that there is a gap that needs to be bridged between governments and providers on the issue of data protection.

For example, in Ghana, which has had a data protection law in place since 2012, any entity that handles personal data must register with the country’s Data Protection Commission as either a data controller or a data processor. However, according to Elorm Allavi, founder of SyeComp, an agricultural intelligence tech startup, it’s not necessarily clear which classification to register under and what the implications may be for the registration fees to be paid. He also described the data protection requirements as being “very one sided” and expressed a desire for the Bank of Ghana and data protection regulators to take steps to better comprehend the changing digital landscape and how fintechs use data. He felt that their lack of understanding limits their ability to assess the risks and can lead to unwarranted regulations.

On the government side, we’re grateful to Clarissa Kudowor at the Bank of Ghana (BoG) for providing a written response to some of the questions we had submitted regarding the overall legal and regulatory environment around data, as well as the BoG’s new Cyber & Information Security Directive. In her response, she recognized the need for innovation in financial services and the role of proportionate regulations and regulatory sandboxes in helping to create an enabling regulatory environment. But despite this enabling spirit, there was also a clear undertone throughout her remarks that compliance with the provisions of the law is paramount, though there was no mention of any specific engagement with providers that would help to facilitate that compliance. Moreover, Ms. Kudowor had to refer some of our questions to the Data Protection Commission, which sits within the Ministry of Communications. This was understandable, since Ghana’s data protection law applies to all sectors and not just the financial sector, but our efforts to get a response from the commission weren’t successful. This perhaps was indicative of the kinds of concerns providers often express about having multiple regulators to answer to.

We encountered similar concerns in Peru, where Mariano Fuentes, a Legal Advisor with ASBANC, the association of private financial institutions in Peru, told us about five member banks that were appealing sanctions by the National Data Protection Authority (NDPA) over differences in interpretation of consent requirements, suggesting a lack of regulatory clarity. Raising a separate concern, Elias Vargas, Head of Market Conduct Supervision at SBS (the Peruvian banking superintendent), spoke about overlaps in the mandates of the SBS and the NDPA and suggested that in some cases the SBS may be better positioned than the NDPA, which resides in the Ministry of Justice, to provide oversight of the financial sector on certain data protection issues. And in India, where the new data protection bill is looming large, Tejamoy Gosh, Head of Data Science and Artificial Intelligence with Aye Finance, also emphasized the need for regulatory clarity when he said that he would like to see “a list of ‘don’ts’ rather than a list of ‘dos,’ so we can be sure of what not to do absolutely.”

Provider and Other Stakeholder Capacity Needed, Too

All of the above issues are reflective of the enormous complexity of data, which brings us full circle to the need for policymakers and regulators to take capacity into account when designing and implementing new data protection frameworks. This doesn’t mean just regulatory capacity, but also provider capacity. In order to do this, it’s important for those doing the regulating to consult with those who will be regulated throughout the policymaking process so that all data protection stakeholders can be set up for success. Based on the feedback we obtained through the interviews described above, it appears that much more deliberate action is needed to make this happen.

As noted by the team at the Future of Finance Initiative at Dvara Research, “Developing robust and timeless regulation will require collaboration between regulators, entities processing data, civil society, researchers and technologists.” We couldn’t agree more. As our interviews showed, there’s a divide between regulators and providers that intentional and ongoing collaboration can help to bridge. They also suggest that governments need to do more to ensure that regulatory bodies not only have the technical expertise to deal with data issues writ large, but also the sectoral expertise to be able to effectively deal with data issues that are specific to each sector. Designing and implementing data protection frameworks is no small task, and governments should do all they can to enlist the support of external stakeholders to develop frameworks that truly set everyone up for success.


Ethan Loufield

Former Research Director

Ethan joined CFI in 2017 after spending the first 15 years of his career in a range of finance roles in the government, financial, and nonprofit sectors.

At CFI, Ethan was responsible for the successful implementation of Inclusive Fintech 50 – an initiative that recognizes promising early-stage fintechs driving financial inclusion around the globe – including program design and execution, and delivery of incentives and knowledge products. Prior to that, he was Director of Strategy and Operations, providing overall support to CFI’s programmatic, operational, and communications activities.

Ethan started his career with the Peace Corps before moving into the financial services arena, first in equipment finance with General Electric, and then as a relationship manager with Wells Fargo Business Credit, where he managed a portfolio of over two dozen clients representing nearly $100 million in annual funding volume. He also served for several years as the CFO of a nonprofit independent school before entering the fintech space with RevolutionCredit (now known as Scorenomics), an Accion Venture Lab portfolio company specializing in the use of behavioral data and analytics in consumer credit.

Ethan holds a bachelor’s degree from the University of Rhode Island, an MBA in finance from Indiana University, and a certificate in digital money from the Digital Frontiers Institute and The Fletcher School at Tufts University. He is proficient in French.

Shweta Vashisht

Vice President, Research and Consulting Group, Credit Suisse

Explore More

Privacy as Product, FSP designers
Toolkits and Guides

Privacy as Product: Privacy by Design for Inclusive Finance

Sign up for updates

This field is for validation purposes and should be left unchanged.