I remember a time, back in the 1990’s, when almost everything in my life was computer-less. I didn’t use email or the internet and didn’t own a cell phone. Other than some government, education, medical and financial records that may have been stored electronically, I essentially had no digital footprint. That all changed in 1996 when I subscribed to dial-up internet.
Fast forward to 2019, and we now have the term “data exhaust” to describe how we are constantly generating new data about ourselves as we go about our daily lives. Data has become so fundamental to our existence that a growing number of people, including Satya Nadella and Tim Cook, CEOs of Microsoft and Apple, respectively, have been calling for data privacy to be treated as a human right. But despite all the attention data is getting, there’s tremendous confusion and uncertainty among consumers and businesses alike as to what to do about it.
Urgency to Act at a Fever Pitch
In terms of what this means for financial services, we at CFI are living the growing sense of urgency with respect to data use and protection, and we’ve been responding, most recently with the new draft standards on responsible digital credit from CFI’s Smart Campaign.
We’ve also begun to explore more ways in which we can better support financial service providers in getting data right. Last month, we partnered with Accion Venture Lab, which has also released a new data protection resource targeted to fintechs, in a convening of about 30 stakeholders with a shared interest in this topic to consider the primary data protection issues financial service providers are grappling with and ways in which we can make progress.
Not surprisingly, there was an ample supply of challenges put forward on issues: from informed consent and data minimization, to regulatory complexity and the limited resources and expertise of smaller providers. There were no easy answers, but about halfway through the discussion, one participant said, “Maybe we need to bring it down a level to basic blocking and tackling. We can’t own the philosophical discussion.”
While the larger questions are important to consider, this served as a reminder that it’s easy to get swept away in the ocean of issues. So the best approach may be to look to players and solutions that already exist to help anchor our efforts around more practical steps.
What this means for us is that while new standards and resources are good first steps, they’re stepping stones for establishing good practices and building trust between providers and clients. There’s a need for greater awareness and more concrete guidance and solutions through audiences that can help to maximize influence, such as boards, investors and regulators. Throughout the conversation, the ideas that emerged hinted at a two-part approach:
- working at an ecosystem level to develop principles around data protection, and
- seeking out existing organizations and resources in adjacent spaces that could be leveraged to develop more practical tools.
So how might we go about this? One path could be to try to work with larger technology players to develop high-level principles as a guiding framework. Whether or not there would be an appetite among larger technology players to collaborate on such an undertaking, principles need broad-based buy in to achieve scale.
Martin Tisne, Managing Director at Luminate, recently made this point in “It’s Time for a Bill of Data Rights,” published last December in MIT Technology Review. He discussed the importance of data rights, such as the right to be secure against unreasonable surveillance and the right to not be discriminated against. “The details should flow from basic principles, as with America’s existing Bill of Rights. Too often, attempts to enunciate such principles get bogged down in the weeds of things like ‘opt-in consent models,’ which may fast become outdated,” Tisne wrote.
From Frameworks to Specific Actions
As for specific actions, another path could be to scan the landscape for existing resources that could be adapted and applied in the financial inclusion space. Some specific organizations mentioned include the Securities Industry and Financial Markets Association (SIFMA) and the CERT Division of the Software Engineering Institute at Carnegie Mellon. While they don’t specifically focus on BOP markets, consulting with these organizations could serve as a good reference point for relevant data protection frameworks and policies, procedures and best practices. They could also provide listings of third parties that specialize in services around data privacy and security, such as audits, penetration testing and threat intelligence.
There’s a need for greater awareness and more concrete guidance and solutions.
CFI’s goal is not to become technical advisors, but rather to provide overall direction and practical tools that are tailored to smaller providers in geographies where assistance of this nature is harder to come by. Despite all the attention that the topic of data has been getting, the level of risks and uncertainties only continues to rise, especially for smaller providers. There’s nothing more core to our purpose than to confront these types of emerging challenges head on. We did this in 2009 when we launched the Smart Campaign to take on consumer protection, and we see this new phenomenon of data as being just as pressing.
Please join us in our pursuit of getting data protection right. Leave a comment below and let’s get the discussion going on actionable best steps!