We were in Sofia, Bulgaria, to share our thoughts and discuss the impact of GDPR and PSD2 at the Eurofi High Level Seminar. The Seminar is an international event, gathering over 800 participants from the European and international public authorities and the financial industry.
The General Data Protection Regulation (GDPR) is coming into full swing this year and the impact it will have on technology in the financial industry is unknown at best. From a policy point of view, it brings the topic of personal data and the importance of its ownership into the decision-making process of the customer. This is the first step for financial services customers to consciously put a value on their privacy. Personal data, in many ways, is an extension of private property for the digital age. Hence, it seems natural that individuals should have similar rights. The problem with personal data, however, is that it is very hard to value for the user, but very easy to value for the company acquiring the data.
Large technology companies like Google have made that core to their business. Consider the moment you launch a mapping application on your phone. “Would you like to share your location?” You can answer “No, thank you” and still use the rest of the features and functionality. Logging in with an email account might open further features like personalised search results. The service provider is effectively trading information for features. In fact, the service provider probably knows the exact monetary value of a user with location turned on versus one without. In contrast, there are ride-sharing apps that do not allow any functionality without location sharing turned on. This is effectively asking a user to go “all-in” before seeing the flop (to use a poker reference).
The first approach appeals to a spectrum of users but requires a huge amount of analysis and segregation of services that can be delivered independently. The second, monolithic approach is more efficient, but has a binary impact on users. Both models are “successful” in that they have willing and accepting users.
Drawing parallels to the financial system, most firms, due to Know Your Customer (KYC) regulations, take the latter approach of requiring a large amount of information, after which you are granted access to a wide range of services. This presents an opportunity for Financial Technology (FinTech) players and banks to compete on privacy: some information required for a current account, a bit more information for an overdraft and a bit more for a mortgage.
It is not hard to imagine a world where a FinTech firm or bank might come to a user and say, “If you link three social media accounts to your card number, we will give you an extra 1% on a 6-month time deposit, after which we will delete all references to your social media accounts.” This agreement seems to wrap in the GDPR principles of consent (at start) and the right to be forgotten (after 6 months). But what if the firm, through a combination of AI, machine learning and other technologies, deduced 1,000 other data points about the user or the user’s friends in that six-month period? Does the user then also have the right to request data erasure for their friends? Will “highly connected” individuals then be targeted for their personal data? GDPR is just the beginning of that understanding. These are difficult questions with difficult answers, but ultimately GDPR and the regulations that follow will force businesses to put a value on personal data and at least allow consumers to know when they are “all-in.”
For the full section in the Eurofi magazine, click here.