Mike Wake, Head of Data Management at SAS UK & Ireland analyses how the incoming GDPR will empower consumers to take back control.
The General Data Protection Regulation (GDPR) puts power into the hands of the consumer. From May 2018, this legislation will allow EU citizens to take control of where their private, personal and identifiable data is held and crucially, by whom. Under new laws, any organisation that is processing EU citizens’ data must prepare to stipulate how they store, manage and process this information. Irrespective of Brexit, the UK government has promised it will implement the regulation in full, and is in the process of doing so with its new Data Protection Bill that is set to go before Parliament. While businesses across the continent have their hands full seeking compliance as May 2018 nears, it is worth analysing how this regulation will impact and affect individuals as they go about their daily lives.
At a time when financial crime and identity fraud is rife, it is no wonder that citizens are increasingly wary and protective about sharing personal details and contact information. With GDPR, the onus of responsibility is flipped on its head.
Under the legislation, EU citizens will be presented with new data rights giving them licence to access, object and rectify any of their personal data held by organisations. For example, Article 17 of the law denotes that residents have the right to request erasure of personal data related to them on any number of grounds. Gone are the days where individuals must trawl through business departments seeking removal from sales lists and registers only to get a cold call six months later. Under the new legislation, the consumer has the full backing of the European Parliament, the Council of the European Union and the European Commission to request removal without any undue pressure or financial penalty.
Unsurprisingly, the UK’s sentiment to these new-found powers is positive, with over 48 per cent of adults planning to activate their new rights. The rights to ‘access’ and ‘erasure’ are the most popular with 64 per cent and 62 per cent welcoming these respectively.
Not to be judged by third parties
So, how do these new data rights relate to everyday scenarios like shopping online or even applying for a loan?
Currently, when applying for a loan, a bank seeks outside third party information on the customer from the electoral register, credit reference agencies and other reliable sources that profile individuals. In turn, these agencies provide the bank with verification that the individual can and probably will repay any money lent within an agreed time period.
Post GDPR, this process may become a little more challenging for financial services organisations that will need to find ever more discerning ways to fall back on this shared personal data. GDPR doesn’t rule this as an impossibility as third parties may well incentivise other organisations to opt in, like banks. Financial services could use the opportunity to include conditions in their contracts that stipulate access to third party data. Additionally, banks could also argue that it is in the national interest that personal data is recovered from third parties to verify someone’s credit-worthiness.
Both behavioural data (e.g. general website browsing) and transaction-related data (e.g. banking and payment transactions) are rich sources of information used to build customer profiles and segments. This is again a clear example of how the power is shifting to the consumer with their ‘right to object to profiling’ affecting the principles around data usage in business. As data usage continues to evolve, banks may well find themselves in a data minimisation and purpose limitation landscape which will mean less data to oversee and less freedom to use it.
Under the regulation, citizens will also have opportunity to question where a bank is receiving information from and choose to not be subjected to profile processing for the purposes of evaluating personal details such as health, personal preferences, behaviour and movements. To adhere to this, banks need to build and maintain a granular understanding of the process taking place, and explain this to customers. Whether this inability to use third party data will benefit the consumer financially and/or hinder a bank’s judgement in the longer term, remains to be seen.
Say ‘no’ to profiling by automation
As the modern consumer moves from digital-first to digital-only, they expect every business in every industry to achieve ‘digital parity’. In other words, businesses need to be as easy to do business with online as they are offline. Given this evolution of consumer need, it’s no secret that everyone from social media companies to energy suppliers are tapping into automated algorithms, data and analytics to assist and provide the best customer service and outcome. This is notoriously common in banking transactions, as discussed above, but also in retail – e.g. sharing a particular offer with a customer, based on past transactions.
However, under Article 22 of the GDPR, automated individual decision-making, including profiling, is made contestable. This means the consumer has the right not to be subject to an automated decision-making process where those decisions significantly affect them.
So much so, that from May 2018 individuals can request human intervention if they feel disadvantaged as a result. Here they can request an explanation and demand that the algorithm is not used in respect of their treatment by a company. This will particularly impact organisations such as retailers that may make discount offers to some consumers and not others based on an algorithmic decision.
For organisations that provide credit (e.g. mortgages, personal loans, credit cards) this is nothing new; there are already regulations in place to prevent discrimination and enforce clarity in data use.
As the regulation moves ever closer, it is now on the consumer to take advantage of the opportunities available to them.
With the new rights implemented, the chance is there for individuals to not only access, erase and rectify their data but to pursue a better deal from organisations such as banks, retailers, insurers and energy suppliers. However, this will only come true if citizens take control once and for all.
Learn more about the challenges and opportunities that GDPR will present by visiting the SAS website here.