MINIMALIST DP4DFS APPROACH FOR FINANCIAL SECTOR REGULATORS

This proposal contains suggestions as to the minimal actions that financial sector regulators might take in the interim period before there is a comprehensive data protection law in place.

1. CONDUCT HIGH-LEVEL ASSESSMENT OF THE DFS MARKET AND RELATED DATA PRIVACY RISKS

> Cover both public and private sectors, including products, providers (traditional and FinTech based), delivery channels, customer segments, types of data used and analytic tools.

> Develop methodology for assessing privacy risks in DFS business models from e.g., information sources, information sensitivity, use cases and systems interconnectivity.

> Consider especially the needs of vulnerable groups.

> Consider financial inclusion objectives.

2. ESTABLISH CONSULTATION MECHANISM FOR NEW DP4DFS RULES

Include public, private, and civil society representatives and ensure both traditional and FinTech entities are consulted.

3. ESTABLISH RISK-BASED CRITERIA FOR DEFINING ‘SIGNIFICANT’ DFS DATA CONTROLLERS

Such criteria could cover, e.g.:

> Volume and sensitivity of data processed

> Number of data subjects

> Turnover

> Risk of harm to data subjects e.g., on basis of discrimination or bias

> Use of new technologies for data processing, such as automated processing and profiling

4. DEVELOP NEW DP4DFS RULES

Risk-based priority rules could cover:

> Privacy by design and default governance and resource arrangements

> Transparent information for data subjects about data processing

> Effective and informed consents

> Rights to access and correction, and to object to processing

> Recourse for data subjects with complaints (e.g., as to compensation or data correction)

5. CONSIDER ALSO RULES FOR ‘SIGNIFICANT’ DATA CONTROLLERS AND PROCESSORS

Rules could cover, e.g., needs for registration; a Data Privacy Officer; privacy impact assessments; breach reporting to regulators and to data subjects; and independent assessments of compliance.

6. BUILD CONSUMER AWARENESS OF DP4DFS

Have specific focus on the diverse needs of vulnerable groups, education on data privacy risks with DFS, and related rights and responsibilities.

7. MAINTAIN ONGOING CONSULTATION ARRANGEMENTS WITH KEY STAKEHOLDERS

For example: key ministries and regulators, FinTech and traditional DFS data controllers and consumer associations.
