Is all data personal?

Dear kid, this is Santa Claus writing. This year I cannot send you the presents because you haven’t signed the consent to personal data processing!

In July 2019, we had the honour of speaking at the International Financial Congress, in the section on consumer fraud and anti-fraud techniques. The high level of the event and its guests highlighted that the topic is exceptionally relevant and important for the market. Consumer fraud mechanisms in retail lending and microlending appear to be a serious concern for both financial institutions and their clients.

While analysing the typical fraud patterns that banks and microfinance institutions usually face, we noticed that the most dangerous schemes, with the most drastic consequences, involve the compromise of personal data. Imagine personally identifiable information arriving together with sensitive data and other information: such a happy kit becomes a real Pandora’s box once a fraudster gets his hands on it. The negative effect escalates in no time, multiplying the loss for financial institutions up to dozens and even hundreds of millions of rubles in particular cases, and all of this in the microlending sector, with an average loan sum of 10,000 rubles.

What can be considered personal data?

In the modern world, financial services included, a dazzling array of data is generated and processed with every operation we make. For example, services that are free of charge for users can sell their data to other sectors. Client data become assets, and access to a huge pool of personal information boosts the economic value of such platforms.

Personal data usually means information that can be used to identify a person and is directly linked to that person. Above all, it refers to the full name, date of birth and passport details. Yet in the online world, other kinds of data can be used instead of this conventional information to obtain services, financial ones included. Data of this kind has not previously been seen as personally identifiable.

As we see it, all contact information, such as a phone number or e-mail address, even when detached from the full name and/or passport details, should be qualified as personal data, and its processing and access should be regulated.

Why is that so? The reason is that this information is quite enough for a financial operation such as applying for a loan, and it can also be used for two-factor authentication, for example when we register on public services websites and others. Finally, intruders can use it to gain access to a wider range of personal and sensitive data.

Do you remember in detail what your e-mail box contains, or how many contracts, bills, copies of financial documents and passwords have been sent there? Meanwhile, having such information pass into the public domain or the Deepnet can be downright unpleasant.

One more unpleasant consequence of uncontrolled personal data processing is that the data ends up with unprofessional data operators. Everyone has at least once filled in an application form for a discount or loyalty card, or registered at countless websites. But if we think about it, do the companies handling this information have the intention and the ability to protect our data from falling into the hands of criminals?

A spammer has been attacked by unknown assailants. Several million e-mail addresses are on the list of suspects.

Sensitive data does not always have an unambiguous correlation with the person, yet requesting and processing it can be harmful. One popular category is disposable income: you can find a detailed analysis of this topic in our previous article. Such data should also be reconsidered and put on the list, because it is often requested and used by financial institutions for different purposes.

Another issue has become pressing over the last 5-10 years due to the growing popularity of online financial services: the data that emerges at the moment of Internet connection and its transfer to the Web. This information can be of great value for evaluating a borrower or a recipient of financial services.

Information about a device's technical parameters and other characteristics, the so-called device fingerprint, belongs to the same category. Yet such information cannot be called personal, because it doesn’t actually identify the natural person. Hence its regulation, if required, should follow some other standards. Although it might be valuable, unlike personal data it is not enough to identify the person and perform financial operations on his/her behalf in case of data leakage.

We should already be developing a wider view of data, one that includes not only personal data but also other categories, such as sensitive and non-personal data, that evolve in the online world and don’t identify the natural person directly. When the volume of information is booming and digital technologies are advancing rapidly, we should turn from generalizations to practice and start categorizing, classifying, clustering and regulating data by common sense, not pro forma.

Regulation of personal data that is too mild and insufficient results in problems and losses for institutions and their clients alike, shattering confidence in the digital environment. On the other hand, excessive regulation of all information, even non-personal information, can push it to the Deepnet and significantly hold up the development of digital technology and online services. We witnessed that when the General Data Protection Regulation came into force, dramatically changing the terms of data collection and processing for data operators in Europe and for Russian companies whose activities involve EU citizens. Not to mention that strict penalties do not affect the economic growth of businesses, or of the digital economy in general, in the best way.

Summarizing the above, we believe it is necessary to strike a good balance between safe, authorised access to data on the one hand and regulation and guidance on the other, so that data consumers can work effectively.

Is it possible to turn this seemingly no-win situation into a win-win for all? The solution might be a differentiated approach to the regulation of data processing, one that corresponds to the risk level within specific data categories and the potential severity of the loss that can arise in case of leakage.

Ultimately, we believe that the future looks bright with the right vision and practice: new business models should remain customer-focused and rely on both legal and ethical norms when handling data and analyzing the digital portraits of clients, and we are here to keep you on the safe side with the right solutions.