Since the General Data Protection Regulation (GDPR) came into force across Europe, data security has become a hotter topic than ever. The biggest data breaches of 2018 so far have involved millions of users - and some of them have displayed startling negligence. FedEx, for example, stored customer data on an Amazon S3 bucket that was fully accessible to the public, compromising thousands of scanned documents.
GDPR exists to make businesses think about data and how they’re handling it. The goal is to standardise best practice in data handling across a wide territory with dozens of different protocols, standards, regulations and penalties - on paper, it improves data security for customers, and makes data processing easier for banks by providing one set of universal standards for the European territory.
Outside the EU, however, complying with data protection laws is a more delicate business, meaning that international operations - including global debt collection - need a broader awareness of legal responsibilities.
Requirements: governance and technical
Most coverage of GDPR has emphasised the governance aspect of the new regulations: the policies, processes and documentation, the appointment of data protection officers, and the retraining of personnel to ensure compliance by increasing awareness.
The technical requirements of GDPR have often been sidelined, but businesses who outsource or commission IT services cannot afford to ignore these requirements. It is critical that businesses and institutions select IT providers who are themselves fully compliant with GDPR and similar legislation.
IT developers are required to “put technical and organisational measures such as pseudonymisation in place to minimise personal data processing”, and design systems which do not demand any unnecessary data. If a customer’s date of birth is not necessary to do business with them, there is no justification for recording it. Debt collection systems are primarily concerned with accounts, contact details, payment and scheduling; other demographic data is arguably not something that should even be recorded.
Debt collectors with a court order on their side, or who are in pursuit of an uncontested debt, can contact their debtors at reasonable intervals. However, their legitimate interest and legal obligation rights exist in tension with the rights of data subjects, who can ask for access to a copy of their data, and for their data to be ‘forgotten’ when no longer relevant.
A particular problem emerges around the issue of consent. If a customer has taken out a loan and shared their personal data with the loan provider, who then passes it on to a debt collection agency, there is room for the customer to contest that they did not consent to this use of their data. Banks and other loan providers will have to be careful, ensuring that they secure specific consent for data to be passed to third parties where necessary.
Data protection outside Europe
Chilean lawmakers have explicitly modelled their new data protection legislation on the European regulatory standards, drawing on the expertise of the Spanish Personal Data Protection Agency. It’s expected that, within the next year, a GDPR-compliant system will be perfectly adequate within Chile.
GDPR also goes further than is required by Colombian and Peruvian laws. The former country does not include the right to be forgotten or the appointment of data protection officers; the latter is still introducing a sanctioning regime. However, the technical standards are otherwise similar.
Mexico has strong economic ties to Spain and the broader EU, with significant EU investment and ownership in its businesses. Although there is no specific extension of Mexican data protection legislation, a significant minority of Mexican businesses will expect GDPR standards to be upheld.
South East Asia
Only three of the ten Association of South East Asian Nations (ASEAN) countries have comprehensive data protection laws: the Philippines, Malaysia and Singapore. These laws have only been actively implemented for a handful of years, and mostly address the roles of governmental or educational institutions - not banks.
Two countries (Indonesia and Thailand) currently have specific data protection legislation in draft. Another four (Brunei, Laos, Vietnam and Myanmar) grant privacy rights to their citizens, in a framework that chiefly focuses on state power and correspondence interception.
Across ASEAN as a whole, the 2016 Framework on Personal Data Protection provides a basis for speculating about the future. The Framework specifies the need for ‘strengthening personal data protection with a view to the promotion and growth of trade’, suggesting that the role of financial institutions could be built into future ASEAN legislation. In the meantime, debt collectors in South East Asia will have to lead by example, complying with the more advanced EU regulations and demonstrating good practice for debt recovery in the region.
Canadian data protection laws are similar to the European Union’s. The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private sector organisations that conduct business in most Canadian territories, with substantially similar legislation applying in the remainder. Further legislation applies via the Bank Act, which does not necessarily supersede PIPEDA or its equivalents.
Meanwhile, in the USA, data protection legislation mostly applies at the state level, with federal legislation described by the Council on Foreign Relations as ‘piecemeal’. Privacy and security concerns are addressed via industry regulation, enforced by the Federal Trade Commission - a body with limited jurisdiction over banks and their associated organisations.
The Financial Services Modernisation Act regulates the collection, use and disclosure of personal financial data. It obliges banks and their partner organisations to provide notice of their privacy practices and an opportunity for data subjects to opt out of having their information shared. Three further regulations and industry-imposed standards apply to the protection and disposal of financial data.
Outside the newly-standardised EU environment, data protection regulations are a quagmire of distinctions, incompatibilities and uncertainties. GDPR is part of an overall drift toward customer-first legislation that defines data protection in terms of how individuals should be treated, but so far the EU is ahead of the game. Best practice for debt collection already comes from a customer-first perspective - which means compliance with GDPR puts the industry in a solid position for operations elsewhere in the world.