31
AFI GUIDELINE NOTE ON DATA PRIVACY FOR DIGITAL FINANCIAL SERVICES
MINIMALIST DP4DS APPROACH FOR FINANCIAL SECTOR REGULATORS This proposal contains suggestions as to the minimal actions that financial sector regulators might take in the interim period before there is a comprehensive data protection law in place. 1. CONDUCT HIGH-LEVEL ASSESSMENT OF THE DFS MARKET AND RELATED DATA PRIVACY RISKS > Cover both public and private sectors, including products, providers (traditional and FinTech based), delivery channels, customer segments, types of data used and analytic tools. > Develop methodology for assessing privacy risks in DFS business models from e.g., information sources, information sensitivity, use cases and systems interconnectivity. > Consider especially, the needs of vulnerable groups. > Consider financial inclusion objectives.
2. ESTABLISH CONSULTATION MECHANISM FOR NEW DP4DFS RULES Include public, private, and civil society representatives and ensure both traditional and FinTech entities are consulted.
3. ESTABLISH RISK-BASED CRITERIA FOR DEFINING ‘SIGNIFICANT’ DFS DATA CONTROLLERS Such criteria could cover, e.g.: > Volume and sensitivity of data processed > Number of data subjects > Turnover > Risk of harm to data subjects e.g., on basis of discrimination or bias > Use of new technologies for data processing, such as automated processing and profiling
4. DEVELOP NEW DP4DFS RULES Risk-based priority rules could cover: > Privacy by design and default governance and resource arrangements
> Transparent information for data subjects about data processing > Effective and informed consents > Rights to access and correction, and to object to processing > Recourse for data subjects with complaints ( e.g., as to compensation or data correction)
5. CONSIDER ALSO RULES FOR ‘SIGNIFICANT’ DATA CONTROLLERS AND PROCESSORS ules could cover, e.g., needs for registration; Data R Privacy Officer; privacy impact Assessments; breach reporting to regulators and to data subjects; and independent assessments of compliance.
6. BUILD CONSUMER AWARENESS OF DP4DFS Have specific focus on the diverse needs of vulnerable groups, education on data privacy risks with DFS, and related rights and responsibilities.
7. MAINTAIN ONGOING CONSULTATION ARRANGEMENTS WITH KEY STAKEHOLDERS or example: key ministries and regulators, FinTech F and traditional DFS data controllers and consumer associations.
