The money transfer industry has been expanding rapidly in the past couple of years. Experts estimate that the money transfer industry represents $600 billion, with millions of customers sharing their personal data.
As a result, money transfer companies are hard at work pushing the boundaries of what a transfer can do, endeavouring to turn the traditional one-way transaction into a two-way interaction. And while great strides are being made towards this end, data protection and security are a paramount concern for everyone involved, from platform to enterprise to end-consumer. Although money transfer companies have proven to be safe and effective, consumers should still be aware of what it means to protect their data in a digital-driven age.
Why should consumers be concerned with data protection?
Since the dawn of the internet, security has been a concern. Personal information is used on a great many services and sites—including (but not limited to) your name, address, email, phone number, age, gender, nationality, ethnicity, religious affiliation, and even spending habits.
It’s not at all uncommon to share some aspects of your personal data with a service or site, whether for the purpose of verifying your identity or creating an account. However, some unscrupulous companies may sell your data to third parties, who use it for targeted advertising. While this may not sound so terrible, it is the security of those third parties, who now hold your data, that should concern you.
What does the law say about data protection?
On 27 April 2016, the European Parliament adopted a new law known as the General Data Protection Regulation, or GDPR for short. The GDPR will come into full effect on 25 May 2018, and is applicable to all twenty-eight member states of the European Union.
The GDPR will apply to any company that collects, processes, and stores the personal information of EU citizens—which means that it will be equally enforceable against enterprises outside the EU that work in any way with its people.
What is the goal of the GDPR?
The GDPR was created with the intention of unifying and strengthening the protection of personal data, aiming to give control back to individuals regarding how their information is stored and handled.
Enterprises that collect personal information will be required to gain the explicit consent of each user, and to explain, in no uncertain terms, why they are collecting said information and how it will be used. Additionally, they must grant the user complete control over their information.
How are companies preparing for the GDPR?
Come May 2018, companies that collect personal data must be GDPR compliant. To do so, they must appoint a data protection officer to ensure that all measures of responsibility and accountability are met according to the guidelines of the GDPR.
Here are just a few ways in which companies must be GDPR compliant:
- Produce and maintain correct documentation of processing activities
- Ensure privacy by design (which means building data protection measures into the development of business processes)
- Conduct an impact study that identifies potential data breach risks
- Take necessary action to reduce such risks, based on the impact study
Moreover, once these procedures are established, it will be the responsibility of the data protection officer to enforce them, conduct audits, and ensure that personal data is protected as the new regulations require.
As a money transfer company, what should we do?
The first thing to do is to appoint a DPO, responsible for the management of personal data, whatever the size of your company. The DPO should then map the personal data of your company, determining the following:
- Which pieces of data are collected? Among them, which are personal data, and which are sensitive?
- When is the data recorded? Does the platform inform the user that his or her data is being collected before he or she interacts with it?
- Where is the data kept? What provisions are in place to protect it?
- Who can access this data?
Once the mapping has been completed, the DPO will have to put in place procedures to ensure data security. These procedures have to address the following points:
- Are the media (computers, flash drives, hard drives, etc.) that may contain personal data encrypted, to avoid leaks in case of theft?
- Is the password policy strong enough to secure access to the data held by the company?
- Could the company anonymize the collected data, protecting personal data while retaining the ability to produce statistics?
- Are there procedures for:
  - collecting the consent of the data subject?
  - informing the data subject of his or her rights regarding the data?
  - answering requests for information from the data subject?
  - detecting data breaches?
- Has the company planned a Data Protection Impact Assessment, to evaluate the level of data protection security it has deployed and the weak points of that arrangement?
- In case of a data breach, what procedures are planned to communicate the incident to the authorities and to the subjects concerned?
- And finally, has the company defined a code of conduct for acting ethically and protecting personal data?
Once the procedures have been established, the DPO will be responsible for enforcing them, including conducting audits and communicating with the team to make them aware of the procedures and of the importance of personal data protection.
The ability of money transfer companies to aid in automated tasks, such as updating consumers, obtaining consent for data usage, and offering options to prospects, will prove valuable to enterprises that employ them as the GDPR takes effect. With unparalleled security and the added value of two-way interactions, the Fintech era will only expand as more regions seek to duplicate the efforts of the EU and put control of personal data back into consumers’ hands.