Data protection bill forces fintechs to invest for better customer data management
Introduction of the Digital Personal Data Protection Bill, 2023, is seen forcing fintech companies to invest and build better customer data management to ensure compliance with the provisions of the Bill.
Given that the fintech industry is young, data collection so far has been driven by the objective of gathering information rather than giving consumers the power to review or ask about their data.
With this latest legislation, fintechs will now have to put in place mechanisms to give users access to, and the final say over, their data, industry players said.
“There is a very clear articulation about the right to erase, correct and withdraw consent (in the Bill). These are three key areas across which users should be able to enquire about their personal data, and suggest if they want some data to be corrected or erased. Today, that is not very prevalent because users do not have that choice,” said Abhishek Kothari, CEO, Pepper Money India.
Digital lenders are expected to fare better given that customer experience and grievance redressal are already part of their regulatory oversight. It is the smaller and non-lending counterparts that are expected to see a bulk of the implementation impact because in the early stages the focus is a lot more on growth and customer acquisition than compliance and data management.
Further, requirements such as seeking proof-of-age to ensure children’s well-being will be easier for digital lenders where such information is part of the KYC, but it will be harder for fintechs who are focussed on teens and young adults.
“While some businesses had already begun preparing themselves for the new set of compliance, it could be complex for some players to implement the guidelines. There can also be increased cost of implementation and compliance and requirement for additional resources and awareness,” said Kumar Shekhar, Deputy Country Manager, Tide India, adding that developing a plan will also depend on other finer details and the date of implementation.
Even so, industry players believe that these stricter guidelines are binary issues and can be managed. What is more challenging from an implementation and operational standpoint are the provisions which need to be better defined or layered for effectiveness.
These include mechanisms for data breach notifications in terms of quantifying data breaches and the standards to be followed for dealing with and auditing of data breaches.
“Companies are required to delete the data if it no longer serves the intended purpose. In the life of an organisation, especially a fintech where the intent is to cross-sell multiple products over a period of time to a household not just an individual, the bigger question is deciding if it serves the intended purpose,” Kothari said, adding that implementation of such things will take some more planning and strategising but are steps in the right direction.