Privacy in the post-GDPR world
How should banks and other financial institutions rethink customer privacy and make it a differentiator?
As a consumer, what does privacy mean to you? How much value do you place on your privacy? And what do you expect of your bank or other financial institutions in protecting your personal information?
March 14, 2018
A blog post by Val Srinivas, Banking & Capital Markets research leader, Deloitte Services LP.
I would hazard a guess that there is no single, universal answer to these questions. That is because privacy, like many things in life, is in the eye of the beholder.1
And to complicate matters, one’s feelings about privacy may well depend on the situation—what information are we talking about, why does the other party have your information in the first place, where do these data reside, how are they protected, and, not least, who has your personal information?
As we collectively generate quintillions of bytes of data every day, much of them outside our control (think of the digital trails we leave), and as cyberattacks and information breaches become increasingly common occurrences, to say that concerns about privacy have only gone up could be an understatement.2 This is particularly true of privacy in a financial context. Not only are consumers becoming more vigilant about privacy, but they are also demanding institutions do more to safeguard their private data.
Not to be left behind, regulators around the world are also establishing new rules for companies to follow. Consider the General Data Protection Regulation (GDPR) in the European Union, which is about to take effect on May 25, 2018.3 This sweeping regulation will affect every institution that handles personal data of EU citizens. And, unlike regulations in the United States, which tend to be narrower in scope and generally protect only specific types of data (such as Social Security numbers), GDPR is more encompassing in that it includes any and all information about EU residents. No doubt, many American companies, including financial institutions, have yet to fully come to grips with GDPR.4
But, to step back a bit, what does privacy really mean? A number of privacy scholars have noted that privacy is “a concept in disarray,” “embarrassingly difficult to define,” and “an essentially contested concept.”5
Without going too deep into these arguments, I tend to agree with the view that we need a clearer definition of privacy, especially one that will stand the test of time and remain appropriate for the technological innovations to come.6
Figure 1: Seven types of privacy.
Source: Finn R.L., Wright D., Friedewald M. (2013) Seven Types of Privacy. In: Gutwirth S., Leenes R., de Hert P., Poullet Y. (eds) European Data Protection: Coming of Age. Springer, Dordrecht.
Forward looking framework
In the words of three academics—Rachel L. Finn, David Wright, and Michael Friedewald—who studied this topic, what we as a society need is a “forward looking framework” that takes into account the impact of new and emerging technologies. They further argue that there are seven different types of privacy—ranging from privacy of the person to privacy of association (figure 1).
Now, how could this typology apply to privacy in financial services? For one thing, it highlights the multidimensionality of the privacy concept, and suggests that as service providers who may have access to information about the different types of privacy outlined in figure 1, financial institutions need to think differently about how to collect, store, process, share, and protect each type of privacy.
Take, for example, the use of biometric data for identification in financial services. It is clear that these technologies will become more commonplace as the years go by. However, the application of biometrics may go beyond identification to include other analyses, where such data are combined with other personal information, such as location or social media behavior, to decipher an individual’s needs or preferences for financial services. So, in the privacy context, what are the expectations regarding the use of such biometric information? Do consumers need to be informed that such merging of private information is happening, and how such combined information may be used to serve customers?
I can imagine a number of similar questions that may be relevant to privacy as new technologies are used to target and serve financial services customers. But such examination would not be possible without a deeper and richer understanding of privacy in all its facets in today’s digital world.
My hope is that financial institutions think of privacy in a more nuanced, holistic, and meaningful way, rather than merely trying to satisfy existing compliance requirements. I would also hope financial institutions become more proactive and deliberate in envisioning how privacy might evolve over time, and in ensuring that privacy becomes an institutionwide mantra.
Lastly, I believe privacy management when practiced in the way I describe above can also be a differentiator in the customers’ eyes. Who knows what premium superior privacy management can engender? In other words, it is entirely possible that sound privacy practices by financial institutions could ultimately lead to better financial outcomes for the service providers.
1 International Association of Privacy Professionals (IAPP), “What is privacy,” https://iapp.org/about/what-is-privacy/ – accessed on March 2, 2018.
2 Lee Rainie, “The state of privacy in post-Snowden America,” Pew Research Center, September 21, 2016.
3 European Union General Data Protection Regulation, https://www.eugdpr.org/ – accessed on March 2, 2018.
4 Steven Norton and Sara Castellanos, “Companies Scramble to Cope with New EU Privacy Rules,” CIO Journal, Wall Street Journal, February 26, 2018. https://blogs.wsj.com/cio/2018/02/26/companies-scramble-to-cope-with-new-eu-privacy-rules/; Jingnan Huo, “EU’s new data privacy law creates headaches for U.S. banks,” American Banker, September 20, 2017. https://www.americanbanker.com/news/eus-new-data-privacy-law-creates-headaches-for-us-banks
5 Daniel J. Solove, Understanding Privacy, Harvard University Press, Cambridge, Massachusetts, 2008. http://www.ehcca.com/presentations/HIPAA16/solove_p2.pdf; Finn R.L., Wright D., Friedewald M. (2013) Seven Types of Privacy. In: Gutwirth S., Leenes R., de Hert P., Poullet Y. (eds) European Data Protection: Coming of Age. Springer, Dordrecht; https://www.law.berkeley.edu/wp-content/uploads/2017/07/Privacy-is-an-essentially.pdf; James Whitman, “The Two Western Cultures of Privacy: Dignity Versus Liberty,” Yale Law Journal, Vol. 113:1151, p. 1151-1221, 2003-2004.
6 Community Research and Development Information Service, “Final Report Summary - PRESCIENT (Privacy and emerging fields of science and technology: Towards a common framework for privacy and ethical assessment),” 2015-01-20. https://cordis.europa.eu/result/rcn/155816_en.html
QuickLook is a weekly blog from the Deloitte Center for Financial Services about technology, innovation, growth, regulation, and other challenges facing the industry. The views expressed in this blog are those of the blogger and not official statements by Deloitte or any of its affiliates or member firms.