In response to the seemingly endless flow of data breaches and misuses of personal data, governments are increasingly responding with penalties, hearings and new laws and regulations. Perhaps the most widely known is the European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018 and has quickly become a global benchmark, as many of the data protection regimes emerging around the world appear to embrace the same basic principles that are at the core of GDPR.
As the growth of the digital economy continues to fuel the expansion of consumers’ data footprints, we’re also hearing calls for new approaches to data protection that advances in digital technologies should be making increasingly possible, at least in theory. But in the recent research and interviews we conducted on the current state of data protection in India, Ghana and Peru (thanks to a collaboration made possible through the Credit Suisse Global Citizens volunteer program), we encountered a divide between governments and providers that surfaces when you get beyond principles and into the specifics of their application.
As usual, the devil is in the details.
For example, in responding to a question about how data protection laws and regulations in Ghana may be impacting the extent of data sharing among providers seeking to reach underserved segments, Clarissa Kudowor, Deputy Chief Manager of the Payment Systems Department, Bank of Ghana, wrote, “Whatever the arrangements/partnerships, we expect them to apply the universally accepted principles of data protection under Section 17 through to Section 34 of the Data Protection Act, 2012.” But achieving alignment between policymakers and providers on how best to apply these principles may be easier said than done.
Achieving alignment between policymakers and providers may be easier said than done.
For instance, in talking about data protection seminars offered by the Ghanaian government, Elorm Allavi, the CEO of SyeComp, a fintech which uses data from smallholder farmers for its mfarmPay credit product, said, “Seminars are for awareness creation, but in terms of the technical side, they’re not there yet. They don’t understand how we use data.” This is but one example of the gap that exists between governments and providers in advancing data protection in their countries. But where there are problems, there are also opportunities.
Recognizing how vast of a topic this is, we have chosen to focus on three key aspects of data protection that surfaced during our research.
-
Consent
-
Localization
-
Regulatory capacity and fragmentation
We will dedicate one blog post to each of these issues, starting next week with consent. Over the coming weeks, we will explore these topics – plus alternative data legislation and vulnerable populations in the U.S. – in a CFI Blog series, “Data Protection and Financial Inclusion: Why It Matters Now.” Join us as we dive in to these issues from a financial inclusion perspective and our unique position as an industry engager.