Privacy choices are inherently contextual, and individuals make different privacy calculi from one situation to another, deciding each time what and how much to share. The boundaries we negotiate depend on our expectations of what will happen to our information in each situation and how much we trust the recipient. For instance, you probably wouldn’t share the same information about your financial status with an acquaintance at work as you would with your tax advisor.
Negotiating privacy boundaries in the digital world, including inclusive finance, has become increasingly difficult.
The trouble is that negotiating privacy boundaries in the digital world, including inclusive finance, has become increasingly difficult. Trust in digital providers has dropped amidst well-documented data breaches and abuses. Trust is also challenged by consumers’ surprise over what data is collected about them. CFI’s research in Rwanda found that mobile money users who had applied for digital credit were upset that inputs such as airtime top-ups might be used as part of the underwriting process.
All of this is why, in honor of Data Privacy Week, which is celebrated every year in late January, we’re calling for the inclusive finance field to rethink privacy – specifically to shift it to the left. Shifting privacy left means bringing up privacy considerations early on in the product lifecycle and paying attention to privacy concerns from the outset, rather than just a final box to check for compliance once a product is already created.
Focus on Privacy by Design
One of the ways that people are rethinking privacy in inclusive finance is through an approach called Privacy by Design (PbD). The premise behind PbD is that because privacy is a core property of an IT system, it should influence the underlying system design, rather than be bolted on as an afterthought. In PbD, privacy considerations must therefore start at the ideation phase and be maintained throughout the product lifecycle. This stands in contrast to the compliance-driven approach that typically brings privacy into the discussion after all major design decisions have been made. Popularized by Dr. Ann Cavoukian in 2009, Privacy by Design is most notably mentioned in Article 25 in the GDPR.
Despite enthusiasm for the approach and privacy as a value-proposition to consumers, there are limited resources to operationalize Privacy by Design, particularly for organizations like inclusive finance fintechs operating in emerging markets and serving low-income consumers. Last year, CFI conducted a literature review to better understand how PbD has been implemented and its potential for inclusive finance. The results, shared in a report entitled Embedding Trust: The Potential of Privacy by Design in Inclusive Finance, landscape the various approaches to PbD in the legal, engineering, UX/UI, and academic fields. While each of the approaches, outlined in the graphic below, provided valuable tools, there were few examples of holistic approaches that product teams could use to embed privacy throughout the design and development processes.
CFI believes that five key considerations should guide any applications of PbD in inclusive finance:
1. PbD should be positioned as business-enhancing.
Because privacy has historically been seen as a compliance-related cost, to encourage private companies and fintechs to employ PbD techniques, PbD needs to be presented as a business-enhancing design benefit.
2. PbD needs to be adapted to work for resource-constrained companies and emerging markets.
Because PbD has been developed and largely implemented in developed countries, little work has been done to date to make PbD approachable and operational outside of those contexts.
3. PbD should incorporate low-income and vulnerable consumers’ offline privacy needs in addition to privacy for their digital data.
In considering the user and his/her privacy capacities and needs, PbD can bring customer-centricity into the data-intensive aspects of digital financial products.
4. PbD must balance consumer privacy preferences with companies’ needs.
When implementing PbD, it will be important to consider both the information that companies must collect to be able to perform their work, as well as the privacy preferences of consumers. A balance must be found to ensure that a product will function without compromising consumer privacy.
5. PbD must articulate privacy responsibilities across disaggregated value chain and partnerships.
Consumer data can sit and be shared across multiple organizations in today’s modularized fintech ecosystem, and not all actors in the value chain have equal power and influence.
Moving forward, CFI is working to create a PbD playbook for fintech product teams to embed and position privacy as a core value proposition to consumers. The playbook aims to help product managers – in their role of facilitating product development by technical staff (data scientists, engineers, UX/UI, etc.) — define the user journey and set metrics for product success, and ultimately present a strong opportunity to embed privacy. While product teams are key to executing Privacy by Design, a fintech’s executives and leadership must also recognize the business value of investing in privacy for it to succeed. Similarly, investors and funders need to prioritize privacy and realize the value of embedding privacy into design from the outset, not only because it is the right thing to do for consumers, but also because it is increasingly important to their bottom lines. By increasing awareness of Privacy by Design in the inclusive finance space, we can make strides in ensuring that consumers are protected and help build trust in digital finance.