GDPR versus Identity Verification – Are you Ready?
If you are an organisation based in the EU, or one doing business with companies in the EU where you have direct or indirect access to any personal information of EU citizens, then this is important for you. The GDPR, or General Data Protection Regulation, is about to be implemented in a couple of months. It is literally a game changer in the way companies will manage the personal information of individuals. The matter is even more sensitive for companies that require identity verification and rely heavily on digital KYC, such as banks, e-commerce sites and the like. Heavy fines and strict action await businesses that do not comply with these regulations, so it is important that corporates get up to date on the GDPR in order to become compliant. In this article we will cover the crux of the new EU data protection act and its impact on organisations that rely on online identity confirmation. We will also discuss solutions to make life easier for these companies.
What do the Regulations Cover?
The first question that should come to mind is: what do these regulations cover? The answer is that they cover the protection of user data in almost every possible way. For a business to be GDPR compliant it must not only make sure that an individual's data is secure, but also follow up on the way it is handled. It must allow the customer, or user, to monitor, control and view any or all information held about them, and to delete it if they wish to.
In order to achieve its goal of protecting user data, GDPR encourages companies either to make the information such that it cannot be traced back to the user (anonymisation), or to store it in a manner such that the identifying parts are kept separately from the rest and can be put together again only when required (what the regulation calls pseudonymisation); both are meant to ensure user privacy. The third option it promotes is that the data be coded so that it cannot be read without the key to the code, i.e. data encryption. Some organisations might need specialised personnel to manage and secure the data, known as a DPO (Data Protection Officer); these are certified data handling and protection experts.
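As an added illustration (not code from the original article), the following Python sketch shows the "stored separately but re-linkable" approach described above: direct identifiers go into a vault keyed by an HMAC-derived pseudonym, the working copy holds only non-identifying attributes, and erasing the vault entry leaves data that can no longer be traced back to the person. The sample record, field names and key are constructed for the example.

```python
import hmac
import hashlib
from typing import Optional

# Constructed sample KYC record (not real data).
RECORD = {"name": "Ada Example", "passport": "X1234567", "dob": "1980-01-02",
          "risk_score": 12, "country": "IE"}
# Fields that directly identify the person and must be kept apart.
DIRECT_IDENTIFIERS = ("name", "passport", "dob")


class PseudonymisingStore:
    """Keeps a pseudonymised working copy of each record separate from the
    identity vault that can re-link it. Deleting the vault entry leaves only
    data that can no longer be traced back to the individual."""

    def __init__(self, secret: bytes):
        self._secret = secret   # key used to derive stable pseudonyms
        self._vault = {}        # pseudonym -> direct identifiers (held separately)
        self._working = {}      # pseudonym -> non-identifying attributes

    def _pseudonym(self, passport: str) -> str:
        # Keyed hash: the same person always maps to the same token, but
        # nobody without the secret can recompute or reverse the mapping.
        digest = hmac.new(self._secret, passport.encode(), hashlib.sha256)
        return digest.hexdigest()[:16]

    def ingest(self, record: dict) -> str:
        token = self._pseudonym(record["passport"])
        self._vault[token] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        self._working[token] = {k: v for k, v in record.items()
                                if k not in DIRECT_IDENTIFIERS}
        return token

    def working_copy(self, token: str) -> dict:
        # What day-to-day processing sees: no name, passport or date of birth.
        return dict(self._working[token])

    def reidentify(self, token: str) -> Optional[dict]:
        # "Put together again" succeeds only while the vault entry exists.
        ids = self._vault.get(token)
        return {**ids, **self._working[token]} if ids else None

    def erase(self, token: str) -> None:
        # Right to erasure: drop the link; the working copy is now anonymous.
        self._vault.pop(token, None)
```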
Despite all this strictness, there are certain exceptions where companies can collect and process data without specific consent. These include data related to cyber security, employee data, national security, etc.
The crux of GDPR is that the protection of user data must be done with specific, concise and transparent processes and communication protocols. Basically, the user has the right to know what will be done with the information, where it will be stored and for how long, etc. Also, all data that is gathered must be collected with the clear consent of the user. The companies handling the information also need to have protocols in place in case personal data leaks: the company needs to inform the proper authorities within 72 hours and the end user right away.
Identity Verification is Important Too
Given that most online businesses are unable to physically see their customers and online users, there will always be a requirement for identity verification. It is more essential now than ever, as more and more organisations and businesses provide services and goods using the power of the Internet. This is not only to save cost, but also to provide convenience to the end consumer. The problem that arises is that, since no physical presence of an individual is present or required, certain miscreants take advantage of this situation and carry out identity theft and scams that cause financial loss to users and corporations. For this reason, companies rely heavily on digital KYC (Know Your Customer) services and processes to confirm identity and consequently minimise fraud. This is extremely essential for banks and financial institutions that provide online financial services, from opening an account, making payments and transfers, to paying taxes and mortgages. Since online services are here to stay and the general population turns to the Internet for its ever increasing needs, knowing who's who is becoming imperative.
What Does GDPR Mean for Online Identity Verification?
The question that most businesses using digital KYC processes are asking is: what will its impact be on KYC services and their providers? The new data protection act understands the importance of identity and of protecting it, so identity verification is not going to be stopped. On the contrary, companies that require such confirmation will need to make sure that they secure the information they obtain and, at the same time, make its use clear, easy to understand and transparent for the individual. So if a company is using such a service to make sure that it has been given the credit card number of the right person, then once it has gathered the data and confirmed the identity it should tell the customer what it will do with that data. Will the data be deleted or kept? If kept, for how long, and what measures have been taken to safeguard it? All this needs to be done with the clear consent of the individual concerned, and the user should have the right to delete their data if they wish to.
What about Third-party Verifiers?
Most e-commerce businesses, as well as banks, financial services and goods providers, use third-party identity verification services. The fact that the process is outsourced does not exempt the company from being GDPR compliant. In fact, not only the company outsourcing the process but also the company handling the digital KYC will be required to comply with the new act. Even if the company is located outside the EU, if it is handling the personal information of EU citizens it needs to ensure compliance. Given the extravagant fines and strict actions, it is essential for organisations to make sure that they outsource verification(s) to reliable, GDPR compliant companies that have the expertise to handle and protect the data without incident. They should also have in place processes and protocols to handle breaches and to inform and act in accordance with GDPR regulations if one were to occur.
The GDPR is a reality that is going to be implemented, and the sooner companies and organisations become compliant the better it will be for them. To say that time is short would be an understatement: the regulation is to go into full effect near the end of May 2018. The best possible bet is for companies either to get third-party help, similar to the businesses they use for their online identity verification services, or to opt for specialists such as DPOs who can help align the company with the new act.