GDPR and its implications for banks using chatbots - Part 1
“Spectacular achievement is always preceded by unspectacular preparation.” -Robert Schuller.
Well, GDPR is here! It has been in effect for more than three months.
Since its implementation, GDPR has created some not-so-pleasant ripples for businesses. To begin with, technology giants like Facebook, Instagram, WhatsApp, and Google Android were hit with lawsuits on the very same day GDPR took effect. Imagine this happening to Facebook and Google Android OS, which had been preparing for the EU General Data Protection Regulation (GDPR) for 18 months. The lawsuits total approximately US$8.8 billion.
Banks and financial institutions have scored high on complying with GDPR requirements when handling the data of customers who are EU subjects. But it will be interesting to analyze what the implications are for banks implementing chatbots, and what the practical implications of GDPR are for banks using the services of an AI vendor.
In this 2-part series on GDPR and its implications for banks using chatbots, we’ll discuss the specifics of how GDPR affects this area and the gaps in compliance.
Note: The information shared in this series is based on Payjo's learning from our ongoing live implementation at a leading bank in the EU with a presence in 5 countries.
With the growing trend of customers conducting their banking transactions across channels such as websites, WhatsApp, Facebook Messenger, etc., and through a chatbot interface, the data privacy and security concerns are huge. How are banks reacting to this?
In this two-part series we will discuss the critical questions and challenges to be considered by banks and financial institutions, third-party service providers and platform providers operating within the European Union (EU) and the European Economic Area (EEA).
Image 1 – GDPR Structure (Source: IT Governance Ltd)
In a survey conducted by EY among C-suite leaders in early May 2018, 63% of the respondents were aware of GDPR but were still not fully compliant. The respondents were from IT and ITeS, healthcare, pharmaceuticals, automotive, media and entertainment, and banking and financial services. The major challenges for banks were lack of knowledge about compliance requirements, inadequate training, lack of tools, and lack of in-house support from the leadership team. Of these respondents, 70% have reportedly increased their firms' privacy budget for the next year.
The US has always been a hotbed for implementing AI-based technologies to optimize banking services. A survey by Accenture revealed that 71% of customers in the US would prefer automated or self-service support for banking. Large US banks have a significant presence in the EU, and they have now made significant investments in technology, resources, and collaborative partnerships to ensure GDPR compliance.
Strict regulations govern third-party service providers that process a bank's data, and these regulations define the legal relationship between the data subject and the data controllers.
Data Processor – Data processors are organizations that have access to customers' personal data and collect and analyze this data on behalf of the data controller. This can be done either by banks through in-house application development and data processing, or by outsourcing the activity to third-party service providers.
Data Controller – Data controllers are banks that manage personal information from customers for data analysis and processing. As controllers, they define the purposes and means of processing personal data, the flow of information, and data security.
Data Subject – Data subjects are individuals (customers) who share personal information with banking platforms and websites.
Accountability – GDPR gives individual customers full authority and flexibility to hold the bank accountable for its use of their personal data.
Right to know – Banks also have to notify customers and the appropriate national bodies when data has been breached or attacked. This enables people to take the necessary measures as a priority.
Data Erasure – Similarly, data shared with data brokers or data processors can be erased from websites or platforms if the customer does not want their personal data to be processed. The 'right to be forgotten' strengthens customers' rights and gives them the freedom to have their data deleted when there are no grounds for retaining it.
With more customers opting for the erasure of information, there is the danger of businesses not having enough information for analysis, insights, etc. But that is a paranoid thought to entertain, as we believe the number of such customers would be negligible.
“Data controllers can share data with data processors and also export data to third countries, or a third country from the perspective of GDPR. Data can be shared within the European area under strict regulations for both commercial and legal purposes by setting clear obligations on legal data,” says Alan Calder, CEO of IT Governance Ltd, UK.
– Determine the lawful basis for processing clients’ data
– Prepare for the right to data portability and right to erasure
– Hire a data protection officer (DPO) – most banks will employ a DPO to oversee the organization’s regulatory compliance
– Define a data breach reporting process, determine the responsibilities and obligations of data controllers and processors
– Transfer of client data
In Part 2 of our series on the GDPR impact for banks using chatbots, we will discuss in detail what a bank using a chatbot (or deciding to implement one) should do to ensure it is compliant, the technical or architectural requirements expected of a vendor you are evaluating for chatbot implementation, and how customer requests to access, edit or delete data can be honored.