With ever-expanding and increasingly-complex data sets under the control of almost every financial service provider (FSP), there is an opportunity to unlock the value and potential in that data.
One option is the ability to crunch the numbers to understand trends and develop insights from these large data sets. For example, an FSP might want to determine when is the most or least popular day of the week for sales of widgets in a given area. These insights can be incredibly valuable to merchants, customers, and other third parties. However, navigating the data protection risks of using customer data can be tricky. We set out how FSPs can negotiate some of the key obligations under GDPR when developing insights and identifying trends.
What are insights?
At the risk of using Silicon Valley buzzwords, “insights” are aggregated analytic conclusions or patterns extracted from large data sets, often using learning algorithms, artificial intelligence, or machine learning. For example, a FSP might analyse card transactions, extract consumer spending patterns, and prepare reports of insights and analyses.
Insights are primarily used in three ways:
- For internal use, to help the FSP improve its own service
- For customers, such as merchants seeking to understand their own customers
- For third parties, such as local government or businesses
What GDPR basis should we rely on?
Under the GDPR, FSPs will have to identify a lawful reason, or a legal basis, to develop insights from individuals’ personal data, such as from their purchases and transactions. While the resulting insights and trends should not constitute personal data, the initial data sets will. GDPR will therefore apply to that analysis and aggregation.
Given the challenges in obtaining valid consent, and on the basis that insights and analyses are unlikely to be necessary to perform a contract with those individuals, the legitimate interests basis appears the more viable option. However, developing insights based upon legitimate interests presents two key challenges:
- The FSP must ensure that its and/or a third party’s legitimate interests in developing the insights are not outweighed by the individuals’ rights and interests
- The FSP must give individuals, whose data is being analysed for insights, the ability to exercise a right to object to that analysis
Balancing the books
To ensure that the interests in developing the insights are not outweighed by individuals’ own rights and interests, a legitimate interests assessment (LIA) must be undertaken in advance. In essence, this involves carrying out a balancing test between these competing rights and interests. The aim is to ensure that the result of this balancing test falls in favour of developing the insights, which might involve the introduction of additional safeguards to protect individuals’ data.
When carrying out a LIA, it is worth bearing the following in mind:
- Transparency is a key component of GDPR compliance, and a high degree of transparency will assist in balancing the LIA
- The proposed processing should not come as a surprise to individuals and should be within their expectations, bearing in mind transparency disclosures
- Individuals have the right to object to processing based on legitimate interests, and a mechanism for dealing with objections will need to be implemented
- Financial and transactional data is likely to warrant the need for additional safeguards, such as ‘need to know’ and ‘least privilege’ access
- Applying the principle of data minimisation: the earlier the data is aggregated or depersonalised, the better the chance of balancing the LIA
- Resulting information should be sufficiently aggregated or anonymised so that individuals cannot be identified or singled out from any group
Depending on the specific circumstances, it might also be necessary to carry out a data protection impact assessment (DPIA). The key takeaway here is to think through your insights processing fully and ensure that the necessary limitations and safeguards are built in before any analysis takes place. We consider some of the obligations in more detail.
Transparency is a key principle of GDPR. In relying on legitimate interests, transparency obligations are arguably increased, particularly to ensure the LIA supports the proposal. The key is both informing and managing the expectations of individuals. FSPs must ensure that the development of insights, for example by collating and analysing card transactions, does not come as a surprise to customers. While this might be common practice in certain online services, there are different norms and expectations for financial services that FSPs should consider.
In addressing transparency, FSPs can augment their privacy notices, prepare linked pages, and add help centre articles. However, informing individuals with whom the FSP does not have a direct relationship, such as individuals using in-store point-of-sale (POS) devices, can be more challenging. Providing notices at POS devices, such as using innovative approaches like QR codes for easily-accessible further information, could be of assistance here. GDPR recognises these challenges and provides that where it would involve disproportionate effort to inform all individuals, making the information publicly available can suffice.
In short, regulators are less likely to take issue with insights analysis where it is clearly explained to individuals, and where these individuals can then object to that analysis.
Highlighting the right to object
Under GDPR, individuals have a right to object to any use of their data were it is based on legitimate interests. While the right is not absolute, upon receipt of an objection an FSP must cease processing of an individual’s data unless the FSP can show compelling legitimate grounds which override the objection. For insights and analytics uses, this would be unlikely.
Helping individuals understand their right to object, and providing a means by which they can do so, can be practically challenging. Strictly speaking, GDPR requires that this right be explicitly brought to the attention of individuals in a timely fashion, and be called out clearly and distinctly from other information. There is added complexity if the individuals in question are not customers of the FSP, but, for example, merely interact with a POS device. Similar to the broader transparency obligations, it may not be enough for a FSP to only mention the right to object on its privacy notice. The FSP might need to again think creatively about how these broader groups of individuals can practically exercise their right to object.
Be wary of processing old data
Once FSPs have balanced the risks and allowed for objections, they will need to consider what data they can process. It might be tempting to run analytics on reams of past customer transactions, but that can be risky. GDPR has strict rules on purpose limitation, which limit the uses of existing data for purposes not already described in the privacy notice. Data cannot be processed for new purposes that are 'incompatible” with the original purpose(s) described in the privacy notice or other transparency documents. If customer credit card transactions were previously collected for billing purposes, insights processing may be “incompatible” with billing, and the old data might not be available for use. This means FSPs might need to create new databases to separate data that can and cannot be processed, or develop other solutions to ensure purpose limitation is respected.
A final, but important, consideration when developing analytics and insights reports is that individuals should not be identifiable from the report. This ensures therefore that no personal data is contained in the report. FSPs must ensure that that sufficient aggregation and anonymisation methods are applied. The test is that it should not be possible for anyone, using reasonable means, to ‘single-out’ an individual from any analyses or insights, even if they cannot be named. For example, samples sizes should contain a minimum number of individuals so that someone’s spending pattern would not be reasonably discernible with additional information.
While processing for insights and trends can be a valuable tool for FSPs, it’s important to ensure that individuals’ personal and financial data is protected. However, with good transparency and sufficient safeguards in place, FSPs have the ability to unlock the potential value across the data sets they control.
For more information on the GDPR compliant use of customer data for the development of insights, contact a member of our Privacy & Data Security team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.