Post-PSD2: Use of data between added value for customers and data sovereignty
The digitisation of business processes brings many benefits not only for businesses but particularly also for citizens: using data-based analyses, their behaviour and thus also their wishes and needs can be better ‘understood’. This allows businesses to offer customised products at the right time and thus deliver individual added value.
The Second EU Payment Services Directive (PSD2) in particular shows, on the one hand, how much interest there is in using account data to offer services and, on the other hand, how important it is at the same time to give citizens control over how account data is disclosed and used.
In order to reconcile added-value services and control for citizens over their own data, policymakers and market participants should base their actions on the following requirements:
1. Added value for citizens through use of data
Citizens can be offered significant added value through use of their data without restricting protection of their data or their privacy.
Digitisation allows new added-value approaches from which customers can benefit in the form of better, i.e. high-quality, quick, simple and low-priced, products and services. Significant added value is created, for example, by
- identifying customers’ actual needs,
- customising products and services,
- protecting customers against financial losses and
- enabling banks to manage risks more accurately.
Legislators and data protection supervisors are therefore called upon to create a suitable framework for the use of data while at the same time ensuring that data is protected.
2. User-friendly transparency on the use of data
Providing transparency on the use of data geared to the customer’s needs is the right approach to strengthen the customer’s data sovereignty and create trust in disclosing data for innovative products. This requires developing and implementing practical transparency approaches and control tools.
Today’s data privacy policies often make it virtually impossible for customers to obtain a picture of how their personal data is processed. Additional guidance in the form of an easy-to-understand, uniform code – like the ‘traffic light’ food labelling system – should be provided. A customer-friendly transparency approach should therefore comprise two levels:
- Simple, easy-to-understand consumer information on the use of data, e.g. in the form of symbols.
- Detailed legally binding information on and explanation of the symbols, e.g. on a website or upon request.
3. Easy-to-control data use via a data dashboard
Besides sufficient transparency, citizens should be able to control and track use of their data by providers more easily and conveniently than in the past. In this way, they would be empowered to exercise control over their data consciously and independently.
In practice, the large number of counterparties and different types of contract that individuals face make it virtually impossible for them to keep track of who may use their data, what for, and to what extent.
An effective means of control could be a cross-provider data protection dashboard allowing users to recognise and determine at a glance what data is used by what providers for what purpose and to what extent. Users could also specify via the cockpit what online companies they share full personal data with and whom they would only like to deal with using a pseudonym. Authorisation given to access data could also be subsequently altered or withdrawn; for this, there should be an access protocol.
A cockpit solution could be made available, on the one hand, by data-processing companies within the user profile but, on the other hand, also by trusted third-party providers that bring together data and identity management – like the personal finance management services aggregating bank accounts – in one place.