Data Privacy and Digital Lending | Part 2

Shweta Singh, Business Development Lead | Nov 22, 2018



This is part 2 of a two-part series on data privacy and its impact on digital lenders. Part 1 explores the current and proposed legislation around data privacy in India. Click here to read Part 1.

Digital lending witnessed unparalleled growth in India owing to lower origination costs, higher customer-centricity, better user experience and favourable market conditions.

With this paradigm shift, lenders are interfacing with more data than ever before and need to catch up with upcoming data privacy legislation.

The following recommendations will help digital lenders stay compliant with existing and upcoming data privacy laws and regulations.

1. Explicit Consent Communication

Digital lenders must focus on the following aspects of consent communication:

  • Free : There must be no fee/charge for accepting or denying consent

  • Affirmative Action : Consent should be taken after an affirmative action, such as pressing a button or giving a voice command. It shouldn’t be thrown at users directly, out of context.


  • Specific : Consent should mention the exact data points to be collected

  • Clear : Consent communication should be unambiguous and non-abstract

  • Informed : The customer must be informed about the intended use of the data



Consent should be Specific, Clear and Informed

  • Revocable : The customer must have the option of withdrawing consent and stopping data collection



Consent should be Revocable

2. Privacy Policy

A privacy policy is a statement or a legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client’s data.

The customer must agree to the privacy policy before data collection commences. A well-defined and comprehensive privacy policy is the best way to steer clear of concerns from regulators and customers.



Do’s and Don’ts of a Privacy Policy

3. Third-Party Partnerships

Maintaining data privacy requires the highest standards of information security. Lenders must evaluate the information security standards of their partners. For a compliant partnership, a third party should meet the following hygiene factors:

  • Should be compliant with ISO 27001 or similar certifications

  • Location of servers hosting customer data should be India

  • Should encrypt data at rest and in motion

  • Should tokenize sensitive data

  • Should have defined incident management & business continuity plans

  • Should have a data backup and recovery process

FinBox is an ISO-27001 technology product company working with banks & NBFCs to digitise their customer journeys & to help them underwrite NTC customers using alternative data from the smartphone.

We have created a checklist to evaluate third-party vendors on data privacy and information security standards. Please fill in this form to get your copy mailed to you.

Please feel free to reach out to me at harsh@finbox.in for a discussion around data privacy and digital lending.

