How Digital Lenders Are Securing Your Personal Data
Opinions expressed by Entrepreneur contributors are their own.
You're reading Entrepreneur India, an international franchise of Entrepreneur Media.
Data has become the most valued commodity in the 21st century. In this era of rapid digitization and increased pace of businesses migrating online, public and private data is utilized extensively either individually, in combination or as inferences drawn from the base data.
While data can deliver immense value, it comes with the associated risks of misuse or misinterpretation, which every organization needs to safeguard against in order to protect public and private users' interests. One such example is the digital lending industry, whose lenders are striving continuously to ensure bullet-proof data protection by employing a combination of physical, electronic, and procedural checks.
Given the sensitive nature of data created and accessed in lending operations including data collection, processing, storage and management, it is imperative that digital lenders employ best practices in cybersecurity as well as establish ethical guardrails around use of customer data.
The current gold standard of policies geared towards personal data security is the European GDPR norms.
In India the government has made endeavours to increase the level of protection offered to citizens under law.
The IT Act, 2000 and the IT Rules, 2011 together form the regulatory mechanism to ensure personal data and privacy protection. Additionally, personal data is protected under Article 21 of the Indian Constitution, which guarantees every citizen his/her right to privacy as a fundamental right.
In 2019, the government of India issued the Personal Data Protection Bill, which, when passed, will be India's first all-encompassing legislation on the protection of personal data.
While GDPR has seen adoption in the western world and we observe a clear movement of these norms travelling eastward, with the likes of Apple and Google leading the charge, the role of the industry in delivering protections to its customers cannot be underestimated.
With this paradigm shift in legislation in the offing, digital lenders need to deploy a host of infrastructure, policy and process changes in order to become compliant.
All aspects of the data lifecycle, from data collection and ensuring consent to security and usage, need an open debate.
Explicit consent communication is the cornerstone of this compliance framework. Lenders must ensure that the communication is true to the spirit of being free, specific and clear, with the intention of informing the customer of his/her choices. The onus is on the lender to make clear to the customer how the data will be collected, stored and used, and what the process is to revoke such consent.
Having a fiduciary duty towards its customers, a digital lender must partner only with third parties that maintain the best standards of data security, to ensure its customers' complete data privacy. Best-of-breed encryption standards (both symmetric and asymmetric) like AES/PGP for data in motion and at rest, advanced 2FA security models, regular VAPT/data security audits and vendor reviews need to become baseline standards in all organizations that want to thrive in this new data economy.
Technology teams also need to dedicate time to keeping themselves abreast of the latest developments, such as honey encryption and quantum key distribution, which will evolve very quickly over the next few years.
Companies need to adopt a "built on cloud" infrastructure model for all their technology and data workloads. This will allow them to leverage many of the advanced compliance and security feature sets that are now becoming standard on most public clouds. The Cloud Security Alliance has published a list of all cloud providers and services along with their certifications under various compliance norms.
Moreover, concepts such as tokenization, real-time DRP and change data capture need to be on the product roadmap of companies that want to lead the way.
Ultimately, the risk of intrusion or unauthorized access cannot be eliminated completely. Cyber security is advancing at a rapid rate, which is matched only by the advance in the sophistication of attacks.
While lenders are extremely careful in guarding their own reputation, they must not forget their responsibilities towards the explicit trust bestowed upon them by their customers. Any loss of this trust in a crisis can be devastating in terms of both business and the amount of trust that customers would want to put in the lender in the future. It is therefore paramount that digital lenders stay ahead of the evolving cyber threats by collaborating with innovators to achieve even higher customer data security and privacy standards, more customer centricity and better user experience, and continue the amazing growth trajectory that the Indian digital lending space has witnessed over the past years.
The modern-day digital lending landscape in India presents an opportunity to lead the way and set the standard.
The change needs to originate from within, as an industry-wide shift in mindset; to rely upon governments to enforce rules and compliance is an unfair ask. The industry must self-regulate. Digital lenders need to think about the line between the letter of the law and its spirit. We must come together, create a common standard and work together to drive that standard higher.