The consequences of not getting up to speed on data security can be crippling for a small business, both financially and from a customer retention perspective.
It can be hard to know where to start navigating the waters of Know Your Customer (KYC) and Anti-Money Laundering (AML) checks when it comes to data privacy. But it is essential to get the basics right.
Data protection legislation is principles-based and so gives you some autonomy in terms of being able to make decisions about how exactly you manage information best. This allows organisations of all different shapes and sizes to operate within the law and do the best thing for their customers without running to unnecessary expense or additional resources.
How do you collect your data?
It’s all too easy to just think about consent when you consider data privacy.
A lot of checks are conducted to comply with specific AML legislation, and that processing is necessary. What’s important to bear in mind – particularly in a GDPR context – is that a legal obligation only serves as the basis for processing where it arises under EU or member state law, or, in the UK context, under UK law.
KYC checks are conducted in the interests of protecting your organisation, and you should be able to demonstrate that those interests are sufficient relative to the risk of intrusion. This means you should conduct an assessment that shows any regulator that you’ve given the matter due care and attention, considered the risks and put adequate measures in place. If you cannot demonstrate this, you are much less likely to be able to show that you have met your obligations.
Are you minimising the data you collect and keep?
We hear reports of people doing KYC checks involving social media scraping in order to make an evaluation about their customers’ perceived wealth and assets. But it’s not within the purview of an organisation to go around hoovering up people’s social media feeds. This is not proportionate processing for the types of checks that are taking place. Seeing whether someone’s got an extra fancy car, or is taking lots of holidays, in order to question the source of their income, is not ok.
How much information do you need to collect and what information do you need to record and keep? If you’re working with a third party, what information does that third party report back to you? And what information do you need in order to form a judgement about someone? Are you asking them to report that they’ve passed a credit check or are you asking for a detailed 35-page Experian report? It’s important to stay on the right side of minimisation by collecting only the information that’s necessary to fulfil the purpose of confirming the checks.
It can be tempting to use a blanket approach to evidence collection but this is a risky strategy. Instead, tailor your approach according to the risk that applies, not just from a data protection perspective but also from a generalised AML perspective.
The two things go hand in hand. Doing the right thing in terms of your organisational process should end up with you doing the right thing from a data protection perspective. Acting responsibly with regard to people’s information is just an extension of acting responsibly around your interactions with them. You build trust by acting appropriately and – crucially – you lose trust by failing to do this.
If you ask a customer for a copy of their passport, are you currently asking for an unredacted copy? Or are you simply verifying their identity and then redacting the record that you keep? What you really need is a record that you have verified their identity. There are plenty of high-end technological ways of redacting evidence, but a thick black pen or a scanned photocopy with pieces cut out works just as well. Holding on to the original evidence leaves the data wide open to misuse, and leaves you open to breaches.