Data privacy in digital payments: Navigating regulatory compliance and consumer expectations
23 / 04 / 2024
Digital payments are going through the roof, slowly transforming the country into a less cash economy. However, one area that requires additional focus to make the country’s digital economy efficient and resilient – is data privacy.
The rise of digital payments in India is a tale to tell. As we move aggressively towards becoming a $5 trillion economy, means of digital transactions like UPI continue to enable financial inclusion. A whopping 12.02 billion UPI transactions happened in India in December 2023. Nearly 59% of these transactions were Person-to-Merchant (P2M). This is without adding digital wallets and other means of online payments.
With businesses and transactions moving online, there’s a greater risk of sensitive data, including customers’ private details, falling into the wrong hands. The onus is on business owners to take measures to safeguard the data privacy of their customers.
Digital payment security risks and cyber threats
India’s digital payment framework, businesses, and customers face many digital security risks and threats, including phishing scams and identity theft. Notorious hackers often use malware to siphon off funds or steal sensitive data. Stealing funds or data through phishing remains a million-dollar industry in the country and a billion-dollar industry worldwide. An astronomical Rs. 5,574 crore was lost to online frauds in 2023 alone. On top of that, a lack of public awareness about security practices makes the job easier for hackers. Ill practices like using unprotected public Wi-Fi and not using 2FA (two-factor authentication) continue to trouble users and lawmakers.
But above all these risks is the risk of identity theft and misuse of sensitive data. It is to protect against the misuse of users’ sensitive data and keep a check on those gaining access to it, that the Indian government passed the Digital Personal Data Protection (DPDP) Act, 2023.
Digital Personal Data Protection Act, 2023: A stepping stone
The 2023 act, while allowing the use of personal data for any lawful purpose (after the user’s consent), states that the data collected has to be limited to that necessary for the specified purpose. It also provides individuals with the authority to withdraw their consent.
However, the DPDP Act is just a stepping stone on the journey to a secure digital economy. The biggest challenge is to educate users about data safety practices and make them realize the importance of sensitive data. Also, all this has to be done while encouraging innovation and offering a favourable environment to businesses.
Customer attitude towards data privacy
According to a 2018 survey, nearly 79% of respondents were not comfortable with the selling of their data to third parties. But before the DPDP Act, they had no means to stop the misuse of their data. As a defence mechanism, a significant share of users started filling out fake details (e-mail, contact numbers, etc) to prevent data misuse.
However, it is important to note that only 50% of the country’s population uses the internet. Once the internet penetration level rises, first-time users may not have the same level of awareness. Thus a law like the DPDP Act can only do something when the end user is aware of the problem’s magnitude.
In a county where only 23% of users reach T&C (terms and conditions) before giving consent to use their sensitive data, a lot needs to be done at the local level to minimize, if not eliminate data misuse.
The road ahead: Taking merchants on board
Customers are only one part of the digital economy. Two other key stakeholders are businesses and payment merchants. The best way to reach the masses is to organize webinars, seminars, and discussions in collaboration with these stakeholders to increase awareness about data security and online financial fraud risks and set consumer expectations about data privacy.
The government must collaborate with the stakeholders to ensure data mapping, and classifying different types of information based on sensitivity levels. Businesses must communicate their data privacy policies and guidelines to merchants and the same should be conveyed to end users as well. Comprehensive guidelines and financial regulations should be issued by the concerned entities to ensure regulatory compliance with the data protection rules.
The stakeholders should also invest in data protection tools and carry out regular security audits to eliminate loopholes. Finally, there must be incentives for complying with the data protection rules to encourage increased participation. Data is at the core of the digital economy and hence, it is the most valuable asset for individuals as well as governments. A comprehensive approach is the need of the hour to ensure a seamless transition into the digital era.