Eight out of ten banks do not disclose in their privacy policies that they collect users’ personally identifiable information (PII) such as account number, PAN and Aadhaar number, according to a report on Digital Personal Data Protection (DPDPA) Compliance and Indian Banks by IDfy.
The report indicates the need for data minimisation: some banks collected the employer’s name, work email ID, religion, and caste to open a bank account, while others did not.
Education loans are another avenue where an individual’s PII is vulnerable, as 75 per cent of the PII data collected during the educational loan process was found to be sensitive PII data.
The report also highlights that nine out of ten banks did not have a cookie consent banner and a mere seven per cent of the cookies found were actually ‘necessary’. The report was created after analysing more than 25 digital journeys of the top ten banks in India.
Moreover, the report delineates the obscurity of the banks’ cookie collection practices. None of the banks collected parental consent while processing a minor’s data. The report brings to the forefront the practice of banks asking for needless information like employee designation for home loans or marital and spouse details for personal loans, which are not integral to credit underwriting.
Ashok Hariharan, chief executive officer (CEO) and cofounder, IDfy, said, “The phrase ‘Data is the new oil’ is an old adage. Responsible use of PII is required if companies are interested in keeping their customers’ trust, and we, as brands, need to relook at how, and for what purpose, we are using customers’ data. Business models have to change in order for brands to now build trust in the new DPDP world. As custodians of sensitive customer information, banks play a crucial role in espousing data privacy standards.”
The report aims to uphold the necessity of the data protection act and urge organisations to partake in a privacy-centric future.