Personal Data Protection: How compliant are your customer and employee onboarding processes?
Onboarding is one of the first touchpoints in a customer’s or employee’s journey. It marks the beginning of a relationship. Most companies pour a lot of thought into designing the individual interactions through which customers and employees form their initial view of the business.
We believe that onboarding is in need of an urgent rethink for two reasons. First, the ongoing COVID-19 pandemic has accelerated the shift from physical, paper-based processes to online, digital-by-default ones. Second, the forthcoming Personal Data Protection (PDP) Bill, expected to become law within months, will regulate the acquisition, processing and handling of personal data, and both customer and employee data enter a company's data pipeline through the onboarding funnel.
Though we consider customer and employee onboarding in separate sections of this article, we cover the two seemingly disparate topics together because companies, B2C companies in particular, will have to deal with both at once.
The term 'customer onboarding' denotes a series of interactions that starts with a new sign-up and continues deep into the customer lifecycle. Know Your Customer (KYC) is one such interaction, and through it companies ingest troves of customer-related data. KYC is a regulatory mandate in industries like banking, insurance and telecom.
If we quickly trace the evolution of KYC in the Indian banking sector: following the Prevention of Money-Laundering Act, 2002, the RBI directed financial institutions (FIs) to obtain legitimate proof of identity and proof of address from customers, and by the end of 2005 banks were fully KYC compliant. Thereafter, the regulatory guidelines underwent periodic revisions and banks complied. In 2017, the RBI briefly made Aadhaar-bank account linkage mandatory, until the Supreme Court intervened in 2018 and ruled to the contrary. Over the years, the regulator and FIs have worked to make KYC more customer-friendly. Today, options range from paper-based in-person verification and Aadhaar-based eKYC to the more recent video-based customer identification process (V-CIP). Following the RBI's lead, sectoral regulators such as SEBI and IRDAI have also approved video-based customer identification.
It appears that FIs have struck a balance between meeting KYC/AML regulations and using technology to enhance customer experience. We are not sure that balance will hold once the PDP Bill becomes law and FIs take on the additional obligation to uphold the privacy rights of customers.
Put differently, it will not be easy for FIs to reconcile existing (KYC/AML) and new (PDP) regulations; video-based customer identification is a case in point.
The amended KYC guidelines require regulated entities to record the live video interaction between the customer and the KYC representative, retain that recording, and establish the customer's real-time location through geotagging. Most FIs currently rely on third-party facial recognition technology to match the face in the video or live interaction against the photograph on an officially valid document (OVD).
Under the PDP Bill, the data captured by facial recognition technology constitutes 'biometric data' and must be treated as 'sensitive personal data'. Read together, and translated into PDP terms: to offer video-based customer identification, an FI (a significant data fiduciary) may have to entrust a third-party service provider (a data processor) with customers' facial images (sensitive personal data), and then retain that sensitive personal data in perpetuity. Every link in that chain, the processor engagement, where the data is stored and for how long, is something the PDP Bill will scrutinise.
Fortunately, the RBI has already recognised that consent alone may not be the strongest defence against privacy violations in light of the forthcoming legislation, and has called for a shift from a traditional consent-based approach to a rights-based approach to personal and financial data.
Employee onboarding refers to the set of processes designed to integrate a new hire into the company. Just as customer onboarding is often conflated with the sign-up step, employee onboarding is often conflated with orientation; the onboarding process continues well past an employee's first day at work.
While some companies use dedicated onboarding portals, most still onboard new hires through a combination of phone calls, emails and physical documents. As HR teams begin making the new-hire onboarding process PDP compliant, and aligning existing employee records with PDP standards, here are the important considerations:
- Processors: Employers will have to disclose whether they have engaged a third-party data processor for part or all of the onboarding process, and they remain answerable, as the data fiduciary, for what that processor does with the data
- Communication: Employers will have to tell new hires, through detailed privacy notices, what data is being collected, why it is being collected (purpose limitation), who will have access to it, and for how long (storage limitation)
- Consent: Employers will have to obtain consent from new hires not just for data collection but also for the subsequent processing activities; barring a few scenarios, PDP allows consent to be withdrawn. Note that the Bill also permits some employment-related processing of non-sensitive personal data without consent (recruitment and attendance verification, for example), so employers should map which onboarding data actually rests on consent and which does not
- Minimisation: Even with consent in hand, employers may collect only the minimum personal data needed from new hires for documentation or other stated purposes
- Access: PDP will give employees full access to any personal data their employer obtained consent to retain at the time of onboarding
- Editing and erasure: PDP will also allow employees to request the correction or erasure of personal data they submitted at the time of onboarding, and employers will have to meet such requests within the prescribed time
- Portability: Under PDP, employees will be able to request a copy of their personal data, and the employer (or the onboarding provider acting as its processor) will have to supply it free of charge, within the prescribed time and in a structured, commonly used format
- Storage: Employers will have to respect the consented retention period and the data category when storing data; there are territorial constraints on where certain categories of personal data may be stored and processed (sensitive personal data must be stored in India, and critical personal data may be processed only in India)
Whether in a customer-facing or an employee-facing context, companies will inevitably engage third-party onboarding service providers such as online identity verification platforms. Partners who understand the stakes and prepare the ground for regulatory scrutiny will go a long way on the road to PDP compliance.
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)