From Lock-In to Loyalty: Self-Sovereign Identity & Data Portability

Sphere Identity
Apr 23, 2019 (5 min read)

Regulatory requirements tend to be viewed as burdens. The data portability provisions in the European Union’s GDPR and open banking regulations, for instance, might seem to force compliance and stunt growth. But business leaders can use the opportunity to rise above their competition by embracing data portability. The key is Self-Sovereign Identity.

Consumer Rights Reinforced

Article 20 of the GDPR defines the new right to data portability. Companies can no longer use the personal data they collect to create customer “lock-in”. An individual has the right to get a copy of that collected data for their own purposes “in a structured, commonly-used and machine-readable format.”

The European Commission introduced a similar data portability scheme when it issued the Revised Directive on Payment Services (PSD2). It included the concept of “open banking”, which is seen in a variety of initiatives. These provisions require financial institutions to share their customers’ financial data with third parties. As with the GDPR, the individual controls what data they’re willing to share and who they’re willing to share it with.

Complying with the GDPR and PSD2 has forced industries to develop data-sharing protocols. Microsoft, Google, Facebook, and Twitter launched the Data Transfer Project to “create an open-source, service-to-service data portability platform.” The British financial industry launched the Open Banking Implementation Entity to support the secure transfer of consumer financial data. Many products, including Google, Amazon and Salesforce, are using the OpenID Connect protocol to facilitate data organisation. The Application Programming Interfaces (APIs) that these efforts provided offer standardised methods to automate data portability. Open banking has gone global, with Australia, Singapore and the US having made great strides.

Portability Means Better Communication

Businesses leverage the API-based approach to improve not just compliance, but performance as well. Consider the all-important function of recognising customers. Often, the product lines of a business fall within internal groups, each with their own information systems. Customer databases are a problem. A customer might sign up for both a mortgage account and a savings account at a bank. The person would often be treated as two separate customers, forcing a separate sign-up for each account. Both the customer and staff end up wasting time.

Creating a single, integrated, or “pooled” customer data source across all product groups would solve this problem. That is the idea behind open banking. However, making data pools out of data silos could also risk the violation of consent agreements and data privacy regulations — especially when product groups share information with external partners.

By implementing data portability APIs, each product group will have the systems needed to share customer information with each other and external partners. One challenge still remains: how can consumer consent be ensured?

Self-Sovereign Identity — Data Portability Simplified

Combining a self-sovereign digital identity system with a system of consent receipts is the most effective way to meet that challenge. Self-sovereign identity not only ensures that a company handles its customers’ personal data correctly, but also lets the company recognise its customers no matter what products they buy.

Much of the data businesses collect comes down to a single purpose: to verify their customers’ identities. This enables all other business processes, from service delivery and billing to market research. However, collecting so much personal information damages user experience and increases the risk if the business is hacked.

Self-sovereign identity can be used by businesses to minimise the data they collect. Companies do not have to default to gathering large amounts of customer information. Instead, they’re encouraged to minimise data, and only receive what they need.

One option provided by self-sovereign identity is a cryptographic technique called zero-knowledge proofs. With this technology, a company can get a “yes” or “no” answer to determine whether a consumer meets a specific requirement. This can clarify eligibility, and in some cases, the data on an individual can be ascertained without a business having to store, or even see, the information itself.

A company then needs the consumer’s consent to share their personal data. This can come in the form of a record based on the Kantara Initiative’s consent receipt standard. The record defines what information the customer provided and what sharing permissions the customer granted.

Now, each time a customer buys a different product, their identity is verified and linked to the permissions in the consent receipt. The customer’s personal data is shared with the appropriate product group, so that they can seamlessly interact with different businesses or business units. The best service can now be offered. The company as a whole benefits from having a complete picture of their customers’ purchasing histories without incurring the expense of re-architecting its entire information infrastructure. Self-sovereign digital identity systems can revolutionise onboarding.
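How a consent receipt can gate sharing between the bank's mortgage and savings groups, as an added example that is not from the original article or from Sphere Identity. The receipt layout and field names are simplified assumptions for illustration, not the Kantara schema, and the receipt and customer record are constructed.

```python
from datetime import datetime, timezone

# Constructed consent receipt. Field names are simplified assumptions,
# not the Kantara consent receipt schema.
RECEIPT = {
    "receipt_id": "example-receipt-001",
    "subject_id": "customer-42",
    "expires": "2030-01-01T00:00:00+00:00",
    "grants": [
        {"recipient": "savings", "purpose": "account_opening",
         "fields": ["full_name", "date_of_birth"]},
        {"recipient": "mortgage", "purpose": "account_opening",
         "fields": ["full_name", "date_of_birth", "annual_income"]},
    ],
}

# Constructed customer record.
RECORD = {"full_name": "Alex Example", "date_of_birth": "1990-05-17",
          "annual_income": 58000, "home_address": "1 Sample Street"}


def release(receipt, record, subject_id, recipient, purpose, requested, now=None):
    """Return only the fields the receipt allows for this recipient and purpose.

    Raises PermissionError when no grant covers the request, so the default
    is to share nothing.
    """
    now = now or datetime.now(timezone.utc)
    if receipt["subject_id"] != subject_id:
        raise PermissionError("receipt belongs to a different subject")
    if now >= datetime.fromisoformat(receipt["expires"]):
        raise PermissionError("consent has expired")
    for grant in receipt["grants"]:
        if grant["recipient"] == recipient and grant["purpose"] == purpose:
            allowed = set(grant["fields"])
            break
    else:
        raise PermissionError(f"no consent for {recipient}/{purpose}")
    denied = sorted(set(requested) - allowed)
    shared = {f: record[f] for f in requested if f in allowed and f in record}
    # The audit entry names what was shared or withheld without copying values.
    audit = {"receipt_id": receipt["receipt_id"], "recipient": recipient,
             "shared": sorted(shared), "denied": denied, "at": now.isoformat()}
    return shared, audit
```

A request from a group with no grant raises instead of returning an empty result, so a missing consent is visible to the caller and cannot be mistaken for "no data on file".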

Self-sovereign identity also revolutionises the experience of a customer when they sign up. The first option of integrating multiple systems into one was developed because signing up to platforms was a tedious process. If a customer only needs to sign up to one database for each platform, or several platforms, onboarding is streamlined. This is not without a heightened risk of breaking data regulations, however. Consent would need to be obtained for every department.

Self-Sovereign Identity offers great customer experiences and lowers the risk of regulatory repercussions. The amount of data that must be portable is minimised and the lengthy sign-up processes are streamlined. No longer is the customer experience riddled with endless questions and form fields. Businesses make their onboarding process easy, and in many cases, ‘typeless’.

Locking customers in through data retention was always a poor business strategy, creating distrust between consumers and companies. With the twin rise of data portability and self-sovereign identity, a new future is fast approaching. By implementing self-sovereign identity systems, businesses will form a stronger, more loyal customer base.

Sphere Identity streamlines the customer onboarding process in a safe and compliant way while also giving individuals their privacy back.
