Avoka and General Data Protection Regulation (GDPR)

An Avoka Transact Technical Note


As of May 2018, European organizations must comply with the EU General Data Protection Regulation (GDPR), a set of rules designed to put individuals in control of the personally identifiable information (PII) that institutions store about them, and to create significant liabilities for non-compliance.

The GDPR introduces additional rights for Data Subjects (end users) to protect their personal data, and describes the responsibilities of Data Processors and Data Controllers in protecting that data. A Data Controller is the entity, such as a bank, that determines what personal data is captured and how it is to be used. Avoka functions as a Data Processor, an entity involved in providing services that process, store or transmit the data on behalf of the Data Controller.

GDPR creates requirements for new classes of services and transactions that Controllers must provide for Data Subjects, such as inquiries into the data that a Controller has stored on a Subject, and requests to delete all or portions of the Subject record.

Avoka Transact is a platform for customer engagement, specializing in managing complex customer transactions.

GDPR puts complex burdens on the Customer Experience (CX), requiring a dedicated engagement system to handle the new requirements for consent, access rights, and identity verification to ensure compliance. Avoka Transact is uniquely suited to help institutions rapidly develop, deploy and adapt those customer experiences as demands evolve.

GDPR Details

Some of the key GDPR Articles that affect data controllers are:-

An important GDPR concept is Privacy by Design, which implies a single repository of protected information rather than disparate stores. This puts emphasis on pre-fill and data integration with back office systems.

Use of Avoka Transact for GDPR

These articles give rise to requirements to validate customer identity, capture and record consent, track the source of customer data throughout its lifecycle, integrate with a master data store, and make the CX accessible through multiple digital and traditional channels. Avoka Transact is ideally suited to the development of all of these capabilities.

For example:

  • Transact can assist our Data Controllers to rapidly develop and deploy new form sections that explain the intended use of data and customer rights, and that capture end user consent. Form logic can assist with applying decisions based on the data entered, for example using date of birth to check that people under 16 do not apply without consent.
  • Service requests unique to GDPR, such as giving customers the ability to lodge requests and exercise their rights, can be easily developed.
  • Avoka Transact is a store-and-forward service, rather than the final system of record for customer data, and can be linked to the centralized data store to feed and retrieve data. Because it does not create a permanent repository for collected data but rather integrates with an existing system of record, Transact fits well into the GDPR Privacy by Design concept.
  • Transact's data retention and automatic purging policies can be adjusted and monitored to ensure that data is only retained for the minimum duration needed and is purged afterward.
  • Data Controllers can use the management console to retrieve or delete records of in-flight transactions (if they haven’t already been purged) and end users can use the “save-resume” features on forms to ensure the initial data entered is correct.

Speed to Market & Agility

GDPR creates a long list of new requirements that push the cost and risk of “development from scratch” beyond the reach of financial institutions.

Avoka has a demonstrated record of creating similar systems for KYC and Customer Due Diligence, and for other complex onboarding processes, on very short schedules. Using the Avoka Transact platform as a base, a system that would require 12-18 months to build internally can be created in as little as three months.

This also places critical importance on Agility. With the new and complex regulation, there will be a steady stream of changes required in any institution. The ability to rapidly adapt, quickly introduce new features, modify the CX and address variations across products and geographies is a demonstrated Avoka strength.
