The effective management of vulnerable customers is an absolute must, not only as a regulatory expectation but also because it is socially responsible and good business practice.
However, firms need to be mindful that by so doing, they do not, through lax data protection controls, inadvertently increase this level of vulnerability to unprecedented levels.
Over the last five years, we have seen regulatory interest move into the softer side of compliance, with financial services firms, in particular, being asked to look at how they manage vulnerable customers.
Who are vulnerable individuals?
We have all seen examples in the press, where an elderly or infirm person has money extorted from them by rogue builders, abusive relatives or carers, and the pitiful financial situation that such activity can leave people in.
With this in mind, companies have been encouraged to identify those customers who are more vulnerable than others, but the ICO provides a very broad definition, not just limited to children, the elderly and those with disabilities.
"Individuals can be vulnerable where circumstances may restrict their ability to freely consent or object to the processing of their personal data, or to understand its implications."
One group often forgotten are employees, as the balance of power means that they may not feel that they object to the collection and processing of very personal information. The Covid-19 pandemic is bringing this issue to the forefront for both customers and employees alike.
This means that the category and level of data that a company holds on a data subject may far exceed its original expectations. It could reach deeper into the personal life of that individual than the company had established data storage and retention controls for.
Particularly if these data subjects are also classified as vulnerable adults. If they are then procedures need to be put in place to manage these relationships more effectively.
Risks of collecting & processing vulnerable adults data
Now you are thinking, where will we store this information? How will we protect it? Who will be able to access it? When should we delete it?
These are questions to be answered through a Data Protection Impact Assessment (DPIA).
"Processing the data of individuals who may be deemed vulnerable is one of the criteria in European guidelines for processing likely to result in high risk. If you think your processing will involve vulnerable individuals, then a DPIA will be required should any of the other criteria, or operations on our list, be engaged"
Further, the more information that is collected on an individual, especially of the nature that we are talking about here, the more chance there will be that mistakes will be made.
Data may be recorded incorrectly and rectification notices issued by the data subject, or restrictions issued relating to how this data can be processed by the firm and ultimately rights to be deleted exercised. And the more places that data is stored, the bigger the burden on the data controller to identify them and delete them.
If a firm is required to identify and store details of its vulnerable customers, then such a 'list' or 'database' would become a very valuable commodity to the criminal fraternity, almost a shopping list of who’s who in a world of potential victims.
This opens up distinct possibilities of increased cyber-attacks, external fraud and collusive fraud, and even bribery, with a firm’s staff being targeted by criminals and bribed to supply details of, or access to the 'lists' or 'databases'.
Want to learn more about GDPR?
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.