Effect of Data Minimization on Small Businesses
The onset of data minimization will have a great effect on small businesses
which rely on API’s to record and credit recurrent payments to the accounts
of their customers. An example is an estate agency which collects rent
through a till number and an API credits payments to rent accounts based on
the phone number. With the current masking on the number i.e. +2547xxxxx015
or the default +254700000000, the API will no longer know where to credit
the rent received via till. Another example is the Naivas Supermarket
Loyalty program which rewards loyalty points automatically to a customer
who pays for shopping via Lipa na MPESA. Going forward, this will not be
possible.
Not sure whether there is any workaround around this problem. I personally
think the data minimization should apply to generated till statements and
not to information shared at an API level since this affects how some
systems work. Or there should be a provision where businesses commit not to
share data collected through payments with third parties under any
circumstances.
At the very least, data minimization should happen at the person to person
level where MPESA allows me to know your three names just because I sent
you money.
Please share your thoughts.
Best Regards,
——————————–
*Nick Ngatia*
Email <[email protected]> *|* Facebook
<www.facebook.com/niccoswagg1> *|* *Twitter
<www.linkedin.com/in/nick-ngatia-a6b06a7b?trk=nav_responsive_tab_profile_pic>
*
*Skype:* *nick.ngatia** |* *Phone:* *+25**4 (0) 711 42 2015*
*”Development Towards Sustainability is far too more important to leave it
to chance.”*
———————————
On 04/06/2024 17.42, Twahir Hussein Kassim via KICTANet wrote:
Loyalty cards with bar codes or QR codes would not cause a huge delay.
How can one enforce compliance? What will be the resulting increase in
administration costs? Will businesses be able to obtain data breach
insurance to compensate those affected by data breaches?
One can use a hash function (
en.wikipedia.org/wiki/Hash_function ) to mask the telephone
number. One would probably want to update the API to offer the
possibility of adding a transaction reference number. Probably it would
be easiest for such APIs to be openly developed, allowing easy
incorporation of feedback. If only the telephone number is used, what
happens when one changes telephone number or one has several telephone
numbers that are used for mobile money? What happens if one uses an
alternate money transfer mechanism such as bank transfer?
For those that want to enroll in loyalty point programs, issuing a tag
with a barcode/QR code or other similar marker that can be quickly
scanned and can be attached to a keychain should work and be easy to
process.
Businesses may also be subject to data breaches even if there is a
decision not to intentionally share data with third parties. Unlike
banks where misuse of computer systems to transfer money is traceable,
unauthorized data transfers are much more difficult to detect.