From lock-in to loyalty: Self-Sovereign Identity & Data Portability

Regulatory requirements like open banking rules and the data portability provisions in the European Union’s GDPR tend to be viewed as burdens that force compliance expense and stunt growth. But business leaders can use the opportunity to rise above their competition by embracing data portability. The key is ‘Self-Sovereign’ Identity.

Article 20 of the GDPR defines the new right to data portability. Companies can no longer use the personal data they collect to create customer ‘lock-in’ (the scenario where customers are dependent on a specific service provider as the cost and inconvenience involved in moving to a new supplier is not worth the effort). Under Article 20 an individual has the right to get a copy of that collected data for their own purposes “in a structured, commonly-used and machine-readable format.”

The European Commission introduced a similar data portability scheme when it issued the Revised Directive on Payment Services (PSDR2). It included the concept of “open banking”, which is seen in a variety of initiatives. These provisions require financial institutions to share their customers’ financial data with third parties. As with the GDPR, the individual controls what data they’re willing to share and who they’re willing to share it with.

Complying with the GDPR and PSDR2 has forced businesses to develop data-sharing protocols. Microsoft, Google, Facebook, and Twitter launched the Data Transfer Project to “create an open-source, service-to-service data portability platform.” The British financial industry launched the Open Banking Implementation Entity to support the secure transfer of consumer financial data.

Many products, including Google, Amazon and Salesforce, are using the OpenID Connect protocol to facilitate data organisation. The Application Programming Interfaces (APIs) that these efforts provided offer standardized methods to automate data portability. Open banking has gone global, with Australia, Singapore and the US having made great strides.

Portability means better communication

Businesses leverage the API-based approach to improve not just compliance, but performance as well. Consider the all-important function of recognizing customers. Often, the product lines of a business fall within internal groups, each with their own information systems.

Customer databases are a problem. A customer might sign up for both a mortgage account and a savings account at a bank. The person would often be treated as two separate customers, forcing a separate sign-up for each account. Both the customer and staff end up wasting time.

Creating a single, integrated, or ‘pooled’ customer data source across all product groups would solve this problem. That is the idea behind open banking. There is a catch, however, as making data pools out of data silos could also risk the violation of consent agreements and data privacy regulations — especially when product groups share information with external partners.

By implementing data portability APIs, each product group will have the systems needed to share customer information with each other and external partners. One challenge still remains — how can consumer consent be ensured? The answer is ‘Self-Sovereign Identity’.

Self-Sovereign Identity — data portability simplified

Combining a self-sovereign digital identity system with a system of consent receipts is the most effective way to meet that challenge. Self-sovereign identity not only ensures that a company handles its customers’ personal data correctly, but also that a company can now recognise its customers no matter what products they buy.

Much of the data businesses collect is gathered for a single purpose – to verify their customers’ identities. This enables all other business processes, from service delivery and billing to market research. However, collecting so much personal information damages user experience and increases risks to the business if its systems are hacked.

Self-sovereign identity can be used by businesses to minimise the data they collect. Companies do not have to default to gathering large amounts of customer information. Instead, they’re encouraged to minimise data, and only receive what they need.

One option provided by self-sovereign identity is a cryptographic technique called zero-knowledge proofs. With this technology, a company can get a ‘yes’ or ‘no’ answer to determine whether a consumer meets a specific requirement. This can clarify eligibility, and in some cases, the data on an individual can be ascertained without a business having to store, or even see, the information itself.

A company then needs the consumer’s consent to share their personal data. This can come in the form of a record based on the Kantara Initiative’s consent receipt standard. The record defines what information the customer provided and what sharing permissions the customer granted.

Now, each time a customer buys a different product, their identity is verified and linked to the permissions in the consent receipt. The customer’s personal data is shared with the appropriate product group, so that they can seamlessly interact with different businesses or business units. The best service can now be offered.

The company as a whole benefits from having a complete picture of their customers’ purchasing histories without incurring the expense of re-architecting its entire information infrastructure. Self-sovereign digital identity systems can revolutionize onboarding.

Self-sovereign identity solutions like those provided by Sphere Identity also revolutionize the experience of a customer when they sign up. The first option of integrating multiple systems into one was developed because signing up to platforms was a tedious process.

If a customer only needs to sign up to one database for each platform, or several platforms, onboarding is streamlined. This is not without a heightened risk of breaking data regulations, however. Consent would need to be obtained for every department.

Locking customers in through data retention was always a poor business strategy, creating distrust between consumers and companies. With the twin rise of data portability and self-sovereign identity, a new future is fast approaching. By implementing self-sovereign identity systems, businesses will form a stronger, more loyal customer base.

Editorial Disclosure: Brave New Coin’s parent company, Techemy Limited, is a shareholder in Sphere Identity.

