VFS Global collects sensitive data from visa applicants. Source: Shutterstock

Why 60+ governments trust VFS Global with visa applicants’ data

MOST FOREIGN embassies outsource the non-judgmental aspects of the visa application process so that their staff are relieved of the administrative burden and can focus only on the critical task of decision-making, i.e., whether to grant a visa or not.

So, when an Indian citizen wants to travel to Malaysia or France, for example, they visit a designated VFS Global visa application center to submit the visa form with the required documents and, if it is part of the process, enroll their biometrics in a secure environment.

Each of these applications contains sensitive data, ranging from personal identity documents to financial status and medical history.

Client governments put their trust in visa application providers such as VFS Global, which must adhere to the strict rules governing the capture, usage, and storage of data that exist in some parts of the world, such as the European Union.

“We work for over 60 client governments and operate in 147 countries globally and have in excess of 3,000 visa application centers in 513 cities. Through these, we accept more than 25 million visa applications each year,” said VFS Global’s Privacy & Group Data Protection Officer, Barry Cook, in an exclusive interview with Tech Wire Asia.

Cook acknowledges that a lot of information that VFS Global collects is sensitive and requires their utmost care.

“We are trusted with data including fingerprints and other biometric data that has an enormous value if monetized – which is why we are incredibly careful that it never gets in the wrong hands.”

VFS Global not only understands the value of the data but is mindful of the risks associated with its storage.

“We don’t retain information because it is too much of a liability. As soon as we’ve collected information in paper format, we pass it on to a diplomatic mission for processing, and if the information is collected electronically, we delete it from our system as per the timelines specified by our client governments.

“Biometric information, on the other hand, is collected and passed instantaneously to the local diplomatic mission”.

Adopting this approach is something which Cook believes greatly reduces the risk to the individual applicant, and to the company.

Understanding the mechanics of trust

Cook is a thought leader in the data privacy world and has worked across a range of industries, from aviation and banking through to pharma. He is well versed in the meaning of data privacy and its relationship with trust and, since joining VFS Global in 2017, has led the organization’s data privacy and compliance efforts.

“My role is to ensure we maintain compliance, across the board. The baseline I currently use is the EU’s GDPR, as it’s the highest standard globally and, in most cases, the most comprehensive.

“We’ve adopted the principles and requirements of the GDPR into our corporate policy in the past two years; it’s now embedded into our corporate function and cascades into our operations quite seamlessly.”

Operating in a small, globally present team, Cook leverages dedicated technology-powered privacy tools not only to keep an eye on amendments to data privacy laws but also to ensure effective compliance across the organization.

“It’s not a checkbox exercise”, Cook tells me, when I ask about the importance of compliance across markets. “It’s an incredibly critical task — and given the space in which we operate, it can make or break our business”.

“Instead of following a tickbox compliance method, I use a best-in-class model because it actually makes a difference to our bottom line. The work we put into our data privacy and compliance function is a unique selling point and a brand differentiator for our clients.”

The EU’s GDPR is the “gold standard”, according to Cook, but it’s not the only set of regulations that the company adheres to.

For example, in Russia, local legislation requires that companies store all data on local servers – a requirement termed data localization – and, as part of their contract of operation, VFS Global complies with this law.

“We’re in the trust business. By demonstrating that we’ve high standards in privacy and data compliance, we can give our customers a very strong level of confidence that it’s safe for us to handle their sensitive data”, Cook said.

Practical advice for data protection officers

Data privacy is serious business in this day and age.

Organizations that fail to understand its significance will not last very long in a world where customer interest in data privacy is peaking, and where questions are being asked about trust and about how data should be shared, stored, and exchanged.

Although the EU’s GDPR has mandated Data Protection Officer (DPO) roles for many organizations, not many organizations understand compliance or its benefits.

As a result, DPOs & Privacy Professionals are having to fight internal boardroom battles across their compliance initiatives.

“We’re in a new world”, according to Cook, and “it’s important that Privacy Professionals can connect with staff across all departments of their organization”.

He suggests that DPOs & privacy professionals do the following to yield better results in their everyday workflow:

# 1 | Talk to the senior leadership team in a language they understand

In short, DPOs should stop talking about just the need for compliance or the letter of the law. Instead, they need to discuss metrics and KPIs when talking about data protection.

“Talk the language of the board and develop metrics that show how successful privacy initiatives work and what they can achieve. Be able to demonstrate what good looks like”, advises Cook.

This is incredible advice, especially for new DPOs who have recently moved to the world of data protection and compliance from an allied field.

# 2 | “Forget what can’t be done”

“If you always say no, nobody in the boardroom is going to ask you for your opinion or advice. If you do have to say no, always ensure you provide an alternative — because there is one. That way, data privacy becomes an enabler instead of a hindrance,” Cook added.

DPOs often get entangled in the letter of the law and forget about the possibilities.

However, if they expect to have the support for their initiatives and drive the organization towards better compliance and control over data, the DPO needs to think outside the box and help the business move towards its goals — without neglecting compliance requirements.