Mumbai: VFS Global, which processes about five million visa applications from Indian citizens annually, has its work cut out with the country insisting that its residents’ personal data should be processed and stored on local servers. In a recent interview, Barry Cook, privacy and group data protection officer at VFS Global, explained how the organization is approaching the issue, and also shared his views on leveraging artificial intelligence (AI) to make visa processing more efficient. Edited excerpts:
How has the European Union’s General Data Protection Regulation (GDPR) impacted how you handle personal data?
It starts very early on, from the time when a person comes to our website looking for information about visa and travel anywhere. We have to make sure that the website is compliant—taking care of simple things like cookies, or the small files placed on the computer from the browser session. In certain countries, we have to seek permission to put those files . Also if we are using any analytics, like Google Analytics, we have to make the individual aware that we are doing so, and allow the to not accept it.
So we have to have a privacy notice which declares what we are doing with the data, which includes who is responsible for processing it—how long that data is retained, to whom it may be passed on, which countries are involved and how to make a complaint. The rights of the individual are also outlined. We take the highest standard as our base line. Currently that standard is GDPR. We do this because it is obviously fair for the applicants but also from my aspect of managing data protection across 130-odd countries with over 2,500 visa application centres.
What’s the impact of data localization?
Data localization can hit us hard—it means you have to consider relocating servers from various countries into India. Or it may actually be a less impactful approach, depending its definition, which is that the serving copy must be held in India. That’s actually a very loose expression. Does that mean the primary copy of data or is it the secondary copy of data? It’s obviously something we are tracking very closely and we are working on contingency plans, based on the different scenarios that could evolve.
How is your AI bot Viva helping you in visa processing?
Viva is one of our first forays into AI. And it provides a very fast response for visa applicants (can currently handle 10,000 enquiries per second 24x7, or 864 million in a day) as opposed to phoning a call centre and waiting a few minutes to get an answer. As of now, it’s just a text chat bot. Voice is the next step but it’s a complex one.
What steps are you are taking to reduce the bias in AI?
We adopt the concept of privacy by design and default. What that means is wherever there is a decision to be made by the algorithm, we look at the outcomes of that decision and choose the default one—the one that preserves the privacy of the individual.
As a group data protection officer, what data trends are you seeing?
Over the last year, there have been approximately 100 new laws. GDPR accounted for roughly 25 of the 100 laws, so the figure is a bit skewed. But even if we say 75 laws have been passed in the last year, it is still a huge number. GDPR has pushed data privacy onto the agenda for a lot of countries. So, governments are now reacting to this and passing data protection laws. It is putting the ownership of data back in the hands of the individual, which is where it should be anyway.