This article supports Deep Dive A: GDPR, Vulnerability and Data Protection Practice, the extra deep-dive hours attached to our CPD Event A: Full-Day Regulatory Privacy Training programme on XpertAcademy. Event A provides the seven-hour CPD programme; the Deep Dive material is there for organisations and learners who want to go one level deeper through practical exercises and real-world GDPR, vulnerability and fairness scenarios. Completion and certification are tied to the relevant XpertAcademy learning activity, rather than to reading this article on its own.
Digital-first service design can be efficient, secure and easier to evidence. It can also create a dead end for people who cannot use the standard route.
The data protection issue is not that every organisation must offer every possible channel forever. The issue is whether the controller has considered how digital journeys, authentication controls, identity checks, payment processes and staff scripts affect people who need support. A process that works well for most users may still create unfairness, exclusion or repeated burden for foreseeable groups.
For Deep Dive A, this is where GDPR becomes practical. Fairness and transparency are not satisfied by a privacy notice sitting beside an unusable process. Accountability is not satisfied by saying "the system requires it" when nobody has assessed what happens when the system fails the person.
Digital-first is not the same as fair by default
Digital-first journeys often rest on sensible goals: reduce fraud, improve security, lower cost, speed up service, strengthen audit trails and reduce uncontrolled email handling. Those goals matter. A weaker process can also harm people, especially where identity theft, account takeover or payment fraud are real risks.
The problem comes when the standard journey becomes the only journey.
People may be excluded because they do not have private internet access, cannot receive SMS codes, use assistive technology that the portal does not support, cannot pass a biometric check, do not have current identity documents, rely on a carer or advocate, have fluctuating capacity, are in an abusive household, cannot use a smartphone, or are trying to resolve an urgent payment issue under stress.
Those are not edge cases in many essential services. They are predictable service-design facts.
GDPR does not prescribe a customer service channel list. It does require controllers to process personal data fairly, transparently, securely and accountably. Where a digital process determines whether a person can access service, make a payment, update details, complain or exercise rights, the privacy team should ask whether the route is fair in practice.
Authentication friction as a privacy risk
Authentication is often treated as a security control only. For privacy teams, it is also a fairness and access issue.
Strong authentication protects accounts and personal data. But authentication controls can become disproportionate or unusable when there is no alternative route. A person who cannot receive an SMS code may be unable to pay. A person who fails automated identity verification may be unable to correct data. A person whose account is controlled by someone else may be forced back into an unsafe channel.
The correct response is not to weaken security casually. It is to design controlled exceptions.
An authentication exception process should define:
- when the standard method may be bypassed or supplemented;
- what alternative evidence is acceptable;
- who can approve the exception;
- what staff may disclose before identity is confirmed;
- how the exception is logged;
- when the exception expires or is reviewed;
- how suspected coercion, fraud or safeguarding concerns are escalated.
That gives staff a route between two bad options: refusing help because the script fails, or disclosing personal data because they feel sorry for the caller.
Worked scenario: payment blocked by the standard route
Assume an organisation provides an essential subscription service. It has moved payments into an online account area. Customers log in, pass multi-factor authentication, add a card, and receive automated receipts. The organisation wants to reduce card data exposure and keep payment handling within its compliant payment service provider environment.
The policy says staff must not take card details by email or record them in notes. That is sensible. But over time, the staff script becomes broader: "For PCI reasons, we cannot take a payment any other way. You must use the portal."
A customer calls because their service is at risk of suspension. They cannot use the portal because the SMS code goes to a phone they no longer control. They do not have internet access that day. They ask whether their support worker can help make a payment over the phone or whether there is another route. The call handler repeats the portal requirement and warns that service suspension will continue unless payment is made online.
The organisation believes it has reduced payment risk. It may also have created a different risk:
- the customer cannot access the standard route;
- the alternative route is unclear or unavailable;
- staff have converted a card security rule into a blanket refusal;
- the payment barrier may lead to loss of service;
- the customer may disclose unnecessary personal circumstances to persuade staff to help;
- the organisation has no record of why the alternative route was refused.
This is not an argument for taking card numbers insecurely. It is an argument for designing a secure alternative route before the crisis call happens.
PCI DSS should not be over-read
PCI DSS is a payment account data security standard. It provides technical and operational requirements designed to protect payment account data. It is not, by itself, a complete answer to every fairness, accessibility or support-needs question.
Organisations should take card security seriously. Staff should not ask customers to email card details, write them into case notes, read them into uncontrolled recordings, store them in spreadsheets, or route payment data through systems outside the intended payment environment. Those are real risks.
But "PCI says no" is often an over-read when used to shut down all alternative routes. A better question is:
What alternative payment route keeps card data protected while allowing people who cannot use the standard digital journey to pay or get support?
Possible answers will depend on the organisation and its payment architecture. They may include a secure telephone payment system, a payment link, a call transfer into an approved payment provider environment, a recurring payment mandate with proper controls, an assisted digital route, a branch or in-person option, a trusted representative process, or a non-card payment method. Each option needs security, fraud and privacy review.
The point is not that one route is always required. The point is that the organisation should make a documented design choice, not leave frontline staff to improvise under a misunderstood compliance banner.
Alternative routes need controls
Alternative routes are sometimes treated as informal exceptions. That is risky. If an alternative route exists, it should have the same level of governance as the main route, adjusted for the context.
A controlled alternative route should answer:
| Question | Why it matters |
|---|---|
| Who can use the route? | Prevents inconsistent treatment and reduces arbitrary staff judgement. |
| What personal data is collected? | Supports minimisation and purpose limitation. |
| How is identity checked? | Protects the individual and the account without creating unnecessary barriers. |
| How are payments handled? | Keeps payment account data within approved systems and avoids staff note-taking risks. |
| How are support persons handled? | Allows carers, advocates or authorised helpers to assist without uncontrolled disclosure. |
| What is recorded? | Creates evidence without excessive sensitive narratives. |
| Who can approve exceptions? | Keeps risk decisions accountable. |
| How is the route reviewed? | Identifies patterns of exclusion, fraud, complaint or staff confusion. |
If the alternative route is invisible, it may as well not exist. Staff need scripts. Customers need accessible signposting. Privacy teams need evidence that the route does not become a side channel where sensitive information is mishandled.
Staff scripts are a control
Staff scripts are often overlooked in privacy reviews. They are part of the control environment.
The wrong script says:
"GDPR means I cannot speak to your carer."
"PCI means we can only take payment online."
"The system will not let me do that."
"You need to upload medical proof before we can support you."
Each may be partly rooted in a real concern, but each turns a compliance issue into a barrier.
A better script gives staff a safe route:
"I cannot discuss account details until we complete an identity check, but I can explain the ways we can verify you or record an authorised support person."
"We cannot take card details by email or write them in notes. I can offer the approved secure payment options, including the assisted route where the portal is not accessible."
"You do not need to tell me a diagnosis for routine support. I need to know the practical adjustment that will help you use the service."
"If the standard identity check does not work, I can escalate to the alternative verification process."
That is not cosmetic. It reduces over-disclosure, supports fairness, protects account security and improves evidence.
Evidence and records
The evidence pack for a digital and payment journey should show that the organisation assessed both security and access.
Useful records include:
- a journey map covering registration, login, authentication, payment, support, complaints and rights requests;
- a data-flow map for payment and identity-verification data;
- a DPIA screening note or DPIA for high-risk digital journeys;
- a PCI scoping note or payment security advice for card data handling;
- a record of approved payment routes and prohibited payment handling practices;
- alternative route criteria and staff scripts;
- authentication exception rules and escalation triggers;
- support person verification guidance;
- accessibility and assisted digital testing evidence;
- complaint, abandonment and failed-authentication trend data;
- access controls for payment, identity and support records;
- retention rules for payment logs, call recordings, authentication evidence and support notes;
- sign-off showing who accepted residual risk.
The organisation should also keep records of rejected options. If it decides not to offer telephone payment, for example, the file should explain why and what alternative exists for people who cannot use the portal. "We prefer digital" is not enough where the service is important and exclusion is foreseeable.
DPIA triggers and operational harms
A DPIA may be required where the digital journey is likely to result in high risk to individuals' rights and freedoms. That assessment should not focus only on unauthorised access or data leakage.
Operational harms can matter too:
- a person loses access to an essential service because they cannot pass the standard route;
- payment support fails because the only route assumes private smartphone access;
- a person discloses excessive health or financial information to get an exception;
- a support person cannot assist because staff lack an authority process;
- a person cannot exercise data protection rights because the portal is the only channel;
- identity verification errors block correction or complaint routes.
Those harms may not look like a classic breach. They can still be relevant to fairness, transparency, minimisation and risk to rights.
What the DPO should challenge
The DPO or privacy team should challenge statements that hide design choices behind system language.
"The portal requires it" should become "why is that requirement necessary, and what happens where it fails?"
"PCI says no" should become "which payment data risk are we controlling, and what approved alternative exists?"
"GDPR means we cannot speak to a carer" should become "what authority route lets us help without inappropriate disclosure?"
"Everyone can use the app" should become "what evidence do we have from complaints, failed attempts and assisted digital users?"
The recommended path is a joint privacy, security, payments and operations review of the journey. The strongest design is usually not the one with the most rigid control. It is the one with clear standard controls, safe exceptions, staff guidance and records that show why the choices are proportionate.
How this supports the deep dive
In Deep Dive A, this article shows how vulnerable circumstances can be created or intensified by digital systems, payment design and operational scripts.
The CPD learning point is that GDPR support for vulnerable individuals is not only about recognising sensitive data. It is also about designing routes that people can actually use while still protecting personal and payment data.
A privacy team should be able to ask:
- Can people access support when the digital route fails?
- Are authentication controls proportionate and supported by safe exceptions?
- Are payment controls accurately understood, or is PCI DSS being over-read?
- Do staff scripts reduce unnecessary disclosure and unsafe improvisation?
- Can carers, advocates and authorised support persons be handled consistently?
- Does the evidence show that operational barriers were assessed?
That is where digital governance becomes a fairness issue, not only a security issue.
This article is intended to support the extra learning covered in Deep Dive A: GDPR, Vulnerability and Data Protection Practice. The seven-hour CPD programme is covered through Event A on XpertAcademy, with the Deep Dive hours available for organisations and learners who want more applied depth. You can return to CPD Event A and the Deep Dive A materials here: CPD Event A: Full-Day Regulatory Privacy Training.
Sources
- EUR-Lex, Regulation (EU) 2016/679, including Articles 5, 12 and 35: https://data.europa.eu/eli/reg/2016/679/oj
- Data Protection Commission, Principles of Data Protection: https://www.dataprotection.ie/en/organisations/data-protection-basics/principles-data-protection
- Data Protection Commission, Data Protection Impact Assessments: https://www.dataprotection.ie/en/organisations/know-your-obligations/data-protection-impact-assessments
- Information Commissioner's Office, When do we need to do a DPIA?: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/when-do-we-need-to-do-a-dpia/
- PCI Security Standards Council, PCI Data Security Standard (PCI DSS): https://www.pcisecuritystandards.org/standards/pci-dss/
- PCI Security Standards Council, Document Library: https://www.pcisecuritystandards.org/document_library/
Publication verification notes:
- Re-open EUR-Lex before publication if quoting or checking exact legislative wording.
- Confirm payment-handling statements with a PCI/security specialist before adapting this article to a specific payment architecture.
- Do not add Moodle management links to the article body.