No, customer data should not be submitted to GRA unless there is a specific approved pathway, clear legal authority, appropriate consent or lawful basis, data minimization, and explicit authorization from the relevant organization.
Customer data may include names, contact details, account records, transaction history, policyholder information, borrower information, claims information, financial records, health information, location data, usage data, payment data, behavioral data, or any information that can identify or relate to a customer, client, citizen, patient, policyholder, borrower, investor, or end user.
GRA does not need customer-level data for ordinary onboarding, sector platform participation, National Stewardship Council work, finance-readiness intake, sponsorship interest, institutional participation, or general Nexus Universe preparation.
Where a risk or resilience issue requires evidence, participants should submit aggregated, anonymized, synthetic, public, or properly approved summary information wherever possible. Even anonymized information should be handled carefully if re-identification risk exists.
Do not submit customer data through email, chat, messaging apps, ordinary forms, or informal workspaces.
If customer data is ever required for a specific controlled analysis, that must be separately scoped, authorized, legally reviewed, and governed by appropriate data handling controls. In most GRA contexts, customer data should stay out.
