News and views on the home credit industry from the CCA and its members

21 November 2016

General Data Protection Regulation (GDPR) Demystified

Our members may already be aware of the new General Data Protection Regulation (GDPR) which will come into force on the 25th May 2018 as a result of a ruling by the European Parliament. Despite Brexit, the UK Government has confirmed that GDPR will be implemented in the UK on that date. 

The new regulations apply to ALL companies which process personal data and are aimed at protecting the privacy and security of the data collected by organisations, large and small, replacing the Data Protection Directive introduced in 1995.

In short, consumers need to know how their data is being stored by organisations and what measures are in place to prevent a breach.  The GDPR has been designed to deliver increased transparency and control.

Under the new regulations, the definition of personal data will change too, and for the first time details relating to genetic, mental, cultural, economic and social information will be classed as personal data.

Fortunately there's plenty of time to comply but the CCA recommends that you start your preparations early.

So what are the key differences?

The main difference which businesses need to be aware of relates to their obligation to demonstrate compliance and accountability under the new regulations:

Consent - conditions for consent have been strengthened: any text relating to consent must use clear and plain language in an accessible form, and must include the purpose that the data will be used for as well as an option to withdraw consent.

Privacy by Design - this means that data protection must be incorporated into the design of the system where the data is stored, rather than being a subsequent addition, and only the data which is absolutely necessary should be stored and processed.

Data Protection Officers - for some large firms it will be mandatory to have a dedicated Data Protection Officer, but for smaller firms it will be sufficient to designate someone in the team to oversee the incorporation of GDPR into every stage of your business.

Data Portability - data subjects will have the right to receive the personal data which they have provided and also the right to transfer that data to another company.

Breach Notification - where a data breach is likely to 'result in a risk for the rights and freedoms of individuals' notification will be mandatory within 72 hours of becoming aware of the breach.

Right to be Forgotten (also known as Data Erasure) - the data subject can request that his/her personal data be erased, for example, if the data is no longer relevant to the original purpose or if the individual withdraws consent.

Right to Access - data subjects can obtain confirmation as to whether or not their personal data is being processed, where and for what purpose, and the controller will have to provide a copy of their personal data, free of charge, in an electronic format.

Penalties - organisations in breach of GDPR can be fined up to 4% of annual turnover for the most serious infringements, e.g. not having sufficient customer consent or violating the Privacy by Design concepts.

Whilst this may appear daunting initially, there are benefits to be gained by firms who start their preparations early and are able to demonstrate adherence ahead of the pack. The GDPR provides an opportunity to review and clean your customer data to make sure it's accurate, up-to-date and relevant. Clean customer data facilitates improved customer interaction, more effective marketing campaigns, lower security risks and less likelihood of regulatory intervention, not to mention a boost in competitive advantage.

During 2017 the CCA will be keeping our members informed via a series of emails, each focusing on an individual aspect of the GDPR with a view to helping to steer you through the process.  In the meantime, you may find the following resources useful:

Data Protection Self-Assessment Toolkit - https://ico.org.uk/for-organisations/improve-your-practices/data-protection-self-assessment-toolkit/

Preparing for the General Data Protection Regulations - https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
