A guide on GDPR for debt collection
With GDPR coming into effect at the end of this month, businesses are in a race to the finish line to make sure their data is GDPR compliant before this week’s deadline (25th May 2018). From IT to marketing, these new regulations will affect many key areas of a business’s day-to-day running, and debt collection is no exception, despite the headlines around this area being a bit quieter. If you outsource your debt collection to agencies, or you yourself are a debt collector, here are some key points to consider when it comes to debt collection and GDPR:
One area of GDPR particularly worth noting when it comes to debt collection is Article 4, where GDPR sets apart data ‘controllers’ from ‘processors’.
A controller is defined as a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.”
In contrast, a processor is defined as a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
In most cases, debt agencies will therefore act as a processor – but this doesn’t mean less responsibility. Previously, controllers would take most, if not all, of the responsibility; however, under the new regulations, processors are equally liable for how they handle data and what they do with it.
Here are some of the key points of GDPR that debt agencies need to consider when handling third-party personal data:
Before you go chasing a late payment, it’s vital that the data you’ve received has been given with consent. While you are not directly responsible for this, you are responsible for making sure any data handed over to you by a business has the consent of the individual – otherwise you’ll both be liable if found in breach of GDPR.
2. Data breaches
Breaches of data need to be notified to the authorities within a 72-hour window and to customers ‘without any undue delay’ once discovered. With regard to debt collection, this would also involve the business you’re collecting the debts on behalf of.
3. Right to Access
Individuals will have the right to access a copy of their personal data, free of charge. While debt collectors are acting as third parties, they are still equally responsible for how the data is held and stored.
4. Right to be Forgotten
Individuals also have the right to be forgotten and have their data erased, where the data is no longer relevant or consent is withdrawn (this is with some constraints around legitimate interest). It’s therefore vital that a debt collection agency’s database is up to date and that, when an individual’s data is removed, it is removed completely.
5. Data Portability
Under GDPR, data subjects now have the right to request that their data is moved and, if this happens, the process must be completed within a month. It’s therefore vital that debt collection agencies not only have their data organised, but also hold it in a format which can be easily transported.
6. Privacy by Design
Privacy must now be ensured throughout the whole process of debt collection. It is no longer seen as an add-on, so from the day you are given the details of a late payment to the day you secure it, the privacy of a subject’s data must be the number one priority.
This is only a brief introduction to GDPR; for a more detailed insight you can visit the ICO’s website.