CCR2 Risk, data, and GDPR
GDPR: the time to act is now!
One of the most important new pieces of regulation will impact the industry next year, so this is the time to take action
Deborah Cox Director, Fathom Management Solutions
deborah.cox@
fathom.co.uk
The General Data Protection Regulation – now almost universally known simply as GDPR – has the potential to be one of the most significant pieces of legislation to impact the credit and collections industry in living memory, and with fines of up to 4% of turnover a very threat to business. What makes the situation all the more
scary is the very wide degree of preparedness that we see around the industry. Some organisations are well advanced in their preparations, ahead of the 25 May 2018 implementation date, whereas others seem to have barely started. The message is clear: GDPR is not
something that any of us can afford to ignore, but we also need to recognise that it is a hugely diverse issue, involving many different aspects across your business. So, in this article I would like to give
some thoughts and pointers on a range of issues that you may need to think about, but I would caveat this by saying that it is nothing like an exhaustive list and, the situation will vary from business to business.
Right-party contact You need to make sure you are speaking to the right person and that you are doing all the appropriate Data Protection Act checks. You also need a strategy on how you are going to go about ensuring this, because there are different levels of complexity to it – will a name and date of birth be sufficient, or will you go down the route, like the banks,
26
ten years, but, after that, will it be deleted entirely. Or will the identifying details be obfuscated, with the bare bones kept to assist with analysis work? Again, a clear policy needs to be
The message is clear: GDPR is not something that any of us can afford to ignore, but we also need to recognise that it is a hugely diverse issue, involving many different aspects across your business
established on this and you will need to be clear on what is meant when we say that data has been deleted, what actually constitutes deletion?
Data security I am constantly surprised by how many organisations still send files containing personal data around by e-mail – it is really quite frightening! It is still a surprise in this day and age how many organisations continue to store personal data in an unsecure Excel Spreadsheet on their PCs. We all need to remember that GDPR
applies to companies of all sizes. You must consider whether you need to improve your data-security standards. For example, even if you have a properly
of using a unique identifier, such as the mother’s maiden name? A lot of companies struggle with this
because they are sometimes not clear on what additional checks they should make.
Data retention Currently, a lot of companies simply keep hold of personal information regardless of the reason. Most will have a policy regarding whether it will be held for either six or
www.CCRMagazine.co.uk
secure database, do you sometimes export a spreadsheet to send it out, rather than using a secure FTP site to drop the information into, so that it can be picked up by the receiving organisation?
Auditable customer contact You need to be certain as to why you should have access to particular personal data and ensure that you have a clear audit of how it is recorded and how the data has been used.
November 2017
Page 1 |
Page 2 |
Page 3 |
Page 4 |
Page 5 |
Page 6 |
Page 7 |
Page 8 |
Page 9 |
Page 10 |
Page 11 |
Page 12 |
Page 13 |
Page 14 |
Page 15 |
Page 16 |
Page 17 |
Page 18 |
Page 19 |
Page 20 |
Page 21 |
Page 22 |
Page 23 |
Page 24 |
Page 25 |
Page 26 |
Page 27 |
Page 28 |
Page 29 |
Page 30 |
Page 31 |
Page 32 |
Page 33 |
Page 34 |
Page 35 |
Page 36 |
Page 37 |
Page 38 |
Page 39 |
Page 40 |
Page 41 |
Page 42 |
Page 43 |
Page 44 |
Page 45 |
Page 46 |
Page 47 |
Page 48 |
Page 49 |
Page 50 |
Page 51 |
Page 52