General Data Protection Regulation
Although it won’t apply until 28 May 2018, credit firms should be preparing for the new General Data Protection Regulation (GDPR) now.
It is a piece of European legislation which is set to replace the UK’s current data protection legislation, the Data Protection Act 1998.
Both the ICO (the UK’s data protection supervisory authority) and Karen Bradly MP (the Secretary of State for Culture, Media and Sport) have made statements confirming that GDPR would still be relevant to the UK, despite the referendum vote to leave the European Union.
Of course, if you do business in European member states or process personal data about EU subjects, then you will need to comply with GDPR, regardless of the UK’s eventual relationship with the EU.
It will affect any organisation that processes personal data – including employee data. It will also introduce new rights for individuals concerning their access to their own data and the manner in which it is processed.
The new legislation will increase accountability for data protection and will give individuals more rights in relation to their data (including access rights).
It introduces new obligations for reporting data protection breaches and removes the option for organisations to charge a fee for subject access requests. The changes to data protection legislation are going to mean that firms will need to scrutinise their data protection practices to ensure they meet the new requirements.
There will be tough new sanctions for organisations who fail to comply with the GDPR and individuals will have increased rights to claim compensation.
Although the new legislation retains many of the core principles and aims of existing data protection legislation, it introduces a number of new requirements for firms:
- Heavier financial penalties
- Processor liability and relationship with controllers
- Privacy notices / fair processing notices
- Special categories of personal data
- Subject Access Requests / rights of access
- Documenting processing activities
- Data Protection Officers
- Breach notification
- Data protection by design and by default / Privacy Impact Assessments (PIAs)
- Transfer of data
- Right of erasure / right to be forgotten
- Right to restrict processing
- Right to object
- Rights related to automated decision-making and profiling
We have recently published detailed guidance for our members on exactly what they can do to address each of these factors – and this is something we are encouraging them to start doing now.
We’re also developing a Code of Conduct for GDPR through the Federation of European National Collection Associations (FENCA) which will help the debt collection sector apply best practice.
Making legislative changes work for your organisation is down to constant learning and development that takes each new requirement as an opportunity to further improve practice.