Collectors in Europe who have been ignoring GDPR because it was risk’s problem, or the CIO’s problem, or the compliance team’s problem should think again. GDPR could well be a four-letter word for collections.
You’re probably familiar with the General Data Protection Regulation, Europe’s attempt to create a single, enforceable standard to protect the freedom and rights of EU citizens. But you might not have thought much about it from a collections perspective.
I just presented a webinar on GDPR in collections, so I’ve got an hour’s worth of material if you want to listen to it. However, I’ll keep it brief here and just give you 11 takeaways to ponder:
1. It applies from 25 May 2018. You have a year to get comfortable with it.
2. It’s not just about social media data. That’s how it started, but it broadened into an all-encompassing piece of regulation by the time it went into force last May.
3. Consent isn’t what it used to be. You can’t assume a customer has given their consent to use their data just because it’s in your T&Cs. They have to give their consent to specific use of their data. They can also withdraw that consent when they want to, and if they do you have to basically stop using their data. Also, if you (or one of your agencies or partners) obtains a new data source on your customers, their previous consent may not cover that.
4. Breach notification is mandatory, and fast. The GDPR classes anything over 72 hours as an “undue delay,” and institutions need to report the numbers involved, what happened, how quickly it was closed down, the implications and impact and what’s being done.
5. Erased is the new forgotten. The “right to be forgotten” has become the individual’s right to erase all the data related to him or her on a number of grounds, including compliance. Their rights override your interests. Now, they don’t have the right to erase data that is used to ensure that a legal obligation is met, so most of the data used in collections should be fine. But if you’re looking at other data sources — especially those that include religion, gender, cultural data – be careful.
6. You may have to defend your data. Regulators and your own protection officer may ask questions like: Why do you need this data? Why do you hold onto it so long? How was it validated? Is the way you’re using the data entirely consistent with what the customer gave consent for? Furthermore, customers have the right to challenge decisions made automatically using algorithms, which could lead to sticky cases of defending how a model was developed, what data it uses and how people score.
7. You may have to hand over your data. Under GDPR’s portability rules, a customer can request all the data you have on them, and can also have it transferred to another provider. Is everything you’re using portable, including any promises to pay or other customer conversations? No one knows how far people will go with data portability or erasure, but you can be sure there will be an army of counsellors, advice agencies and lawyers urging people to pursue their new rights.
8. Your protection officer is your new best friend. Your organization needs a formal data protection officer who make sure you’re doing GDPR right. This isn’t the same as a compliance officer. You should get to know this protection officer, and start by educating them on what data you hold and use in collections.
9. Your staff need to know this stuff. They need to be able to identify the signs of a data breach, and they need to know the rights of customers. You don’t want to be exposed because your agents don’t know what to do when a customer asks to withdraw consent, or erase their data.
10. It’s not just your protection you have to answer for. Say you pass data to a business process outsourcer, or a DCA. How good are their data defences and procedures? You could be liable. If one of your agencies had a data breach, who would pick up on that, and how would you find out?
11. Fines for non-compliance are going to hurt. For instance, a recent breach at a UK bank was fairly well-handled by the bank, who shut down the leak and informed their 40,000 compromised customers right away. Under GDPR, they could have been fined up to 4 percent of turnover, which would have been more than a billion euros.
Have I scared you yet? Now is the time to make sure your organisation isn’t going to be one of the early examples cited in the press as completely unprepared for GDPR. Ask yourself: Am I ahead of the game with my GDPR readiness? Part of crowd? Lagging behind?
You can go deeper into this topic in my webinar. And watch this space, because next I’m going to talk about IFRS 9 and collections. You just know that’s going to be fun.