Since 25 May 2018, when the General Data Protection Regulation became applicable, there has been one set of data protection rules for all companies operating in the EU, wherever they are based.
In this article we explain how the GDPR affects debt recovery agencies worldwide.
Stronger rules mean:
- People have more control over their personal data
- Businesses benefit from a level playing field
What does the General Data Protection Regulation (GDPR) govern?
Regulation (EU) 2016/679 of the European Parliament and of the Council, the European Union's ('EU') General Data Protection Regulation ('GDPR'), regulates the processing by an individual, a company or an organization of personal data relating to individuals in the EU.
It doesn’t apply to the processing of personal data of deceased persons or of legal persons.
The rules don’t apply to data processed by an individual for purely personal reasons or for activities carried out in one’s home, provided there is no connection to a professional or commercial activity.
When an individual uses personal data outside the personal sphere, for socio-cultural or financial activities, for example, then the data protection law has to be respected.
What is personal data?
- Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
- Personal data that has been de-identified, pseudonymised or encrypted but can still be used to re-identify a person remains personal data and falls within the scope of the GDPR. Replacing a name with a customer number or a hashed email address does not take the record out of scope as long as the mapping, key or original value exists somewhere.
- Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible, taking into account all the means reasonably likely to be used to re-identify the person.
- The GDPR protects personal data regardless of the technology used for processing that data. It is technology neutral and applies to automated processing, and also to manual processing provided the data forms part of a filing system organized in accordance with pre-defined criteria (for example alphabetical order). It also doesn't matter how the data is stored, whether in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.
What constitutes data processing?
Processing covers a wide range of operations performed on personal data, whether by manual or automated means. It includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
The General Data Protection Regulation (GDPR) applies to the processing of personal data wholly or partly by automated means as well as to non-automated processing, if it is part of a structured filing system.
Examples of processing include:
- staff management and payroll administration;
- access to/consultation of a contacts database containing personal data;
- sending promotional emails;
- shredding documents containing personal data;
- posting/putting a photo of a person on a website;
- storing IP addresses or MAC addresses;
- video recording (CCTV).
Impact on debt collection industry
With the GDPR live as of 25 May 2018, we explore how it impacts debt management strategies, and in particular the ability of companies to use tailored approaches to collections.
Customer segmentation is used to tailor collection strategies to different customer types based on data provided by the customer, from company systems and data purchased from credit reference agencies.
Much of this data is personal data, and the GDPR applies to any organization, wherever it is established, that processes the personal data of individuals in the EU, including organizations outside the EU that offer goods or services to those individuals or monitor their behaviour. Therefore, the GDPR is highly relevant to collections work and may have a significant impact on it.
10 key things to consider when using personal data for debt management:
- The old data protection rules are still relevant and have generally been tightened up, so expect more rigor under GDPR.
- You may have many more data subjects than customers. GDPR considers each and every person a data subject and the rules are equally applicable to all. While you may bill ‘ABC Limited’ as your customer, any employees, alternative contacts and named individuals on the account will be classified as data subjects.
- Automated decisioning, including profiling, may be permissible. The GDPR restricts decisions based solely on automated processing that produce legal effects on the individual or similarly significantly affect them. Such decisions are allowed where the customer has given explicit consent, where they are necessary for a contract with the customer, or where they are authorised by law; and the restriction does not apply at all where the decision has no legal or similarly significant effect. Segmenting customers to allow for different debt treatment may be determined not to have such an effect on them, but this may need to be tested in a court of law.
- Supplementing automated decisioning with meaningful manual input can address potential issues with segmenting for debt treatment. Where a fully automated decision would not be allowable, incorporating human review or oversight means the decision is no longer based solely on automated processing. The human involvement must be genuine: a reviewer who has the authority and the information to change the outcome, not a rubber stamp on the system's result.
- Previous automated decisions may need to be manually reviewed. Where previous automated decisions have a continuing legal or significant impact on customers, a manual review may be required in order to maintain compliance.
- Tell your customers how you use their data. Consent is only one of the lawful bases for processing under the GDPR, and it is not usually the basis relied on for data gathered for the purpose of credit scoring, which more often rests on the contract with the customer or on legitimate interests. Whatever the basis, companies must continue to issue a clear statement about the data being gathered, the purposes it is used for, and who it is shared with.
- Respond to customers' data queries and complaints promptly. Establish processes for capturing requests from data subjects about how their personal data is held and used and about the outcome of any profiling. It's important to have a process in place for dealing with them within one month; this can be extended by up to two further months for complex or numerous requests, but the individual must be told of the extension within the first month.
- Be careful whom you share data with. If you share personal data with other organizations, it's your responsibility to inform them when the individual exercises their right to erasure ('right to be forgotten'), so that they can act on it too. Similarly, if other organizations have shared data with you, you'll need to respond within one month to a legitimate demand for erasure.
- Notify the Data Protection Authority quickly. Unless a personal data breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned, companies must notify the Data Protection Authority within 72 hours of becoming aware of it; where the breach is likely to result in a high risk, the affected individuals must be told as well. Make sure you understand which breaches must be reported, and keep a record of every breach, including those you decide not to report.
- Get the GDPR right; it's too expensive not to. Serious breaches of the GDPR attract fines of up to EUR 20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, which could be very hefty indeed.
Ultimately, the GDPR is there to protect the data of individuals; it is not a barrier to running a debt recovery business.
TCM Egypt helps clients with debt collection, debt recovery, accounts receivable management, and business investigation in Egypt and worldwide.