Late last year I attended an event in London on compliance and control within the Collections and Recoveries area.
The question was asked, “By show of hands, how many of you have heard of or are preparing for the implementation of GDPR?”; about three hands went up.
It was quite a shocking sight, both given the audience and the level of potential fines that could be applied. Clearly greater awareness was needed.
Since then, visibility for GDPR has increased. With the legislation proposed this month by the UK government, there has even been greater interest and coverage within the media – a positive development.
However, data is the lifeblood of the Collections and Recoveries industry. With such potential for significant impact, GDPR is a topic that we need to be fully aware of – understanding and safeguarding against the potential impacts on business.
GDPR origins and meaning
GDPR is the General Data Protection Regulation. It is EU legislation, due for implementation in May 2018.
This legislation is an enhancement to existing data protection legislation (e.g. UK DPA 1998). The intention is to bring the rules up to date for the modern environment (e.g. cloud computing, data processing, social media, ‘big’ data). It is applicable to any company that exchanges or holds data with someone within an EU member state.
This is applicable in the UK, which will still be an EU member in May 2018. However, the UK is introducing legislation, so it will also be embedded in UK law too.
Either way, if you are in the UK, this applies to you.
The GDPR key requirements
The legislation builds upon many existing requirements, strengthening where required. A useful summary of changes under GDPR has been provided, summarised below.
- Consent: Consent needs to be clear and accessible, being as easy to withdraw as to give.
- Data breaches: Breaches of data need to be notified to the regulator within a 72-hour window and to customers ‘without any undue delay’ once discovered.
- Right to Access: Customers will have the right to access a copy of their personal data, free of charge.
- Right to be Forgotten: Customers also have the right to be forgotten and have their data erased, where the data is no longer relevant or the customer withdraws consent (this is with some constraints around legitimate interest).
- Data Portability: Data can be received in a format that can be sent elsewhere.
- Privacy by Design: Privacy needs to be included within the system design, not an add-on.
Penalties for non-compliance
Under GDPR, organisations in breach of regulations can be fined up to 4% of annual global turnover or €20 Million (~£17m), whichever is greater. The fines are tiered depending on the specific details of non-compliance, however still significant vs the previous regime which had a limit of only £500,000.
Getting your organisation ready
The ICO has already released a good paper on steps organisations need to take in order to be prepared. They are as follows:
- Awareness: Ensure there is awareness of GDPR across your organisation.
- Documentation: Document the information you hold on customers.
- Review of current privacy notices: Ensure they are compliant.
- Individuals’ rights: Review of processes to ensure rights, such as provision or deletion of personal data, can be covered.
- Access requests: Ensure suitable processes are in place to handle access requests within the timescales (30 days).
- Lawful basis: Ensure lawful basis for processing personal data.
- Consent: Review processes for seeking, recording and managing consent per the new regulations.
- Children: Ensure there is ability to record and identify a customer’s age (if children).
- Data breaches: Ensure procedures are in place in advance, for action, should a data breach occur.
- Data protection: Needs to be included by design.
- Data protection officers: Appoint a data protection officer.
- International: Understand the implications if you work in more than one EU member state.
Impacts for Collections and Recoveries
Over the last ~20 years, data has increasingly become the lifeblood of Collections and Recoveries. We have become more and more reliant on digital, electronic interaction, and the data trail it leaves, to inform and guide our processes. It has driven efficiency, increased the accessibility of credit, brought down costs and enhanced interactions with the customer.
In part GDPR places some limits and controls around these processes. It has the objective of providing a higher degree of consumer protection, which is undoubtedly positive for the customer base.
However, with the current reliance on data, it is not without potential for impact.
Losing data or consent
The big fear for the collections industry is that, either through withdrawal of consent or by request of erasure, there could be a reduction in level of information and data available.
This data is currently used on a daily basis to inform actions, efficiently tailor solutions for customers and trace those that have moved.
Loss of this data would have impacts to the cost of credit, increasing operating expense and the impairment charge.
Obviously, with such potential for impact, this generated some discussion during the consultation period (particularly for credit reference agencies). As a result, there are some safeguards to allow this information to be processed under the legitimate interest wording.
Similarly, the view is that customer account details will still be able to be passed to third parties e.g. DCAs, as this is in the legitimate interest and on balance a reasonable course of action.
However, the company will still have the requirement to inform the customer of the legal and legitimate interest pursued.
Customer profiling limits, increasing transparency
Additionally, within the data science industry (the good folks that build our risk scoring models) there are a couple of further impacts.
GDPR will place some limits around customer profiling, ensuring greater transparency on automated model decisions. The customer will need to be aware of and understand the consequences of such profiling.
There are also provisions to provide the right to an explanation of any automated decision (e.g. why a credit application was declined) and safeguards for bias/discrimination.
In short, we could see changes to the volume and level of detail of data available for Collections and Recoveries processes. This is something we need to monitor for.
Action for now
The exact size, speed and extent of these impacts are still to be determined; however, what is certain is that changes are underway that will impact us all.
It is going to be critical to have the infrastructure to monitor and prepare for any changes in data quality within the collections and recoveries process.
Additionally, consent and transparency need to be included within our processes, linking into any wider organisation process for data breaches and changes. This is a ‘must ask’ question for any new system implementation or pending change. It will be important to have infrastructure ready and in place.
Lastly if your organisation does not have a data protection officer and/or you have not heard about GDPR at work, you need to raise this now and take advice.
These changes are coming down the road for us all, at speed, and are something we cannot avoid. With scope for such large fines, complacency is somewhat dangerous with such short time frames.
Be ready, be informed and be prepared.
What are we doing now?
Arum is currently working with a number of clients on collections and recoveries systems selections where GDPR compliance has to be considered. We are also helping organisations improve collections and recoveries strategy and operations to help them cope with the coming performance challenges. Please contact us if you would like to know more about this.
Chris Warburton – Lead Consultant