The new general data protection regulation will soon be upon us. For any businesses using credit reference agency (CRA) services, whether it’s credit checking or identity verification to help fight fraud, urgent steps must be taken to ensure these services can be maintained.
Data sharing between lenders and CRAs and other authorised organisations helps consumers access appropriate products, receive relevant communications and better manage their finances. Any businesses which share credit data that haven’t yet engaged with their CRA must do so as a matter of urgency, as it’s essential that they direct customers and prospective customers to the right information on how their data will be shared with and used by CRAs.
To maintain the public’s trust and facilitate the ongoing sharing of data, the industry must make sure privacy notices are compliant and consumer friendly. Equifax has worked closely with other CRAs to launch an industry-wide Credit Reference Agency Information Notice (CRAIN)* which provides standardised wording defining the standards that all three CRAs will apply when processing consumer data. CRAIN supports GDPR’s drive to enhance consumer rights and transparency over their data, providing clarity over the role of CRAs in the financial industry.
Businesses sharing data with a CRA must use or signpost customers and prospects to CRAIN, to ensure they receive clear and consistent information about how their data is managed. For new customers, clear direction at the point of application is important; a link to access CRAIN at a later date is not acceptable.
The following steps must be taken for each application to ensure a prospective customer understands how their personal information is used and kept safe, and their rights to access, control and correct information held on file:
Online applications – Your customers should already be referred to your fair processing notice (FPN) at the point of application to advise them what your company, as a lender or business, and a credit reference agency (CRA) will do with their data. From 25 May, CRAIN should be incorporated.
Offline applications – You will need to provide an off-line route to access information about CRAIN, such as printed copies.
Telephone applications – You will need to enable the consumer to access your FPN at the point of application rather than at a later date/time, by providing clear, spelled out URLs as part of the phone script, or via a paper copy.
Steve Martin, Data Protection Officer, Equifax