The introduction of a new data protection law earlier this year has had a significant impact on businesses across the UK, including in the collections and purchase sector. The General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018 have brought in new and expanded requirements for companies handling personal data. CSA member companies have to share and hold vast amounts of customer data, much of it sensitive, as part of their core business, which meant they needed to make changes to ensure they were ready for the start of GDPR. Thus far, all indications are that our industry was well prepared for GDPR and we as the trade association put a lot of effort into helping members get to that position – producing and sharing detailed guidance; inviting expert guest speakers to our events and hosting a series of webinars around key data protection issues.
The UK’s information commissioner, Elizabeth Denham, has made clear that 25 May 2018 was only the beginning. GDPR may have started to apply but that does not mean everything is 100% clear and that all firms are compliant. There is still work to be done. The CSA has therefore dedicated a whole stream to it at our UK Credit & Collections Conference on 13 September 2018.
One of the speakers delivering interactive sessions as part of the stream is Toni Vitale, a Partner and Head of Regulation, Data and Information at law firm Winckworth Sherwood. He provides legal advice to clients on data protection and privacy and has previously worked in-house for organisations such as IBM, Virgin Media, YouView TV and BGL Group (owners of comparethemarket.com). He has also been a spokesperson on GDPR in the national media where he has highlighted the unnecessary flood of consent emails into consumers’ inboxes ahead of the 25 May 2018 implementation date. Previous attendees at CSA events will be familiar with Toni’s superb coverage of GDPR, demonstrating his expertise and knowledge by delivering highly informative presentations and workshops. Since Toni’s first presentation for the CSA back in 2014 we have asked him to return to our flagship events year on year due to the value attendees receive from attending his sessions.
At the conference, Toni will be looking at GDPR four months on from its implementation and assessing how industry, individuals and the regulator are adapting to the new requirements. He’ll also consider the regulator’s approach to enforcement under the new law, particularly around the increased potential penalties. And looking to what’s coming next, Toni will be taking a look at developments around the new E-Privacy Regulation.
Ongoing challenges with compliance
One of the sessions at the conference will focus specifically on the challenges with GDPR compliance and provide a practical case study of a Data Protection Officer who has been through the process so far. This will provide attendees with key insight into the day-to-day practicalities and demands of implementing and maintaining data protection compliance. As GDPR starts to become business-as-usual, consumer awareness and understanding will grow and evolve, so it is essential that firms and their DPOs are equipped to respond to challenges and requests efficiently and compliantly.
The GDPR stream will also present a valuable opportunity for members to share their experiences so far. It will be particularly interesting to hear from larger and smaller firms, to see how similar or different the impact and preparation has been.
The regulator’s response
There is a lot of interest in how the Information Commissioner’s Office (ICO) approaches the application of the new data protection laws. In the lead up to 25 May 2018, the ICO has indicated that it is not their intention, at least in the early stages, to dish out fines across every single breach of the new law; instead, they want to work with firms to help them comply. In fact, Elizabeth Denham has outlined her view in a recent blog. Of course, that does not mean the ICO will not be imposing fines; where there are blatant and deliberate or negligent high-risk breaches, they will act accordingly. The ICO has given firms a reasonable idea what their enforcement priorities will be in their draft Regulatory Action Policy, which outlines their approach to taking regulatory action under the new law.
Pre-implementation fears vs post-implementation reality
We will take a look at whether some of the initial fears specific to the collections sector have been realised in the opening months of GDPR application. For example, many members were preparing for an influx of subject access requests, with firms no longer permitted to charge a fee. A number of firms were putting teams in place in anticipation of an increase in requests, fearing that it would present a significant administrative challenge and potentially be exploited as a way of delaying the collection process. At this point, it remains to be seen whether this has been the case.
Another challenge for firms has been making sure that people actually understand what you’re doing with their data and why you’re processing it, and that you do actually have a valid reason to use it. The new requirements to demonstrate compliance and to keep individuals informed has seen a vast amount of lengthy privacy notices landing in people’s inboxes, alongside a number of (potentially unnecessary) requests for consent, and it’s likely that the sheer volume of communications has in fact led to individuals knowing less about how their data is being used, rather than more.
With GDPR still such a hot topic and lots of areas still to understand, I look forward to seeing plenty of you in the sessions at the conference, identifying remaining areas of contention and sharing best practice, to make sure that we as an industry are positioned to maintain and demonstrate data protection compliance well into the future.
Daniel Spenceley, Compliance Manager, Credit Services Association