Who does GDPR effect?
All organisations who process personal data are responsible for complying with the GDPR including finance providers, brokers and retailers.
How is GDPR different to the Data Protection Act?
Definition of personal data
Under GDPR the definition of personal data is much broader covering IP addresses, mobile phone device identifiers, geolocation and biometric data reflecting technological advances.
In certain cases firms must make sure that they have express consent from individuals in order to capture and record their personal data. This requirement depends on the type of data and the purpose it is being processed for. For example, if information is collected as part of a credit application, this can be performed under the “legitimate interest” basis and express consent would not be needed. However, if you are collecting information about a medical condition, you will require the customers’ express consent to hold the data. Where express consent is needed this should be obtained separate to the agreement.
Along with the right to access the data a business holds about them, GDPR also allows individuals to request information about where their data is being used and for what purpose. This information must be provided along with the personal data held, free of charge.
GDPR also introduces the ‘right to be forgotten’ or the ‘right of erasure’ which means that on request data controllers must erase all of the personal data they hold about them, and, if applicable halt any third party use of that data. However, this right only applies in certain circumstances. Individuals can also request to have their data transferred from one good or service provider to another.
Firms must issue individuals with a “privacy notice” which explains a number of factors including what personal data is being collected, how you will keep the personal data and what you will do with the data. Where you are passing personal data to any third party you should ensure that it is clear to the individual that this will be happening and who that third party is, for example; when data is being passed to a finance provider for the purposes of a credit application.
Data retention policies
Firms may also wish to update their data retention policy, outlining the key features of how, why and for how long personal data is stored. This should also take into account obligations under other legislation, rules, codes or practices, such as the FCA Handbook and the Consumer Rights Act. Therefore it is very important for firms to consider the nature of their business and for what purpose they might need to access customer data in the future, such as to resolve a complaint.
What do firms need to do?
Motor finance dealers, brokers and lenders will therefore need to:
- review their approach to how they manage data protection;
- review the contracts and other arrangements which they have in place when sharing data with other organisations; and
- ensure that any privacy notices given to individuals about how their personal data is processed, and data retention policies, are updated to comply with the GDPR.
The Information Commissioner's Office (ICO) has developed a number of useful resources to help firms, including a 12 step checklist to prepare for GDPR, and a GDPR FAQs document. The SAF Data Protection module will also be updated ahead of the implementation of GDPR.