Assessing the impact of GDPR on debt management
May 25, 2018
With GDPR live as of 25 May, we explore how this will impact debt management strategies, and in particular the ability for companies to use tailored approaches to collections.
Customer segmentation is used to tailor collection strategies to different customer types based on data provided by the customer, data from company systems and data purchased from credit reference agencies. Much of this data is classified as personal data, and the new EU legislation will apply to any organisation that holds data on EU residents. Therefore, GDPR is highly relevant and may have a significant impact.
The simple fact is that until it’s tested in the courts, it’s not entirely clear what the impact will be, but here are 10 key things to consider when using personal data to tailor collections for debt management:
- The old data protection rules are still relevant and have generally been tightened up, so expect more rigour under GDPR.
- You may have many more data subjects than customers. GDPR considers each and every person a data subject and the rules are equally applicable to all. While you may bill 'ABC Limited' as your customer, any employees, alternative contacts and named individuals on the account will be classified as data subjects.
- Automated decisioning, including profiling, may be permissible. If you can successfully argue that the customer has provided explicit consent, that there is a contract in place, or that the automated decisioning process has no legal or material effect on the customer, automated decisioning will be allowable. Segmenting customers to allow for different debt treatment may be determined not to have a material or legal impact on them, but this may need to be tested in a court of law.
- Supplementing automated decisioning with manual input should override potential issues with segmenting for debt treatment. Where automated decisioning is determined not to be allowable, it can be resolved by incorporating an element of manual review or oversight so the process is not fully automated.
- Previous automated decisions may need to be manually reviewed. Where previous automated decisions have a continuing legal or significant impact on customers, a manual review may be required in order to maintain compliance.
- Tell your customers how you use their data. Gaining explicit agreement for gathering, using and sharing personal data is a key development in GDPR but is not thought to be relevant to data gathered for the purpose of credit scoring. Companies will continue to issue a clear statement about the data being gathered and how it is used.
- Respond to customers' data queries and complaints promptly. Establish processes for capturing requests from data subjects about how their personal data is held and used, and about the outcome of any profiling. It's important to have a process in place for dealing with such requests within one month.
- Be careful who you share data with. If you share personal data with other organisations, it's your responsibility to inform them if the individual exercises their right to be forgotten. Similarly, if other organisations have shared data with you, you'll need to respond within one month to a legitimate demand for erasure.
- Notify the Data Protection Authority quickly. For certain data breaches that are likely to have a significant impact on the subject, companies will need to notify the Data Protection Authority within 72 hours. Make sure you understand which breaches must be reported.
- Get GDPR right; it's too expensive not to. Serious breaches of GDPR will attract a maximum corporate fine of up to 4% of global sales, which could be very hefty indeed.
GDPR is a complex and specialist area. To read more about GDPR and the potential implications visit our GDPR site.
If you'd like to know more about tailored collections, please contact Niall Cooter or Stephen Tebbett.