GDPR: how to get ready within your Credit Management function
You will have seen a lot of information relating to the new GDPR compliance coming into force in May. Most large businesses have had programs in place since the new year to ensure they comply when the time comes.
Businesses have set up their internal processes to ensure data is mapped and privacy policies have been updated, with the new processes for notifying breaches to the regulator within 72 hours now in place. Even your internal data, such as emails, files, spreadsheets and paper, should now be getting mapped so you can clearly see where the data originated. It will all be discoverable under the GDPR regulation and needs to be in scope.
However, despite the work by some large organisations, with less than a month to go, we need to make sure smaller businesses are operationally ready.
Main areas you should focus on:
- Legal basis for processing: Whilst the contract with the customer may be relied on in many cases, vulnerable and mental capacity cases are expected to fall under a special data category requiring consent. Ensure you have processes to handle this and be able to answer customer questions on their rights in order to remain compliant.
- Unstructured data: All data, including spreadsheets, files and emails, is now included in the GDPR. This will impact non-core and ad hoc processes such as back office and escalations. Ensure this data is mapped and discoverable, as it needs to be made available under a Data Subject Access Request.
- Data policy: Retention and deletion policies need to be defined and executed against. This could limit your performance MI history and data used for risk modelling unless care is taken.
- Data Subject Access Requests: These currently attract a £12 fee and it is estimated 80% of all requests are deterred by this fee. Under GDPR, this will now be fee-free, with data returned within 30 days, so request volume is expected to increase significantly. Ensure you have adequate staffing and procedures and that staff are trained to handle the volume.
- Control Framework: Ensure there is a robust control framework to monitor performance and evidence compliance. This will be important to ensure the sustainability of compliance and to protect your brand, customers and company in any audit by the ICO.
There is much more awareness about GDPR requirements than there was back in 2017 with a lot of communication being available in the early part of 2018. Under GDPR, managers are now of course directly accountable for non-compliance.
Making sure you have the processes in place as well as the staff available will ensure that you can comply with the new regulations.
If you feel you need some extra capacity to set up the processes or to implement the changes, get in touch and see how we can help you.