We need you to provide personal data in order to process your payday loan application. This information includes details such as your first and second name, where you live, the telephone numbers you use and your banking details. Keeping you protected from fraud is a top priority, so we need to confirm your identity and verify your application with confidence.
All personal data collected by any firm will now be subject to the rules set out in a new regulation called the General Data Protection Regulation (GDPR), which will be applicable across the EU. Here in the UK, those regulations are incorporated into the Data Protection Act 2018. The new regulations build and expand on the previous Data Protection Act 1998 and essentially strengthen the legislation, giving you more rights and protections where your data is concerned. The changes are numerous, but the main ways they can affect you are covered below.
The data we capture is personal to you and is known as personally identifiable data for obvious reasons. That definition now also includes data such as your IP address. This is an example of the way GDPR is adapting to changes in technology and the way companies now gather data.
A big change that you will notice is that the tick boxes you used to come across when filling in forms will no longer be pre-ticked. This is because consent must be captured via opt-in, i.e. you must take a positive affirmative action to indicate your consent for your data to be processed in this way. The idea here is that you retain a greater degree of control over what you are agreeing to with regard to the use of your data.
Anyone processing your data on the basis of your consent will need to determine that the consent has not only been freely given with a positive affirmative action but is also not a pre-condition of any other service. So, for example, we wouldn't ask you to consent to receive our marketing and accept the terms of your loan agreement with one click. Hopefully this is a straightforward change, but it is an important and fundamental departure from the previous regulations.
Not so much a change but rather a clarification is that any data-related communications, be they consents or notifications, need to be very clear and specific. Vague open-ended statements or long and complex privacy policies are a relic of the past. There is a balancing act, however, as privacy statements now have to contain more information and therefore cannot help but be longer. Nevertheless, data controllers and processors must be able to show interested third parties that they are data-subject focused, i.e. the consumer or customer is at the heart of what they do. It is good practice anyway for all customer-facing documents, promotions and agreements to be written in clear, concise and plain language.
Maximising understanding and information availability, whilst minimising complaints and expressions of dissatisfaction, should be the goal of any business. As a business we require anyone who has written something consumer-facing to read it back pretending to be the customer. If they can't understand what they've written and the concepts they tried to get across the first time, then it needs another go.
Examples of words commonly used incorrectly:
Ultimately, the aim of the new rules and regulations is to put you, the consumer, back in charge of your data and ensure that, whatever you sign up for, you are clear about how and why your data will be used. This is a fundamental building block of the rules. How it will impact business is up for debate. On the one hand, most of the rules are pretty similar to what went before, so no change there, but others, such as the threshold for consent, have changed quite fundamentally.
As before, any personal data and information held by a firm needs to be accurate and up to date. If a firm shares this data with a third party, it must ensure that it makes clear any changes made to the information. Furthermore, if the third party goes on to process the data and makes more changes itself, it needs to communicate these amendments to the original data controller so that there is a clear audit trail of the changes.
Individuals will have better and greater access to any of the personal data that a firm holds. People will have a legal right to view all of this data. This is not new, as it was in previous regulations, but GDPR makes it clearer and more transparent. In addition, the new regulations detail more clearly the levels of profiling or direct marketing permitted and on what basis. Consumers are also able to ask a firm that holds their data to delete all of it. Firms will have to honour this request unless they require the data for certain scenarios such as legal proceedings.
In a word, no: Brexit doesn't change anything. UK organisations will still have to comply with the regulations from 25 May 2018. Just for starters, the UK will still be in the EU in May 2018, so it will need to comply with the rules. Second, the Government have already confirmed that they will be implementing GDPR regardless of Brexit.