Free Guide to GDPR For Credit Managers

16th November 2017.

The impending General Data Protection Regulation (GDPR) probably keeps cropping up in conversation here and there. You’ve either thought a lot about it, or not at all.

Well, if you are a credit manager (or really any business manager at all) who stores or shares any kind of data, it might be worth getting a handle on. Sooner rather than later.

Below is a brief guide to how the upcoming GDPR legislation will affect you credit managers out there.

Are you sitting comfortably?

What the GDPR is All About

The General Data Protection Regulation (GDPR) is a new set of EU rules and regulations for data protection, and more specifically, personal data.

This new legislation has long been in the works.

Originally proposed back in April 2016, it is due to be enforced on 25th May 2018. The new regulation will replace our current Data Protection Act, and will focus on uniting all the countries of the European Union through one piece of data legislation. It will also concentrate on the handling of personal data outside the EU, providing the data is directed at EU citizens.

Tougher fines will be introduced for companies that breach compliance requirements, as well as offering citizens more control over what is done with their data across the EU. It has been confirmed that Britain’s exit from the EU will not stop our participation in the GDPR, and the UK government has agreed to observe EU law within the new legislation.

How it Will Affect Businesses

The GDPR is all about offering individuals more control over their data, giving them the power to erase it, alter it and seize it.

While giving individuals complete rights over their financial information may have ramifications, fines of up to 20 million Euros will be directed at businesses who don’t comply. The new regulation will affect all countries within the European Union, as well as outsiders who still conduct business within the EU.

The execution of GDPR will further affect the way businesses conduct their marketing and sales activities. Under the new data laws, obtaining consent is more complex, with agreed consent necessary for sending out newsletters, flyers or even email advertising within a company. This will also follow when a consumer opts out of a company’s marketing; a simple ticked box will no longer suffice.

How it Will Affect Credit Management

Credit management is becoming increasingly reliant on data. We place a lot of confidence in the digital, electronic interaction, and the data trail it leaves. We use these to guide and inform our customers and clients, and it drives efficiency and enhances relationships.

The new GDPR regulations are placing certain limits and restrictions on the way credit management, and collection companies, do business. Control is being handed over to the individual, and credit management companies may struggle to make well-informed decisions as a result. 

Financial bodies such as the Credit Services Association have lobbied for changes to be made to the regulation, and while some have been altered accordingly, credit management and other financial services may have to adapt to this new consumer-driven landscape.


The key elements credit managers need to consider with the impending launch of GDPR are: Increased Transparency, Consent-Based Data Processing, and the Loss of Data. Please keep reading to find out more!


1. Increased Transparency

Credit managers will soon have to boast a more open and forthcoming approach to personal data. Individuals should know everything with regard to their data, and this is a special consideration to EU lawmakers. Businesses who operate under inadequate measures will see consequences.

Debt collection companies and credit management companies will need to take extra care when calling their Clients, Customers and Members as stricter outlines have been set by the GDPR. For example, if the caller’s identity cannot be proven from the number e.g. a work number, this has now been deemed as unacceptable practice.

All action involving the individual’s data will need to be conveyed to the subject first, informing them of the source of the data, how it was obtained, and of course the credit controller’s contact details which he/she must provide. If anything changes with the data, if it is transferred to a third party, or even if the individual wishes advice on withdrawal methods, these must also be communicated.

The most common way to relay to the subject how their data will be used is through a privacy notice. This information will need to be clear and intelligible, and in simple language for the consumer to understand. This will be particularly difficult within credit management, where information can be technical and complex, and due care will need to be taken. For further information about the privacy notice GDPR requirements, see the ICO website.

2. Consent-Based Data Processing

One of the biggest changes Credit Managers will face is that data processing will become more consent-based.

When a company needs the consent of the data subject, this must be freely given and unambiguous. It must include a positive ‘opt in’ or ‘opt out’ with no reliance on pre-ticked boxes or presumptive silence. When credit management or collection companies conduct marketing stratagems, they will need to get positive consent from the customer before using their contact details on email subscription lists or social media websites.

While giving people control over their personal data is of course a good thing, it does subsequently take the power away from businesses that, in some circumstances, may be better informed than the individual.

When individuals withdraw consent, for example, this puts credit management companies in a rather precarious position. Giving people the right to hide their data from financial institutions means individuals who are in debt and avoiding payment will be harder to locate and could potentially end up in a dire financial situation as a result.

The current Data Protection Act has safeguards to prevent such situations, and the Information Commissioner’s Office (ICO) has confirmed that these will still be in place within the new law. These “legitimate interests” have been put in place by GDPR to allow controllers to use personal data in strict circumstances, even when the data subject’s consent is not possible.

Even with “legitimate interest” the individual still has the power, and controllers wishing for information, with or without consent, still need to follow strict guidelines. Individuals still need to be informed of the request for their data, and the controller cannot ask for excessive information or anything irrelevant or out of date.

3. Data Loss

Individuals will now have the ‘right to be forgotten’ or the right to erasure. This gives them the right to delete any files and data that are no longer classified as necessary.

This can be a direct result of withdrawal of consent, or when the original purpose of the data is no longer valid e.g. debt is recovered, or even when the data was processed unlawfully or without legal obligation. Under the current data legislation, individuals are only allowed to request you delete files when the process has caused distress or damage; under GDPR these restrictions will be waived.

There is a growing fear for the collections industry that through these requests for erasure, the level of information available will be reduced. This could lead to increased operation expense for the industry, as well as further issues for the individuals they are trying to protect.

For instance, while the individual’s data may not be seen as ‘necessary’ at the time, if there are any future debts or lending involving this individual, the agency will be less informed and therefore less likely to reach a positive solution. If previous debt behaviour histories are not available because they’ve been asked to be deleted, then the credit provider and the collector will have less information on which to base future credit decisions and collection policies.

Obviously with such potential for impact, this encouraged discussion from credit reference agencies, and as a result some safeguards have been put in place. Certain “legitimate interests” are again permitted, and similarly customer account details will still be able to be passed to third parties e.g. debt collection companies.

As with the guidelines surrounding consent, the individual will always need to be informed of any ‘legitimate’, or otherwise, interest in their data.

Action For Now

In preparation for the new regulation, the Credit Protection Association recommends that all our Member companies appoint a Data Protection Officer to oversee and manage all data issues. This person can be hired within the company and will inform your business on its GDPR obligations, monitor compliance with the new legislation, and of course be the first point of contact for any data-related queries.

Make sure you can identify the personal and sensitive data that you hold and who has access to it. Make sure you know why you are holding the data and what your grounds for processing it are. Find out what the high-risk data handling processes in your business are and look at how to improve them. GDPR is not just a business risk, it can also be an opportunity. As you investigate and make changes, you will likely be able to identify ways to improve and streamline your business, differentiating it from your competitors.

Businesses should take a fine-tooth comb to their policies, procedures, and safeguards to make sure they comply. Ensure your staff are well and truly in the know on what to expect next year.

The Credit Protection Association is taking GDPR very seriously, reviewing all its processes and looking to make changes where necessary. We encourage all our Members to do the same.

The way we process our data is changing shape, and within credit management where data is so essential to the way we conduct business, this is something we cannot avoid. Although the new law will not come into play until next May, businesses should not delay preparations. When the consequences are large fines, complacency is somewhat dangerous.

Ultimately please be ready, be informed and be prepared.

Ella Bond, 16/11/17

The Credit Protection Association is a credit management company established in 1914. If you supply goods or services on credit then we can help you!
