With the GDPR deadline fast approaching, we spoke with Neil Bentley, Head of Legal at Callcredit, to discuss what the regulation change has meant for our business and how we’ve prepared for it.
Neil has worked closely with the relevant teams across Callcredit and has contributed to resources that have been issued to clients and published on our site.
Starting with something topical: GDPR comes into effect against the backdrop of the Cambridge Analytica and Facebook story. Do you think the regulation changes will be a tool for brands to help them begin to win back trust with consumers around marketing and messaging?
The Cambridge Analytica story shows just why we need GDPR. Individuals need protecting from big business misusing their data. Under GDPR we, as consumers, will know that we are in control – we can demand to be informed, to have access to our data, to correct it, to move it to new providers and, in most cases, to have it deleted.
Being transparent with consumers, especially when doing innovative things with their data, will be vital for technology businesses going forward. Hiding information away in obscure, lengthy T&Cs or persuading a consumer to part with vast amounts of personal data in exchange for some free app have to become things of the past.
That makes sense. Thinking about the opportunity this presents, how do you feel the industry has tackled GDPR, and how effectively do you think the changes in what can and can’t be done with data have been communicated to the consumer?
As you’ll know from your home inbox, many businesses are now actively seeking consent or reminding you of their presence to meet GDPR requirements. It’s good to see the new regulations being embraced. There will be a whole range of approaches though – some adhering to the letter and spirit of the GDPR and others not quite getting it.
As a data business, we’ve taken GDPR very seriously and had a two-year programme, making some tough calls along the way. Others haven’t (perhaps they thought it wouldn’t happen?) so they are trying to catch up in a very short space of time.
It will be interesting to see how the media talks about the changes in the coming weeks and months. We’ll no doubt be hearing a lot about the ‘Right to be forgotten’ and ‘Data portability’, but without the nuance of the legislation and ICO’s guidance. We’ll need to do a lot of explaining, particularly when people want to delete their CCJs and defaults!
Looking back over the past few years, can you summarise the actions we’ve taken to become GDPR compliant?
We’ve been preparing for GDPR since the text of the regulation was finalised in April 2016. We see the new regulation as a cultural change impacting all aspects of our business and how we work with our clients and consumers. Rather than a series of technical or compliance challenges in data protection, we’ve viewed it as an opportunity to shift the way we think about and use consumer data.
We’ve worked hard to make sure we understand the potential impacts of GDPR and updated our data, products, services and processes to align to the new regulatory requirements. Changes have varied from simple things like updating privacy statements right through to assessing the data we source and use, and contracts being reviewed and updated.
We began by reviewing our top-selling products, to assess the gap and the work needed to bring them up to the GDPR standard. The Product team then turned those assessments into GDPR-ready releases, working through our entire product suite.
We’ve also focused on internal processes, including training for all staff and enlisting the help of volunteers to act as ‘GDPR Champions’ in every team across the Group – they documented each process and the data involved, and delivered action plans to make them compliant.
We’ve worked with the other CRAs too to develop the industry-wide ‘Credit Reference Agency Information Notice’ (or CRAIN), which clients are now linking to with every credit application.
Focusing in on the product changes you’ve listed, what will clients find different about our products post-May 25?
Most Callcredit products will be just the same – the same APIs and web interfaces as before. The changes have been made behind the scenes, ensuring that products deliver accurate data in a manner that both respects the rights of consumers and is transparent to them. We’ve also built in better processes to track how data moves between our back- and front-end systems.
We’ve retired some products and features, mostly where these relied on consumer consent or would have taken too much work to make GDPR-ready. Where this has happened we’ve worked closely with our clients to understand any potential impact and provided alternative solutions where appropriate.
Consent is much harder to obtain from 25 May. We’ll be replacing some of these products, but this will take time and depends on collecting the right data in a compliant manner.
How have we as an organisation embraced GDPR so that it becomes part of our everyday activity?
Data protection is core to our offering. The GDPR provides a much needed update to how businesses view, use and process data and takes account of the digital era we now operate in. Throughout our preparations, we’ve focused on minimising the potential disruption and cost of GDPR for our clients by keeping change for users to a minimum, while also making sure we provide compliant products and services.
We are running a Data Protection Act-compliant organisation: GDPR shifts this up a gear, requiring that we are not only compliant but that we can demonstrate our compliance too – the GDPR’s ‘accountability’ principle. We must expect to have to do this, for consumers, clients and regulators alike.
Operationally, our business-as-usual processes will reflect our need to be more transparent about data use (through CRAIN, new fair processing notices and new search footprints) and to keep more records (with our Data Asset Catalogue, Records of Processing Activities and our documented data governance processes throughout the data lifecycle).
As I mentioned before, GDPR is not about compliance by box-ticking. It requires cultural change, which always takes time.
As GDPR becomes the norm for organisations handling data, are we likely to see further GDPR guidance from the ICO and, looking to the horizon, what other related regulation is it good to keep in mind even at this early stage?
The ICO has been very active as the 25 May deadline approaches. Some guidance has yet to be finalised; hopefully we’ll see that soon. Undoubtedly, ICO guidance will be refreshed and revised as consumers, businesses, regulators and the courts work out what GDPR should mean in practice.
Once the GDPR is live we will also have an EU-wide ‘European Data Protection Board’, which will seek to harmonise the application of the GDPR in over 30 countries. There are currently significant differences in approach to data protection across EU member states, so it will be interesting to see how those differences are ironed out.
Brexit will soon have an impact, but right now we don’t know what that will be. The UK government has already said that GDPR will continue to apply after March 2019, as it wants to ensure free movement of data between the UK and the remainder of the EU. If we are to remain in the European Economic Area, EU data protection laws will still apply to us directly.
Whether future EU legislation will apply in the UK will depend on our ongoing relationship with the EU. For instance, there is a planned ePrivacy directive, to replace the UK’s “Privacy and Electronic Communications” legislation. Watch this space!