The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is the most comprehensive overhaul of the way personal data is stored, processed and communicated in this country. As an organisation that handles a significant amount of personal data, it is our responsibility to outline our procedures in a transparent manner and explain what we are be doing to comply with the new regulations.
We have also outlined the basis of the new regulation in a simple and straightforward way. The GDPR is complex and this is not intended to be a complete overview of all the duties we / you need to undertake in order to be compliant. However, it is hoped that by publishing this document, this will enable you to understand how important it is to comply with GDPR, review your organisation’s data processing activities and produce your own policy document.
Introduction to General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016 and came into effect on 25 May 2018. The GDPR replaces the Data Protection Directive 95/46/EC and is intended to harmonise data privacy laws in order to protect the data privacy of all EU citizens. GDPR applies to all organisations (controllers and processors) processing the personal data of EU residents.
For data processing to be lawful under GDPR, organisations must identify and document the legal basis for each of its data processing activities before it processes personal data.
As with the Data Protection Act, you need to gain consent from the person in order to process their data but there are much stricter rules under the GDPR. Following the introduction of the Act in May 2018, your data processing activity must be communicated in a transparent manner – with particular attention paid to the question of consent.
Failure to comply with the GDPR creates a significant risk for your business. For example a personal data breach could result in a ‘Stop Order’ forcing a shut down of all data processing activity. Organisations in breach of the GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater) for the most serious infringements. It is important to note that these rules apply to both controllers and processors and ‘clouds’ will not be exempt from GDPR enforcement.
It is not enough just to comply with these principles, you must be able to demonstrate compliance. This means having updated policies about how personal data is managed, responsibilities allocated, staff trained and systems audited. It also means bringing in technical measures to improve safety and security.
Under the GDPR there is a higher standard for consent. Consent is defined as a ‘freely given, specific, informed and unambiguous indication of a data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data to him or her’
Consent must be clear and provided in an intelligible and accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Organisations need to ensure that their technology systems to allow for demonstrating consent as well as easy withdrawal of consent.
Individuals have the right to object to the processing of their personal data for direct marketing purposes.
Under the GDPR, the supervisory authority needs to be notified of any data breach without undue delay and within 72 hours. Controllers must also notify data subjects of a data breach involving their personal data unless the breach is unlikely to result in a high risk for the rights and freedoms of the data subjects, or appropriate technical and organisational measures such as encryption were in place at the time of the breach.
Right of access
The right of access is substantially different under the GDPR. Everyone has the right to obtain confirmation as to whether or not personal data concerning them is being processed as well as details as to the purpose for which this data is processed.
The GDPR introduces a best practice recommendation that where possible, organisations should provide data subjects with remote access to a self-service system in order to be able to access this information.
Right to be forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase their personal data, stop any sharing of their data and potentially prevent third parties from processing the data too. The right to be forgotten is not an absolute right and there are certain grounds on which the right to be forgotten can be refused including the right to freedom of expression and information, or where the personal data is processed in the exercise or defence of legal claims.
Data Subject Rights
The full list of data subject rights introduced or strengthened by the GDPR are as follows:
GDPR introduces the right for an individual to receive their personal data and to have the right to transmit that data to another controller. This is not an absolute right and only applies in certain circumstances.
Privacy by design
Privacy by design requires data protection to be included in the designing of systems from the start and to be embedded in all data processing activities. The controller shall implement appropriate technical and organisational measures in an effective way in order to meet the requirements of this regulation and protect the rights of data subjects’ Only data absolutely necessary for the completion of its duties can be processed and access to personal data is limited to those who carry out the processing.
Information about how and why you process someone’s data is different under the GDPR. The information you provide to people about the way you process their data must be:
In addition to explaining how you collect personal data, your identity and how you intend to use the data, you will also need to specify:
It is recommended that current privacy notices are reviewed so that they comply with the GDPR.
For all the latest information about the GDPR please see the ICO website at https://ico.org.uk
Preparing for GDPR checklist
Our current procedures
When a client / customer supplies personal data to dsl, this is given to us in the form of a spreadsheet sent via a secure portal found on our website: www.dsluk.net outlining the name, address and contact details for the customers, together with details of the debt amount.
This data is then used to contact defaulters to collect debts.
We also send invoices and statements via email.
Secure Data Portal
Customers are issued with a unique reference number and password that enables the transfer of data via an encrypted portal, following safe receipt dsl carry out a GDPR compliance check of the data and then start the debt collection process.
DSL customers will still receive paper versions of invoices and statements, unless you request otherwise.
How does DSL use personal data?
In order to collect debts, DSL staff use personal data supplied to us in order to contact individuals and organisations via the following methods:
From time to time, it is necessary for DSL to share personal data with the following:
In order to ensure that we are GDPR compliant, we are compiling a risk register to identify any areas of potential risk for data breaches. As we have less than 250 employees, we will also document processing activities that:
• are not occasional; or
• could result in a risk to the rights and freedoms of individuals; or
• involve the processing of special categories of data or criminal conviction and offence data.
DSL Data Systems are managed and supported by Fathom, Fathom Security Policy accompanies this policy.
dsl have proved to be a vital service to our cashflow and credit control. Linda just gets on with it and flawlessly handles our invoicing and payment collection each month to ensure a smooth workflow for our business. I cannot recommend her high enough.
As a firm of Solicitors we use DebtSolve to collect invoice debts for our clients and to serve important Court documents.
I have no hesitation whatsoever in referring a debt to Debtsolve to collect. My experience of them is that they are very quick, proactive and thorough. They seem to treat each debt as though it were owed to them. My clients have reported that Debtsolve contact them with requests for more information and to give updates of progress.
I referred an old invoice debt to them recently for a client. Debtsolve collected the whole of the amount due within 24 hours of receiving my instruction.
“DSL provides a fast, easy and comprehensive reporting service to enable us to make good decisions rapidly when asked to start credit terms with a customer.
They recently helped us avoid a potential problem: the temptation to provide credit facilities to ensure a large conference booking, could have led to us chasing the payment, as the record on research showed poor results and CCJs. We didn’t lose the business but were able to request and receive payment in advance.
The reports also enable us to demonstrate to our insurers that we are taking due care when allowing payment on account”
“DSL have allowed me to relax with the monthly collection of a loan that I never thought I would ever see again. They have acted both professionally and personally by being a dependable and very friendly cornerstone to the recovery of my money which I just could not afford to lose. Many thanks to you all! I can sleep at night.”
I’m pleased to have been associated with DSL for many years now and still find them today as efficient and helpful as they were the first time I spoke to Linda and Mike Brooks around ten years ago. They offer afar better, more personal service than any other debt recovery company I have used in the past. You can be assured that they treat any debt you pass them as if it were their own and they will always go that extra mile to help you out. They have persevered with some very difficult customers I have given them over the years and they have still come through with full payment. A five star service from a very helpful, friendly and efficient five star team.”
The VMG Board would like to offer formal thanks for you all for delivering an excellent series of talks on [Debt Management within GDPR regulations], at our inaugural VMG Regional Roadshow.
Fourteen meetings, spread across the width and length of the UK was a huge ‘ask’. When coupled with the adverse weather conditions experienced during the first part of 2018 it was a much-appreciated sterling effort to fulfil the commitment that started as a char over a coffee at LVS.
Collecting veterinary debt throughout lockdown has been challenging to say the least. Several factors helped fuel debt growth: growth in pet ownership, car park consultations and treatment being carried out in practice while owners waited anxiously outside. That’s fine and the process worked in terms of treatment. The real problems occurred when it came time […]
Customers have access to debt information and answers to queries whenever they need it? That’s what this brief post is all about.The DSL digital office is now available free of charge, clients can access debtor records in their entirety 24/7, send us messages regarding individual customers, amend balances, withdraw or send new debts securely.As debt […]
Now that the dust has settled almost two years since the introduction of GDPR regulations, we’re beginning to get a better picture of how these changes have impacted the world of veterinary debt collection. In general terms, most veterinary practices bought into the spirit of the regulations, even though few really understood what it all […]
A career with us means being part of a standout business with a clear vision and strong values. We’ll give you everything you need to do a great job, and your contributions will be properly recognised, highly valued and well rewarded.Latest vacancies