GDPR anyone?

jlfrs · 12 March 2018 at 3:00PM

Hello all,

I have never been comfortable with credit reference agencies sharing my personal data amongst themselves and in the case of Experian, selling it on (and subsequently having it put at risk through being hacked). I am wondering whether the upcoming GDPR regulations in May might curtail these practices - the fines could be enormous:

https://www.eugdpr.org/

Does anyone have the inside track?

[Deleted User] · 12 March 2018 at 3:02PM

What is it you want to know? It's a big subject.

jlfrs · 12 March 2018 at 3:38PM

That GDPR will prevent credit agencies from collecting and sharing personal data without my permission in the main. According to what I've read, I could exercise my "right to be forgotten" and insist Experian et al delete my data completely.
Same goes for insurance companies who share personal data between themselves.

[Deleted User] · 12 March 2018 at 3:45PM

It's unlikely to be that simple. It will depend on what basis the data is being collected and processed.

An interesting Experian article here, that addresses some of that. http://www.experian.co.uk/crain/index.html#question11

In particular, they reference the rights of others as an opposition to being forgotten.

If you are able to exercise your right to be forgotten, it will probably mean no access to credit, as few mainstream lenders don't use CRAs. There's little practical difference between a poor credit history and no credit history, once you get past 18.

jlfrs · 12 March 2018 at 3:55PM

Appreciated ZX81. The thought of approaching companies and institutions to become a "non-person" does have a certain attraction! However, as it's permission-based as in "if you do not consent to our using your data in this way we cannot accept your application, etc" then I imagine it'll largely be business as usual, otherwise some industries simply couldn't continue to function.

AstroTurtle · 12 March 2018 at 4:03PM

jlfrs wrote: »

Appreciated ZX81. The thought of approaching companies and institutions to become a "non-person" does have a certain attraction! However, as it's permission-based as in "if you do not consent to our using your data in this way we cannot accept your application, etc" then I imagine it'll largely be business as usual, otherwise some industries simply couldn't continue to function.

Consent is also one of multiple "Lawful Basis" for processing of data.

They can say they have a "Legitimate Interest" in processing your data or a "Contractual".

There's more to it than just Consent.

MEM62 · 12 March 2018 at 4:10PM

jlfrs wrote: »

That GDPR will prevent credit agencies from collecting and sharing personal data without my permission in the main. According to what I've read, I could exercise my "right to be forgotten" and insist Experian et al delete my data completely.
Same goes for insurance companies who share personal data between themselves.

Then your understanding of how GDPR works is incorrect. You will have already given permission for your data to be passed to these organisations either as a 'data controller' or 'data processor' when you signed up to various credit agreements and financial services.

You are correct in that you will have a theoretical right to ask for all data to be deleted but this will not apply to data that is held by organisations because they either (a) have a legal obligation to do so or (b) have a requirement to hold it in order to provide you with a product or service.

The other thing that you will need to consider if you want to be completely 'forgotten' is how you will be expecting companies to provide you with financial services (loans, banking services and insurance etc) when your identity and credit history cannot be checked? In this respect you will cease to 'exist'. Fine if you want to live off the grid but most of us cannot.

tenchy · 12 March 2018 at 4:14PM

A couple of things to look out for; how will this affect water companies credit checking you and reporting your account to the CRAs without your permission, given that there are no T&Cs or contract in connection with domestic water supply? And, will banks be forced to gain your EXPLICIT consent before they supply CATO information to the CRAs?

Also, when GDPR comes in, you'll be able to apply for a SAR at no cost, so it would be a good idea to apply to the CRAs. That is, apply for a SAR instead of, or as well as, your credit report.

Realistically I think there will be a whole host of exemptions that will permit the CRAs and others to carry on exactly as they are now. Data processing legislation is already shot through with get-out clauses and general vagueness, and that is set to continue.

[Deleted User] · 12 March 2018 at 5:05PM

Banks have a legal obligation to keep records for 5 years for the purposes of financial crime prevention, so you won't be getting any data deleted for at least that long.

After that point, you still won't have much luck under the right to be forgotten as firms will still be able to retain data for commercial reasons i.e. if you ever defaulted they can keep that data for as long as it's relevant to them.

Brooker_Dave · 12 March 2018 at 6:16PM

Deleted_User wrote: »

It's unlikely to be that simple. It will depend on what basis the data is being collected and processed.

An interesting Experian article here, that addresses some of that. http://www.experian.co.uk/crain/index.html#question11

In particular, they reference the rights of others as an opposition to being forgotten.

Well they would say that, would they not?

It seems under GDPR consent to share and process data has to be asked for, not just some click box of hidden T&Cs.

[Deleted User] · 12 March 2018 at 6:18PM

Well, yes, they would say that because that's what they're saying.

If they go the consent route, yes, it needs to be asked for. Explicit and unambiguous is how it's referred to.

But of course, they don't have to go the consent route and may choose another basis.

GDPR anyone?

Comments

Categories

Get our FREE Weekly email full of deals & guides - and it’s spam-free