Your browser isn't supported
It looks like you're using an old web browser. To get the most out of the site and to ensure guides display correctly, we suggest upgrading your browser now. Download the latest:

Welcome to the MSE Forums

We're home to a fantastic community of MoneySavers but anyone can post. Please exercise caution & report spam, illegal, offensive or libellous posts/messages: click "report" or email forumteam@.

Search
  • FIRST POST
    • jlfrs
    • By jlfrs 12th Mar 18, 2:00 PM
    • 68Posts
    • 23Thanks
    jlfrs
    GDPR anyone?
    • #1
    • 12th Mar 18, 2:00 PM
    GDPR anyone? 12th Mar 18 at 2:00 PM
    Hello all,

    I have never been comfortable with credit reference agencies sharing my personal data amongst themselves and in the case of Experian, selling it on (and subsequently having it put at risk through being hacked). I am wondering whether the upcoming GDPR regulations in May might curtail these practices - the fines could be enormous:

    https://www.eugdpr.org/

    Does anyone have the inside track?
Page 1
    • zx81
    • By zx81 12th Mar 18, 2:02 PM
    • 16,800 Posts
    • 17,812 Thanks
    zx81
    • #2
    • 12th Mar 18, 2:02 PM
    • #2
    • 12th Mar 18, 2:02 PM
    What is it you want to know? It's a big subject.
    • jlfrs
    • By jlfrs 12th Mar 18, 2:38 PM
    • 68 Posts
    • 23 Thanks
    jlfrs
    • #3
    • 12th Mar 18, 2:38 PM
    • #3
    • 12th Mar 18, 2:38 PM
    That GDPR will prevent credit agencies from collecting and sharing personal data without my permission in the main. According to what I've read, I could exercise my "right to be forgotten" and insist Experian et al delete my data completely.
    Same goes for insurance companies who share personal data between themselves.
    • zx81
    • By zx81 12th Mar 18, 2:45 PM
    • 16,800 Posts
    • 17,812 Thanks
    zx81
    • #4
    • 12th Mar 18, 2:45 PM
    • #4
    • 12th Mar 18, 2:45 PM
    It's unlikely to be that simple. It will depend on what basis the data is being collected and processed.

    An interesting Experian article here, that addresses some of that. http://www.experian.co.uk/crain/index.html#question11

    In particular, they reference the rights of others as an opposition to being forgotten.

    If you are able to exercise your right to be forgotten, it will probably mean no access to credit, as few mainstream lenders don't use CRAs. There's little practical difference between a poor credit history and no credit history, once you get past 18.
    • jlfrs
    • By jlfrs 12th Mar 18, 2:55 PM
    • 68 Posts
    • 23 Thanks
    jlfrs
    • #5
    • 12th Mar 18, 2:55 PM
    • #5
    • 12th Mar 18, 2:55 PM
    Appreciated ZX81. The thought of approaching companies and institutions to become a "non-person" does have a certain attraction! However, as it's permission-based as in "if you do not consent to our using your data in this way we cannot accept your application, etc" then I imagine it'll largely be business as usual, otherwise some industries simply couldn't continue to function.
    • AstroTurtle
    • By AstroTurtle 12th Mar 18, 3:03 PM
    • 142 Posts
    • 518 Thanks
    AstroTurtle
    • #6
    • 12th Mar 18, 3:03 PM
    • #6
    • 12th Mar 18, 3:03 PM
    Appreciated ZX81. The thought of approaching companies and institutions to become a "non-person" does have a certain attraction! However, as it's permission-based as in "if you do not consent to our using your data in this way we cannot accept your application, etc" then I imagine it'll largely be business as usual, otherwise some industries simply couldn't continue to function.
    Originally posted by jlfrs

    Consent is also one of multiple "Lawful Basis" for processing of data.


    They can say they have a "Legitimate Interest" in processing your data or a "Contractual".


    There's more to it than just Consent.
    • MEM62
    • By MEM62 12th Mar 18, 3:10 PM
    • 1,572 Posts
    • 1,193 Thanks
    MEM62
    • #7
    • 12th Mar 18, 3:10 PM
    • #7
    • 12th Mar 18, 3:10 PM
    That GDPR will prevent credit agencies from collecting and sharing personal data without my permission in the main. According to what I've read, I could exercise my "right to be forgotten" and insist Experian et al delete my data completely.
    Same goes for insurance companies who share personal data between themselves.
    Originally posted by jlfrs
    Then your understanding of how GDPR works is incorrect. You will have already given permission for your data to be passed to these organisations either as a 'data controller' or 'data processor' when you signed up to various credit agreements and financial services.

    You are correct in that you will have a theoretical right to ask for all data to be deleted but this will not apply to data that is held by organisations because they either (a) have a legal obligation to do so or (b) have a requirement to hold it in order to provide you with a product or service.

    The other thing that you will need to consider if you want to be completely 'forgotten' is how you will be expecting companies to provide you with financial services (loans, banking services and insurance etc) when your identity and credit history cannot be checked? In this respect you will cease to 'exist'. Fine if you want to live off the grid but most of us cannot.
    Last edited by MEM62; 12-03-2018 at 3:12 PM.
    • tenchy
    • By tenchy 12th Mar 18, 3:14 PM
    • 360 Posts
    • 113 Thanks
    tenchy
    • #8
    • 12th Mar 18, 3:14 PM
    • #8
    • 12th Mar 18, 3:14 PM
    A couple of things to look out for; how will this affect water companies credit checking you and reporting your account to the CRAs without your permission, given that there are no T&Cs or contract in connection with domestic water supply? And, will banks be forced to gain your EXPLICIT consent before they supply CATO information to the CRAs?


    Also, when GDPR comes in, you'll be able to apply for a SAR at no cost, so it would be a good idea to apply to the CRAs. That is, apply for a SAR instead of, or as well as, your credit report.


    Realistically I think there will be a whole host of exemptions that will permit the CRAs and others to carry on exactly as they are now. Data processing legislation is already shot through with get-out clauses and general vagueness, and that is set to continue.
    • camelot1971
    • By camelot1971 12th Mar 18, 4:05 PM
    • 704 Posts
    • 1,096 Thanks
    camelot1971
    • #9
    • 12th Mar 18, 4:05 PM
    • #9
    • 12th Mar 18, 4:05 PM
    Banks have a legal obligation to keep records for 5 years for the purposes of financial crime prevention, so you won't be getting any data deleted for at least that long.

    After that point, you still won't have much luck under the right to be forgotten as firms will still be able to retain data for commercial reasons i.e. if you ever defaulted they can keep that data for as long as it's relevant to them.
    • Brooker Dave
    • By Brooker Dave 12th Mar 18, 5:16 PM
    • 4,899 Posts
    • 3,147 Thanks
    Brooker Dave
    It's unlikely to be that simple. It will depend on what basis the data is being collected and processed.

    An interesting Experian article here, that addresses some of that. http://www.experian.co.uk/crain/index.html#question11

    In particular, they reference the rights of others as an opposition to being forgotten.
    Originally posted by zx81
    Well they would say that, would they not?

    It seems under GDPR consent to share and process data has to be asked for, not just some click box of hidden T&Cs.
    "Love you Dave Brooker! x"

    "i sent a letter headded sales of god act 1979"
    • zx81
    • By zx81 12th Mar 18, 5:18 PM
    • 16,800 Posts
    • 17,812 Thanks
    zx81
    Well, yes, they would say that because that's what they're saying.

    If they go the consent route, yes, it needs to be asked for. Explicit and unambiguous is how it's referred to.

    But of course, they don't have to go the consent route and may choose another basis.
    Last edited by zx81; 12-03-2018 at 5:20 PM.
    • nic_c
    • By nic_c 13th Mar 18, 12:17 AM
    • 1,446 Posts
    • 791 Thanks
    nic_c
    That GDPR will prevent credit agencies from collecting and sharing personal data without my permission in the main. According to what I've read, I could exercise my "right to be forgotten" and insist Experian et al delete my data completely.
    Same goes for insurance companies who share personal data between themselves.
    Originally posted by jlfrs
    Nope, won't work. They can have it for the main legitimate reason of their business, they just need your permission to use it for other reasons, so everyone should be getting a consent letter for the selling on, but not for the holding of the data for the main purpose of the business, i.e. maintain your credit file.
    • MEM62
    • By MEM62 13th Mar 18, 11:19 AM
    • 1,572 Posts
    • 1,193 Thanks
    MEM62
    And, will banks be forced to gain your EXPLICIT consent before they supply CATO information to the CRAs?
    Originally posted by tenchy
    Interestingly, we are in the process of data mapping and setting up the requisite agreements with outside parties with whom we share data and our bankers are the only commercial organisation thus far not to play ball. Their current stance is that they work to the privacy and data handling rules encompassed within financial regulations and that is enough. I think our lawyers have a different view and I await the outcome of that discussion with interest.
    • jlfrs
    • By jlfrs 15th Mar 18, 2:04 PM
    • 68 Posts
    • 23 Thanks
    jlfrs
    My guess is that a bunch of companies and organisations for whom GDPR compliancy is either a long drawn out process or too complex and expensive to implement will rely on sandbagging. I suppose the question is what happens if they don't cooperate and how far is anyone willing to go?
    • Mee
    • By Mee 15th Mar 18, 2:32 PM
    • 1,090 Posts
    • 1,039 Thanks
    Mee
    Interesting thread at:
    https://www.consumeractiongroup.co.uk/forum/showthread.php?477750-GDPR-potential-to-hit-DCA-and-Credit-Reference-Agencies
    • MEM62
    • By MEM62 16th Mar 18, 10:30 AM
    • 1,572 Posts
    • 1,193 Thanks
    MEM62
    My guess is that a bunch of companies and organisations for whom GDPR compliancy is either a long drawn out process or too complex and expensive to implement will rely on sandbagging. I suppose the question is what happens if they don't cooperate and how far is anyone willing to go?
    Originally posted by jlfrs
    Frankly, that doesn't work for us. In order for us to be compliant we have to have agreements in place.
    • deletemydata
    • By deletemydata 28th Mar 18, 12:32 PM
    • 2 Posts
    • 0 Thanks
    deletemydata
    Hi,

    GDPR applies to every single company or organisation in the UK regardless of size. There are an awful lot of very nervous people panicking about it at the moment because what companies don't want are the ICO getting complaints and then knocking at their doors and checking them out. I am new on this site but work in GDPR full time. I left another forum post here a few minutes ago about the scope of GDPR for an individual and it may help (still learning how to navigate around on here)
    GDPR Data Analyst and data privacy gurus
    • Tarambor
    • By Tarambor 28th Mar 18, 5:09 PM
    • 2,833 Posts
    • 2,051 Thanks
    Tarambor
    A couple of things to look out for; how will this affect water companies credit checking you and reporting your account to the CRAs without your permission, given that there are no T&Cs or contract in connection with domestic water supply?
    Originally posted by tenchy
    I think you'll find there are T&Cs for your water supply. Here's the one for my water company:

    https://www.yorkshirewater.com/sites/default/files/Charges%20scheme%202017-18v3.pdf
    • tenchy
    • By tenchy 28th Mar 18, 5:54 PM
    • 360 Posts
    • 113 Thanks
    tenchy
    I think you'll find there are T&Cs for your water supply. Here's the one for my water company:

    https://www.yorkshirewater.com/sites/default/files/Charges%20scheme%202017-18v3.pdf
    Originally posted by Tarambor

    No. Couldn't find anything about T&Cs in that document.


    It does seem a difficult one to get across, but for the supply of water there are no T&Cs; definitely not. You agree to nothing. They are obliged to supply you, and you are obliged to pay. That's it. Regarding their use of credit reference agencies, they proceed without your consent.
    • Uxb
    • By Uxb 28th Mar 18, 6:24 PM
    • 1,049 Posts
    • 1,110 Thanks
    Uxb
    Hi,

    GDPR applies to every single company or organisation in the UK regardless of size.
    Originally posted by deletemydata
    Not to mention nonprofit making sports and social clubs and their ilk who can ill afford someone willing to volunteer so sort out the necessaries.
    Then there are the hobby online forums all of whom will also be caught by this.

    Many might just decide to shut down instead.
    Another "success" story for the EU from whose stable the legislation came.
Welcome to our new Forum!

Our aim is to save you money quickly and easily. We hope you like it!

Forum Team Contact us

Live Stats

2,243Posts Today

8,500Users online

Martin's Twitter
  • It's the start of mini MSE's half term. In order to be the best daddy possible, Im stopping work and going off line? https://t.co/kwjvtd75YU

  • RT @shellsince1982: @MartinSLewis thanx to your email I have just saved myself £222 by taking a SIM only deal for £7.50 a month and keeping?

  • Today's Friday twitter poll: An important question, building on yesterday's important discussions: Which is the best bit of the pizza...

  • Follow Martin