UK business owners, websites and organisations will have to start adhering to the requirements of the EU General Data Protection Regulation (GDPR) that officially come into force on May 25th 2018.
GDPR is designed to strengthen data privacy law across Europe (although the UK is leaving the EU, it still adopts incoming EU legislation after Brexit) and to reshape the way websites and companies approach data protection.
The financial consequences of not becoming GDPR compliant once the new legislation comes into force are significant, and could seriously affect the online loan industry.
Loan websites, and specifically brokers, that fail to meet the new data regulation standards could face a fine of up to 20 million euros (previously capped at 500,000 euros) or 4 per cent of turnover, whichever is the greater amount. So how can loan websites become GDPR ready? We take a look at some of the ways.
To make a loan website GDPR compliant, forms on the site will no longer be allowed to use pre-ticked boxes. A pre-ticked box does not count as genuine consent; instead you will need to provide an opt-in tick box that the user ticks themselves.
Potential applicants and customers should also have a very clear understanding of what happens when they submit their details. This is a particularly grey area for comparison websites and brokers such as Money.co.uk and All The Lenders, which do not deal directly with the user but recommend the loan products of others. So whether the customer is applying for a mortgage or a short term loan, their journey needs to be much clearer, with customer data being sent to multiple companies only as a last resort.
It is encouraged that all loan websites have an SSL (Secure Sockets Layer) certificate; you can tell whether a website has one because a ‘padlock’ symbol is visible in the address bar. It gives you https in the address bar, which encrypts the connection between the visitor and your website and therefore helps to reduce the threat of security attacks and data breaches.
This is particularly important for companies that accept online payments on their websites. They will most likely be using some form of payment gateway for these transactions and may be collecting personal data before it is passed on to the payment gateway, which makes SSL encryption almost certainly necessary.
SSL certificates are not the only way to increase security and make a loan website GDPR compliant. For example, assigning customers specific IDs can also help. This means that should a data breach occur, the customer's actual name remains unavailable to scammers, because their data is held under a specific ID rather than under their name.
The policy itself should state exactly how long data will be stored for, and the site should introduce processes that remove all personal information after a set period (e.g. after 90 days). A loan website will also have to remove this information if a customer requests that the company does so.
Notifying about data breaches
Under the new EU regulations, all websites and organisations will have a duty to report particular types of data breach to the Information Commissioner’s Office (ICO), or the company could receive a huge fine.
Until now, loan companies and providers would also keep old applicants’ details on file, even if they were declined. Whilst there was no obligation to delete this information, doing so is now compulsory if the customer requests it. As a lender or broker, if someone asks to be removed from your database, you must do so under the new GDPR legislation, and there must be no trace left.
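As an added illustration (not code from the article), here is a small Python sketch of the practices described above: application records keyed by a pseudonymous customer ID that is kept apart from the name and email, a 90-day retention purge, and erasure on request that leaves no trace. The class, method names, the secret "pepper" and the sample applicants are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

RETENTION = timedelta(days=90)  # retention period used in the article

class ApplicantStore:
    # PII and application records sit in separate tables linked only by a keyed
    # pseudonymous ID, so a breach of the application table alone names nobody.
    def __init__(self, pepper: bytes):
        self._pepper = pepper        # secret HMAC key; keep it outside the database
        self._identities = {}        # pid -> {"name", "email"} (access-restricted)
        self._applications = {}      # pid -> list of records carrying no PII

    def pseudonymous_id(self, email: str) -> str:
        # Keyed hash: without the pepper an ID cannot be matched back to an email.
        mac = hmac.new(self._pepper, email.strip().lower().encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    def record_application(self, email, name, amount, decision, submitted: str) -> str:
        pid = self.pseudonymous_id(email)
        self._identities[pid] = {"name": name, "email": email}
        self._applications.setdefault(pid, []).append(
            {"amount": amount, "decision": decision,
             "submitted": datetime.fromisoformat(submitted)})
        return pid

    def purge_expired(self, today: str) -> int:
        # Drop records older than RETENTION; drop the identity too once none remain.
        now, removed = datetime.fromisoformat(today), 0
        for pid in list(self._applications):
            kept = [r for r in self._applications[pid] if now - r["submitted"] <= RETENTION]
            removed += len(self._applications[pid]) - len(kept)
            if kept:
                self._applications[pid] = kept
            else:
                del self._applications[pid]
                self._identities.pop(pid, None)
        return removed

    def erase_on_request(self, email: str) -> bool:
        # Right to erasure: remove the identity and every record, declined applicants too.
        pid = self.pseudonymous_id(email)
        had_identity = self._identities.pop(pid, None) is not None
        had_records = self._applications.pop(pid, None) is not None
        return had_identity or had_records

    def has_trace(self, email: str) -> bool:
        pid = self.pseudonymous_id(email)
        return pid in self._identities or pid in self._applications
```

In a real deployment the identity table and the pepper would live in separately secured stores, and the purge would run on a schedule rather than on demand.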