
Blog: GDPR in credit and collections: getting through the early stages

12 July 2018  
Daniel Spenceley

Daniel Spenceley is the Credit Services Association’s Compliance Manager.


The introduction of new data protection law earlier this year has had a significant impact on businesses across the UK, including in the collections and purchase sector. The General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018 have brought in new and expanded requirements for companies handling personal data. CSA member companies have to share and hold vast amounts of customer data, much of it sensitive, as part of their core business, which meant they needed to make changes to ensure they were ready for the start of GDPR. Thus far, all indications are that our industry was well prepared for GDPR and we as the trade association put a lot of effort into helping members get to that position – producing and sharing detailed guidance; inviting expert guest speakers to our events; and hosting a series of webinars around key data protection issues.

The UK’s information commissioner, Elizabeth Denham, has made clear that 25 May 2018 was only the beginning. GDPR may have started to apply but that does not mean everything is 100% clear and that all firms are compliant. There is still work to be done. The CSA has therefore dedicated a whole stream to it at our UK Credit & Collections Conference on 13 September 2018.

One of the speakers delivering interactive sessions as part of the stream is Toni Vitale, a Partner and Head of Regulation, Data and Information at law firm Winckworth Sherwood. He provides legal advice to clients on data protection and privacy and has previously worked in-house for organisations such as IBM, Virgin Media, YouView TV and BGL Group (owners of He has also been a spokesperson on GDPR in the national media where he has highlighted the unnecessary flood of consent emails into consumers’ inboxes ahead of the 25 May 2018 implementation date. Previous attendees at CSA events will be familiar with Toni’s superb coverage of GDPR, demonstrating his expertise and knowledge by delivering highly informative presentations and workshops. Since Toni’s first presentation for the CSA back in 2014 we have asked him to return to our flagship events year on year due to the value attendees receive from attending his sessions.

At the conference, Toni will be looking at GDPR four months on from its implementation and assessing how industry, individuals and the regulator are adapting to the new requirements. He’ll also consider the regulator’s approach to enforcement under the new law, particularly around the increased potential penalties. And looking to what’s coming next, Toni will be taking a look at developments around the new E-Privacy Regulation.

Ongoing challenges with compliance

One of the sessions at the conference will focus specifically on the challenges with GDPR compliance and provide a practical case study of a Data Protection Officer who has been through the process so far. This will provide attendees with key insight into the day-to-day practicalities and demands of implementing and maintaining data protection compliance. As GDPR starts to become business-as-usual, consumer awareness and understanding will grow and evolve, so it is essential that firms and their DPOs are equipped to respond to challenges and requests efficiently and compliantly.

The GDPR stream will also present a valuable opportunity for members to share their experiences so far. It will be particularly interesting to hear from larger and smaller firms, to see how similar or different the impact and preparation has been.


The regulator’s response

There is a lot of interest in how the Information Commissioner’s Office (ICO) approaches the application of the new data protection laws. In the lead-up to 25 May 2018, the ICO indicated that it is not their intention, at least in the early stages, to dish out fines across every single breach of the new law; instead, they want to work with firms to help them comply. In fact, Elizabeth Denham has outlined her view in a recent blog. Of course, that does not mean the ICO will not be imposing fines; where there are blatant and deliberate or negligent high-risk breaches, they will act accordingly. The ICO has given firms a reasonable idea of what their enforcement priorities will be in their draft Regulatory Action Policy, which outlines their approach to taking regulatory action under the new law.


Pre-implementation fears vs post-implementation reality

We will take a look at whether some of the initial fears specific to the collections sector have been realised in the opening months of GDPR application. For example, many members were preparing for an influx of subject access requests, with firms no longer permitted to charge a fee. A number of firms were putting teams in place in anticipation of an increase in requests, fearing that it would present a significant administrative challenge and potentially be exploited as a way of delaying the collection process. At this point, it remains to be seen whether this has been the case.

Another challenge for firms has been making sure that people actually understand what you’re doing with their data and why you’re processing it, and that you do actually have a valid reason to use it. The new requirements to demonstrate compliance and to keep individuals informed have seen a vast amount of lengthy privacy notices landing in people’s inboxes, alongside a number of (potentially unnecessary) requests for consent, and it’s likely that the sheer volume of communications has in fact led to individuals knowing less about how their data is being used, rather than more.

With GDPR still such a hot topic and lots of areas still to understand, I look forward to seeing plenty of you in the sessions at the conference, identifying remaining areas of contention and sharing best practice, to make sure that we as an industry are positioned to maintain and demonstrate data protection compliance well into the future.


