PEER-TO-PEER lenders are starting to prepare for new rules on protecting data.
The General Data Protection Regulation (GDPR) will replace the Data Protection Act (DPA) from 25 May 2018, requiring customers to ‘opt in’ to any form of consent rather than automatically being opted in.
There are also more privacy protections, with customers able to remove consent or have their data erased. Websites need to ensure they are protecting users’ personal information, including IP addresses and biometric passwords.
All firms will need to check how data is recorded and processed, and a data protection officer must also be appointed to monitor and report any concerns to senior management.
A RateSetter spokesperson said its preparations were on track and an existing employee had been appointed as a data protection officer, while Lendy said its head of compliance would monitor the project.
“GDPR will ensure that firms use plain English when writing and maintaining such documents as their privacy statement while ensuring total transparency regarding the consent customers provide the firm to record and use their ‘personal and sensitive’ data,” a spokesperson said.
“The GDPR regime will have a greater impact on banks as people are ever more fearful of the data banks hold about them.
“Customers of P2P feel more invested as part of the platforms they invest in and the trust is somewhat greater. However, we naturally are aware of the increased policy that we have needed to adopt and are conscious of the increased cost this will lead to for platforms as bureaucracy tends to attract.”
Alison Deighton, head of data protection and privacy at law firm TLT, said accountability will be key to GDPR.
“Regulators have strong audit rights that can be exercised at any time,” she said.
“Above all, lenders need to make sure that they have put in place an appropriate governance structure for compliance across the business, combined with robust policies and procedures that are not only implemented but regularly monitored and enforced.
“These policies and escalation processes need to be trained through to all employees to help lenders avoid inadvertent breaches due to lack of employee awareness.
“Data mapping is also an important exercise to help lenders build the data processing records they are required to keep and to ensure compliance with transparency obligations and individuals’ rights.”