P2P lenders prepared for new data rules
PEER-TO-PEER lending platforms have welcomed the new General Data Protection Regulation (GDPR) and confirmed that their processes meet with the new EU standard.
“We welcome any measures which safeguard personal information, and very much see GDPR as a significant force for good – not least in recent times, where data has too often been dubiously acquired and unscrupulously used,” said a spokesperson for Lending Works.
A RateSetter spokesperson told Peer2Peer Finance News that the firm “has implemented a comprehensive cross-departmental project to ensure [we are] compliant with new data protection legislation,” while Landbay chief executive and co-founder John Goodall said that “we view GDPR as an opportunity to further build customer trust and confidence and continue to offer quality information to our customers.”
However, a legal expert has warned that GDPR compliance is an ongoing concern which may raise new issues in the future.
Read more: Personal data: Handle with care
Jonathan Segal, head of fintech and alternative finance at law firm Fox Williams, said that P2P platforms should “be ready for an increase in subject access requests” from both customers and staff and have a policy in place to deal with these.
“Customer data should be encrypted, in particular sensitive customer data such as bank account and card details,” Segal said. “If you lose that data (e.g. through a hack), by encrypting the data you will have minimised your risks and reduced any potential liability from the breach.
“You would also need to look at your data retention policy and regulatory requirements surrounding retention of data. If you do not have a policy then you should formulate one. You will reduce risk of fines by the Information Commissioner’s Office if you have appropriate data retention policies in place and you follow them.”
GDPR is an EU-wide directive that came into effect on 25 May. It is the most sweeping data protection law to have been introduced since the arrival of the internet and forces every business in the EU to adhere to certain standards with regards to data storage and usage. This means that companies require explicit permission from customers to add them marketing lists, and they must prove that they can effectively secure sensitive customer data.
Read more: Two in five SMEs unprepared for data compliance laws
However, a number of platforms told Peer2Peer Finance News that they do not expect the new regulations to have a big impact on their business growth.
“If someone doesn’t want you to engage they are unlikely to have ever become a new customer,” said Ian Anderson, chief operating officer at ArchOver. “The biggest challenge has been working with external suppliers to ensure they are compliant and handle our data properly.”
RateSetter said that it relied on its referral programmes to win new customers, and not email marketing campaigns. Meanwhile, Landbay’s Goodall said that he was “not worried” about losing customers through GDPR “as our customer acquisition strategy is not heavily reliant on email marketing”.
GDPR was approved by the EU Parliament on 14 April 2016 and all EU companies were given a compliance deadline of 25 May 2018. Failure to adhere to the law can result in a fine of up to €20m (£17.5m). It will replace the UK’s Data Protection Act of 1998, and will become a permanent part of UK law, despite Brexit.
Read more: Business groups herald plans for post-Brexit data sharing
This article featured in the June edition of Peer2Peer Finance News. Click here to read the magazine online.