GDPR Guide for Dealers

GDPR Guide for Dealers

What you need to know

What does GDPR stand for?

General Data Protection Regulation.

When does the law surrounding personal data protection change?

25th May 2018.

What is changing?

GDPR replaces the Data Protection Act 1998. This is in response to rapid technological developments which have changed the scale and method of collecting and sharing personal data. There will now be a stronger data protection framework, backed by stronger enforcement powers, aimed at managing the risks associated with large scale data sharing in the online space.

Who does GDPR apply to?

It applies to any business handling the personal data of individuals. The GDPR applies to ‘controllers’ and ‘processors’. A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller.

What types of data does GDPR apply to?

GDPR applies to ‘personal data’ (such as name, contact details, address) and ‘special categories of personal data’ (such as health information, race or ethnicity, political opinions and sexual orientation).

What are my responsibilities under GDPR?

There are six principles you should follow when collecting and using personal data:

  1. Collect and use personal information lawfully and fairly.
  1. Personal information should be collected and used for clear, legitimate purposes.
  1. The only personal information that should be collected and used is that which is necessary for the purposes for which it was collected.
  1. Personal information must be accurate and kept up-to-date.
  1. Personal information should not be kept for longer than is necessary to fulfil the purposes it was collected.
  1. Personal information should be protected from unauthorised use and against accidental loss, destruction or damage.
What are the individual’s rights under GDPR?

The individual has nine rights around what can and can’t be done with their personal data:

  1. The right to be informed – this means you must provide, at the point of collecting the data, a privacy or verbal notice informing the individual of how their personal information will be used.
  1. The right to access their personal information – this means that the individual has the right to know what information you hold on them, and to request a copy of it. This information must be provided free of charge.
  1. The right to get inaccurately recorded information corrected.
  1. The right to erasure – this means that the individual can request that their personal data is deleted from your records, also referred to as ‘the right to be forgotten’.
  1. The right to restrict how their personal information is used – this means that the individual has the right to object to how you use their personal information, including for direct marketing purposes.
  1. The right to receive their personal information in a legible and transferable format.
  1. The right to object to the use of their personal information.
  1. Rights related to automated decision making including profiling – this means the individual has the right to refuse their personal information being used to make a decision based on an automatic process without human intervention.
  1. The right to compensation – this means the individual has the right to compensation if you breach GDPR requirements and it results in them suffering any harm.
Who oversees the GDPR rules?

The Information Commissioner’s Office or ICO. You can find out more about the ICO and their Guide to the General Data Protection Regulation here.

What are the consequences of non-compliance under GDPR?

If you find that you have breached the GDPR rules, you must inform the ICO within 72 hours.

The ICO can take the following enforcement action after investigating a data breach:

  • Issue a warning notice;
  • Issue a disapproval notice;
  • Order you to notify the affected individuals about the personal data breach; and/or
  • Issue you with a fine of up to 20 million euros or up to 4% of your annual turnover.
What are examples of personal data breaches?
  • Access by an unauthorised third party;
  • deliberate or accidental action (or inaction) by a controller or processor;
  • sending personal data to an incorrect recipient;
  • computing devices containing personal data being lost or stolen;
  • alteration of personal data without permission; and
  • loss of availability of personal data.

Evolution Funding’s GDPR commitments to our dealer partners

Evolution Funding is currently undertaking a companywide project on GDPR to ensure that we are ready for the changes in 2018. The answers below are reflective of our current position on a number of key areas identified in GDPR.

This will be updated as we move through this project. If there is anything else you require clarification on, please contact your account manager.

Privacy Notices
What other parties may have access to the data or may have this data shared with them?

Our 3rd party funders; the FCA; collection agencies and enforcement agencies; 3rd party IT providers and credit reference agencies.

Our privacy notices, provided to data subjects regarding our use of their data, including its use for marketing, surveying the client and analysis.

Currently under review. Existing notices displayed on our website and are due to be updated before May 2018.

Do you subcontract any services outside the EU who may have access to this data?


Contracts will be updated to comply with GDPR, to include clear responsibilities and the purpose and use of the data?

This will be in place by the end of May 2018.

When will these updates be made and communicated to dealers?

Periodic updates will be made and communicated in your Dealer Operating Agreement.

Do you buy or sell databases to third parties?


Data Location
If data is processed outside the UK, what approach will we take to ensure customers are advised on this in our terms of privacy notice, and what contractual documentation will we have in place to cover these transfers?

It may sometimes be necessary to transfer personal information overseas. When this is required information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of GDPR.

Data/systems can be accessed outside of the EU.

Where is the data stored?

On our premises and on 3rd party premises in the UK.

We do not use a cloud for storage.

Where will data be hosted and processed by us or those acting on our behalf?

It will be processed by 32 funders, who are all based within the UK, are authorised and regulated by the FCA, and have notifications as a data controller with the ICO. We will be contacting them for clarification on any data taken outside the EU.

Organisation’s security measures we have in place?

Internal/external audit; automated systems monitoring; antivirus software; disaster recovery plan; segmented access control; incident response plans; awareness and training.

How will we notify customers of these third-party processors in order to comply with GDPR?

Through our privacy notices.

Details of our agents and subcontractors currently involved in the processing of personal data provided by you?

Experian, Equifax, Call Credit and our panel of funders.

Data Protection
Do you prepare for regular compliance audits or reviews to identify and fix issues?

Yes, we have a Risk and Compliance Committee.

What processes are in place for data breaches?

We have an internal breaches system open to all staff. We also hold a separate breaches register. Any significant data breach will be escalated to the DPO for investigation with compliance and reported to the ICO where necessary.

What processes are in place for testing, assessing and evaluating the effectiveness of technical and organisation measures for ensuring the security of processing?

Internal and external audits; annual management data assertions.

Have you appointed a Data Protection Officer (DPO)?

Yes, our Chief Operating Officer Lee Streets.

Have all staff received GDPR awareness training?

We are currently producing a GDPR training course for all staff and a workshop for managers.

Have you made preparations for implementing and performing Data Protection Impact Assessments?

These have been completed for each department and will be reviewed annually.

In line with GDPR requirements, including the right to be forgotten and subject data access requests, have we prepared, documented and communicated processes for managing subject data access requests?

Yes, these will be handled, using a defined process, by our complaints department.

The content of this guide is for guidance purposes only and does not constitute any form of advice on which you are entitled to rely. If you are in any way uncertain as to your legal rights then you must take independent legal advice. Evolution Funding Limited accepts no liability or responsibility for any reliance you may place on this guide.