GDPR Guide for Dealers
What you need to know
General Data Protection Regulation.
25th May 2018.
GDPR replaces the Data Protection Act 1998. This is in response to rapid technological developments which have changed the scale and method of collecting and sharing personal data. There will now be a stronger data protection framework, backed by stronger enforcement powers, aimed at managing the risks associated with large scale data sharing in the online space.
It applies to any business handling the personal data of individuals. The GDPR applies to ‘controllers’ and ‘processors’. A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller.
GDPR applies to ‘personal data’ (such as name, contact details, address) and ‘special categories of personal data’ (such as health information, race or ethnicity, political opinions and sexual orientation).
There are six principles you should follow when collecting and using personal data:
- Collect and use personal information lawfully and fairly.
- Personal information should be collected and used for clear, legitimate purposes.
- The only personal information that should be collected and used is that which is necessary for the purposes for which it was collected.
- Personal information must be accurate and kept up-to-date.
- Personal information should not be kept for longer than is necessary to fulfil the purposes for which it was collected.
- Personal information should be protected from unauthorised use and against accidental loss, destruction or damage.
The individual has nine rights around what can and can’t be done with their personal data:
- The right to be informed – this means you must provide, at the point of collecting the data, a privacy or verbal notice informing the individual of how their personal information will be used.
- The right to access their personal information – this means that the individual has the right to know what information you hold on them, and to request a copy of it. This information must be provided free of charge.
- The right to get inaccurately recorded information corrected.
- The right to erasure – this means that the individual can request that their personal data is deleted from your records, also referred to as ‘the right to be forgotten’.
- The right to restrict how their personal information is used – this means that the individual has the right to object to how you use their personal information, including for direct marketing purposes.
- The right to receive their personal information in a legible and transferable format.
- The right to object to the use of their personal information.
- Rights related to automated decision making including profiling – this means the individual has the right to refuse their personal information being used to make a decision based on an automatic process without human intervention.
- The right to compensation – this means the individual has the right to compensation if you breach GDPR requirements and it results in them suffering any harm.
The Information Commissioner’s Office (ICO). You can find out more about the ICO and its Guide to the General Data Protection Regulation on the ICO website.
If you find that you have breached the GDPR rules, you must inform the ICO within 72 hours.
The ICO can take the following enforcement action after investigating a data breach:
- Issue a warning notice;
- Issue a disapproval notice;
- Order you to notify the affected individuals about the personal data breach; and/or
- Issue you with a fine of up to 20 million euros or up to 4% of your annual turnover.
A personal data breach includes:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission; and
- loss of availability of personal data.
Evolution Funding’s GDPR commitments to our dealer partners
Evolution Funding is currently undertaking a company-wide project on GDPR to ensure that we are ready for the changes in 2018. The answers below reflect our current position on a number of key areas identified in GDPR.
This will be updated as we move through this project. If there is anything else you require clarification on, please contact your account manager.
Our 3rd party funders; the FCA; collection agencies and enforcement agencies; 3rd party IT providers and credit reference agencies.
Currently under review. Existing notices are displayed on our website and are due to be updated before May 2018.
This will be in place by the end of May 2018.
Periodic updates will be made and communicated in your Dealer Operating Agreement.
It may sometimes be necessary to transfer personal information overseas. When this is required, information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of GDPR.
Data/systems can be accessed outside of the EU.
On our premises and on 3rd party premises in the UK.
We do not use a cloud for storage.
It will be processed by 32 funders, who are all based within the UK, are authorised and regulated by the FCA, and have notifications as a data controller with the ICO. We will be contacting them for clarification on any data taken outside the EU.
Internal/external audit; automated systems monitoring; antivirus software; disaster recovery plan; segmented access control; incident response plans; awareness and training.
Through our privacy notices.
Experian, Equifax, Call Credit and our panel of funders.
Yes, we have a Risk and Compliance Committee.
We have an internal breaches system open to all staff. We also hold a separate breaches register. Any significant data breach will be escalated to the DPO for investigation with compliance and reported to the ICO where necessary.
Internal and external audits; annual management data assertions.
Yes, our Chief Operating Officer, Lee Streets.
We are currently producing a GDPR training course for all staff and a workshop for managers.
These have been completed for each department and will be reviewed annually.
Yes, these will be handled, using a defined process, by our complaints department.
The content of this guide is for guidance purposes only and does not constitute any form of advice on which you are entitled to rely. If you are in any way uncertain as to your legal rights then you must take independent legal advice. Evolution Funding Limited accepts no liability or responsibility for any reliance you may place on this guide.