In this third blog in the series about data and privacy, I talk about fraud prevention and credit scoring. Even if you use data for fraud prevention and credit scoring, you have to deal with the privacy of consumers, and therefore with the new European legislation (GDPR). What do you need to know as a credit manager?
What is changing?
First, it is good to know that not much will change for fraud prevention and credit scoring. Companies were already bound to the code of conduct of the NHV, in which many of the same rules are included. The GDPR does make this code of conduct more explicit. This means that companies not only need to meet the requirements, but also need to document and demonstrate this. If not, large fines can be imposed.
I briefly explain what exactly is expected of you as a credit manager in order to ensure the privacy of consumers and avoid fines.
Basis for collecting personal data
Legally, everything starts with the legitimacy of the purpose for which you collect and process personal data. This applies to all processing of personal data, whether it comes from public sources or your own system. With every processing operation, you need to ask yourself: why does the interest of your organisation (protection against payment risks and fraud) weigh heavier than the privacy of the person in question? You need to be able to justify this to the Dutch Data Protection Authority (AP). After all, the AP is more lenient with fraud prevention and payment risk purposes than with marketing purposes.
Permission from consumers
The new law requires you to ask consumers for permission to collect and process their data, and to do so in a clear and explicit way. This means that a tenant for whom you perform a background check must actively agree to this. Not in the small print, but actively, and they need to be aware of what you are doing with that data and how long you will use it for. Naturally, they can also refuse.
Accessing, correcting and deleting data
The consumer must also have the right to access, change, and remove their data, and you must be able to transfer it. This means that as a company, you need to know where that data comes from and be able to retrieve it from your system and show it to the consumer at any time.
Documentation obligation
Finally, the law has been made stricter in terms of the documentation obligation for companies. You are required to accurately keep track of what you do with that data and where it comes from. You may not store that data for longer than necessary for the purpose you are using it for and you must be able to demonstrate that.
What does Matrixian Group do?
Matrixian Group collects all data from public sources. We do not purchase data from other parties. We document exactly what we do with the data and where it comes from. We also conclude the required agreements with the parties for whom we process data on a large scale.
So in essence, not much will change for credit managers when the GDPR takes effect on 25 May. As long as you have a good privacy policy and document this properly, you are safe when the Dutch Data Protection Authority comes knocking.