Direct Debit and GDPR – what are the implications?

Data protection is one of the key themes of the 21st century. There is so much information about us as individuals, held in different formats and by different businesses and organisations, that it is no wonder we have rules in place to protect it.

In May 2018, the General Data Protection Regulation comes into force. GDPR, as it’s referred to, introduces new, tougher, rules about how organisations can store and use personal data – so how will it affect organisations and what are the key changes from a Direct Debit point of view?

Why has GDPR been introduced?

GDPR is an EU regulation, introduced to tighten up data protection across the EU. Any organisation within the EU controlling or processing data will have to comply with it. While the UK is set to leave the EU in 2019, organisations in the UK need to be compliant from 25^th May 2018, so Brexit is not an excuse to do nothing. Even after the UK has left the EU, any organisation which might be handling data relating to an EU citizen will need to comply with GDPR.

Who does GDPR apply to?

Organisations that control and process personal data will have to comply with GDPR. Controllers are in charge of the information in their possession and how it is processed. Processors carry out the processing on behalf of a controller. Organisations can be both controller and processor. If you are a controller, and another organisation – such as a Direct Debit Bureau – carries out processing on your behalf, you, as the controller, have additional responsibilities to make sure your contracts with your processors are also GDPR-compliant.

Direct Debit – who is the controller and who is the processor?

In the context of Direct Debit and GDPR, the organisations collecting data on Direct Debit Instructions are data controllers and each will need to be compliant as a data controller with the new GDPR regime. If you use a Direct Debit Bureau, such as us here at Clear Direct Debit, the bureau will be a data processor.

Data controllers will have to make sure not only that their own processes are compliant but that the data processors are also compliant. Data processors have their own rules to comply with – for example, keeping records of data processing activities – and responsibilities if there is a breach.

What about passing data to processors?

“Data” includes a wide range of information and could include bank details in certain circumstances. In the context of a Direct Debit, the information will be passed from the Service User – the data controller – to the bank via Bacs. This is to enable the fulfilment of the contract that the customer has entered into with the Service User. It’s going to be as important as ever to ensure that you follow good data protection principles as far as holding and storing data are concerned.

If you use a Direct Debit Bureau, make sure you are only passing relevant and necessary information on to the Bureau. In addition, a data controller should ensure that data passed to the bureau is done in a secure way so that the data is not exposed or vulnerable. GDPR and collecting Direct Debits are closely linked.

What about keeping data up to date?

Under GDPR, as is currently the case, organisations are urged to ensure that the data they hold is kept up-to-date and accurate. With regard to Direct Debits, your Bacs reports, such as the ADDACS report, will help you do this and, as per the Bacs rules, these reports should be actioned in a timely manner.

What else do data controllers need to know about?

The GDPR is designed to give individuals far more control over the data that is held about them by organisations. Businesses will no longer be able to charge individuals for a subject access request. Individuals will have the right to see what is being held about them and to have inaccuracies in the data corrected. Crucially, the process for an individual to withdraw their consent to data being processed (for example, for marketing purposes) has been simplified, too.

Direct Debit and GDPR – does it really matter?

The GDPR is a big deal – if only because of the size of the penalties that can now be imposed by organisations that don’t comply. There are 2 levels of fine, depending on the type of infringement – but even the lowest level can be the higher of either 10 million euros or 2% of an organisation’s worldwide annual revenue.

The higher level is the higher of €20 million or 4% of the worldwide annual revenue of the prior financial year. In addition to the penalties, the GDPR imposes stricter rules on organisations about how they handle breaches, including a 72-hour limit on analysing the damage caused by a breach before making a public statement.

Ultimately, the GDPR is about taking a responsible approach to the collection, storage and processing of personal information. If you make sure you use a responsible Direct Debit Bureau which in turn takes its data protection responsibilities seriously and takes a careful approach to pass information securely, you will be well on the way to complying with GDPR.

GDPR is happening and all organisations in the UK need to be ready for it – whether you’re a business, a charity or a membership organisation or club. As experts in Direct Debit, we can advise you on complying with the Bacs Scheme rules. We can also ensure that, as your Bacs Approved Direct Debit Bureau, you will have a secure channel to upload data to us. For more general issues around GDPR compliance, you should get in touch with a data protection expert; otherwise, to talk through any Bacs-related issues, get in touch.