On 14 April 2016, the General Data Protection Regulation (GDPR*) has been approved by the European Union Parliament.
The GDPR (General Data Protection Regulation) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organisations who collect or process personal data.
The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.
The enforcement of the new regulation will take place on 25 May 2018 - at which time organizations in non-compliance will face heavy fines.
Firms in the C&R industry and their operational systems handle and process sensitive data that are subject to the regulatory framework of E.U. To secure GDPR compliance, C&R systems must focus on these 5 pillars.
1. Data Transfers to 3rd Parties
In terms of Data Transfers towards 3rd Parties, GDPR requires the utilization of Secured Protocols for Data Exchange. The Regulation dictates that 3rd Parties are forbidden to receive sensitive data in specific cases. E.U. regulation highlights that password policies and authorisations must be monitored under a strict framework.
2. Customer Consent
Customer Consent is one of the significant pillars of GDPR, since a client’s consent must be received through communication scripts for standard and clear approach. The Regulation requires a DPA form with information that verifies that the correct person was contacted by the user.
The upcoming European Regulation requires that C&R systems include the tools to configure, maintain and display a detailed audit trail of database changes down to table field level. In case of sensitive operation a 4th audit trail is required in order to identify and monitor users who search and view personal data.
4. Data Pseudonymization
Since consumers have the right to be removed from the records of companies they have previously authorized to collect and store their data, C&R firms must operate systems that are able to pseudonymise case level information regarding activities linked to a case, memos and attachments, after the case is closed.
Furthermore debt management systems must support pseudonymising functionalities on customer level information like personal identification information (PII), addresses, contacts, memos, phones, after all customer cases are closed.
5. Access Controls
The 5th pillar that firms with C&R systems must consider for GDPR compliance is the complexity of access controls and monitoring. A compliant system must have granular password policies (Password complexity, Change Time, Encryption). System access must be monitored (login & logout operations). In addition the system must support a role based management and privileges which controls the actions and operations on customer static and transactional information.
Control Areas management must ensure data visibility to personnel according to their operational jurisdiction. All web applications of the collections system must operate under encryption for information exchange with the database (https protocol). To fully cover this 5th pillar, systems must support configurable workflows for personal data modification ensuring that even users with change rights shall not change information improperly.
*Interested in examining GDPR in depth. Read more, here.