Exus Blog Article
All about data: What global data regulations mean for debt collections processes
Since the General Data Protection Regulation (GDPR) came into force across Europe, data security has become a hotter topic than ever. The biggest data breaches of 2018 so far have involved millions of users - and some of them have displayed startling negligence. FedEx, for example, stored customer data on an Amazon A3 bucket that was fully accessible to the public, compromising thousands of scanned documents.
GDPR exists to make businesses think about data and how they’re handling it. The goal is to standardize best practices in data handling across a wide territory with dozens of different protocols, standards, regulations, and penalties - on paper, it improves data security for customers, and makes data processing easier for banks by providing one set of universal standards for the European territory.
Outside the EU, however, complying with data protection laws is a more delicate business, meaning that international operations - including global debt collection - need a broader awareness of legal responsibilities.
Requirements: governance and technical
Most coverage of GDPR has emphasized the governance aspect of the new regulations: the policies, processes, and documentation, the appointment of data protection officers, and the retraining of personnel to ensure compliance by increasing awareness.
The technical requirements of GDPR have often been sidelined, but businesses that outsource or commission IT services cannot afford to ignore these requirements. It is critical that businesses and institutions select IT providers who are themselves fully compliant with GDPR and similar legislation.
IT developers are required to “put technical and organizational measures such as pseudonymization in place to minimize personal data processing”, and design systems that do not demand any unnecessary data. If a customer’s date of birth is not necessary to do business with them, there is no justification for recording it. Debt collection systems are primarily concerned with accounts, contact details, payment, and scheduling; other demographic data is arguably not something that should even be recorded.
Debt collectors with a court order on their side, or who are in pursuit of an uncontested debt, can contact their debtors at reasonable intervals. However, their legitimate interest and legal obligation rights exist in tension with the rights of data subjects, who can ask for access to a copy of their data, and for their data to be ‘forgotten’ when no longer relevant.
A particular problem emerges around the issue of consent. If a customer has taken out a loan and shared their personal data with the loan provider, who then passes it on to a debt collection agency, there is room for the customer to contest that they did not consent to this use of their data. Banks and other loan providers will have to be careful, ensuring that they secure specific consent for data to be passed to third parties where necessary.
Data protection outside Europe
Latin America
Chilean lawmakers have explicitly modeled their new data protection legislation on the European regulatory standards, drawing on the expertise of the Spanish Personal Data Protection Agency. It’s expected that, within the next year, a GDPR-compliant system will be perfectly adequate within Chile.
GDPR also goes further than is required by Colombian and Peruvian laws. The former country does not include the right to be forgotten or the appointment of data protection officers; the latter is still introducing a sanctioning regime. However, the technical standards are otherwise similar.
Mexico has strong economic ties to Spain and the broader EU, with significant EU investment and ownership in its businesses. Although there is no specific extension of Mexican data protection legislation, a significant minority of Mexican businesses will expect GDPR standards to be upheld.
South East Asia
Only three of the ten Association of South East Asian Nations (ASEAN) countries have comprehensive data protection laws: the Philippines, Malaysia, and Singapore. These laws have only been actively implemented for a handful of years, and mostly address the roles of governmental or educational institutions - not banks.
Two countries (Indonesia and Thailand) currently have specific data protection legislation in the draft. Another four (Brunei, Laos, Vietnam, and Myanmar) grant privacy rights to their citizens, in a framework that chiefly focuses on state power and correspondence interception.
Across the ASEAN as a whole, the 2016 Framework on Personal Data Protection provides a basis for speculating about the future. The Framework specifies the need for ‘strengthening personal data protection with a view to the promotion and growth of trade’, suggesting that the role of financial institutions could be built into future ASEAN legislation. In the meantime, debt collectors in South East Asia will have to lead by example, complying with the more advanced EU regulations and demonstrating good practices for debt recovery in the region.
North America
Canadian data protection laws are similar to the European Union’s. The Personal Information Protection and Electronic Documents Act applies to private sector organizations that conduct business in most Canadian territories, with substantially similar legislation applying in the remainder. Further legislation applies via the Bank Act, which does not necessarily supersede PIPEDA or its equivalents.
Meanwhile, in the USA, data protection legislation mostly applies at the state level, with federal legislation described by the Council on Foreign Relations as ‘piecemeal’. Privacy and security concerns are addressed via industry regulation, enforced by the Federal Trade Commission - a body with limited jurisdiction over banks and their associated organizations.
The Financial Services Modernisation Act regulates the collection, use, and disclosure of personal financial data. It obliges banks and their partner organizations to provide notice of their privacy practices and an opportunity for data subjects to opt-out of having their information shared. Three further regulations and industry-imposed standards apply to the protection and disposal of financial data.
Outside the newly-standardized EU environment, data protection regulations are a quagmire of distinctions, incompatibilities, and uncertainties. GDPR is part of an overall drift toward customer-first legislation that defines data protection in terms of how individuals should be treated, but so far the EU is ahead of the game. Best practice for debt collection already comes from a customer-first perspective - which means compliance with GDPR puts the industry in a solid position for operations elsewhere in the world.