A European Union regulation, set to take effect in May of 2018, has business implications for American companies as well -- including debt collectors.
The GDPR -- General Data Protection Regulation -- seeks stronger consumer data protection, with the aim of giving people control over the personal data used by companies.
If you are about to stop reading because you aren't located in Europe and assume this has no bearing on your America-based business, stick with me a little longer.
The regulation covers residents of the European Union, not just citizens. For example, an American from Iowa could be living in Norway for an established period of time as a resident. If that Iowan has credit card debt that you are attempting to collect, you are now under the auspices of the GDPR. It also, of course, covers citizens of the EU who might be residing in the United States. For example, a Norwegian citizen could be living in Iowa.
Predominantly, it covers consumers, and failing to comply with the GDPR can expose your agency to compliance risks.
- GDPR establishes hefty fines for non-compliance.
- The regulation imposes detailed and demanding breach notification requirements.
- GDPR tightens the definition of consent. (Silence, pre-checked boxes, or inactivity no longer constitute consent.)
- The new regulation takes a broad view of what constitutes personal data.
- GDPR codifies a right to be forgotten -- consumers can ask you to delete all of their personal information from your site.
- GDPR gives data subjects the right to receive data in a common format.
- The regulation distinguishes between data controllers and data processors. (Controllers are liable for the actions of the processors they choose.)
- GDPR increases parental consent requirements for children under 16.
The full text of the GDPR can be found here: Regulation (EU) 2016/679 / GDPR