With the adoption of the General Data Protection Regulation (GDPR) in Spring 2017 one of the longest legislative processes in EU history finally came to an end. Actually, “end” is not the right word! Even though FENCA was heavily engaged in lobbying and preparation throughout the GDPR negotiations, for FENCA just as for the whole debt collection industry, the adoption of GDPR by EU authorities marked just the beginning of the next and most difficult stage of a journey. The debt collection sector and supervising authorities need to understand and define how GDPR would be implemented and monitored in our industry. And time presses: GDPR will apply from 25 May 2018.
Before that date, debt collection agencies and debt buyers need to review their data protection policies and internal processes to ensure that these are consistent with the new principles of GDPR. However, in common with many other sectors, GDPR does not specifically mention our issues.
To help our Members and to assist the debt collection industry on the journey to compliance with GDPR, FENCA has been working towards creating a Code of Conduct (CoC) for Data Protection across Europe in the past months.
What is the CoC about?
In general, FENCA welcomes the EU’s approach to harmonizing the data protection rules in Europe. FENCA especially supports the objectives to protect the consumer, facilitate cross-border transactions and to create standards which have an impact on worldwide data transfer activities.
However, GDPR gave rise to serious legal and operational uncertainties in the debt collection industry. In many discussions with its member associations and affiliated debt collection firms, FENCA noticed that GDPR’s abstract requirements are a major challenge for the industry.
To solve this problem and to make it easier for its members to be compliant with GDPR, FENCA is working to break down the abstract provisions of GDPR for the debt collection industry.
This means that FENCA’s Code of Conduct will define which abstract legal term of GDPR is related to which concrete business process in the daily business of a debt collection agency or buyer. On the one hand the Code of Conduct can be understood as a manual for debt collectors on how to be compliant with GDPR. On the other hand it will help the supervising authorities to better understand the business processes in debt collection.
Is the Code of Conduct just self-regulation or is there a legal basis?
FENCA’s Code of Conduct is a piece of self-regulation on a legal basis. Article 40 of the GDPR encourages different industries to develop their own Codes of Conduct, facilitating a sector-specific implementation of GDPR. FENCA’s initiative on a Code of Conduct for the collection industry was welcomed by the EU Commissioner V?ra Jourovà herself. Moreover, FENCA was promised full support from the relevant EU officials.
How will the Code of Conduct influence the work of those in debt collection?
FENCA’s Code of Conduct will make it easier for debt collectors to assess their compliance with GDPR and thereby reduce the risk of fines in case of incorrect assessment which might be up to 4 % of the company’s annual world-wide turnover or a maximum €10 Million.
The Code of Conduct does not implement a legal framework in addition to GDPR. It interprets GDPR for data-related processes in debt collection. This means there are no additional rules. The Code just makes it easier to be compliant with the existing rules.
Who is affected and what is the benefit for debt collection?
Basically every debt collector is affected by GDPR, even those outside the EU who are processing data of EU data subjects.
GDPR will affect every industry by setting the bar for how organisations look after the personal data of customers, staff and others.
Every debt collector knows the importance of data in the industry. Collections are vitally reliant on digital or electronic interaction and the related data to organize and guide business processes. Data is the key driver of efficiency: it increased the accessibility of credit, brought down costs and enhanced interactions with the customer.
GDPR makes it necessary to review each and every business process in any way related to data. FENCA’s Code of Conduct can make this review process easier for every debt collection business. The Code of Conduct will provide specific instructions on how to implement the GDPR in any collection agency or debt buyer.
Furthermore, the Code of Conduct ensures that every regulator and every supervising authority in the EU has an understanding about debt collection and the related processes and business practices. After final approval of the Code of Conduct by the European Data Protection Board, which can only take place after 25th May 2018 when the EDPB comes into being, debt collection firms which are compliant with the concrete Code of Conduct will also be deemed compliant with GDPR. In effect, the Code of Conduct then becomes a legally binding interpretation of the GDPR. Legally binding for debt collection firms AND for supervising authorities on every level.
While GDPR is affecting you, the Code of Conduct will reduce the possible negative effects.
The Code will need to be monitored, and we are already looking at the options to achieve acceptable oversight solutions.
What is the work plan and what is the schedule?
The Code of Conduct will be established in 6 steps.
1st Step: Establishing the Factual Basis | Developing the European Standard Business Practices (ESBP) | April – October 2017
At the first stage FENCA cooperated with its member associations to formulate and agree common European Standard Business Processes (ESBPs). The outcome was a flowchart defining how personal data is processed by debt collection agencies and buyers in Europe, and how such data is used throughout the collections process.
2nd Step: Legal analysis of European Standard Business Processes | October – November 2017
FENCA brought together the ESBPs and the abstract provisions of GDPR and sought to identify legal findings, especially the GDPR’s weak points for debt collection businesses and the key points of interpretation for the industry.
At this stage, FENCA also decided to make the questionnaire an online version, so as to minimize the efforts of members in completing the forms.
3rd Step: Reality check for legal findings | Questionnaire | January – Februrary 2018
Legal findings from Step 2 were addressed in a detailed questionnaire. The purpose of this questionnaire is to define every step of the data relevant parts of the collection process for each country, and to go into detail on the basis of processing and usage of data at each of the ten stages.
4th Step: Draft “mock-up“ version of FENCA Data Protection Code of Conduct | March – April 2018
FENCA lawyer, Dr. Gero Ziegenhorn, will produce a first draft of the Code. Due to the timings of producing the online questionnaire, the draft will still be partial by the April meeting.
5th Step: Reality check for “mock-up“ version |April 2018
Together with its members FENCA will scrutinize the “mock-up” version of the Code of Conduct. The final version will be formulated and will be accepted by the FENCA members.
6th Step: Formal Code of Conduct adoption procedure under GDPR (Art 40) | From May 2018
This step entails the direct communication and negotiation with a national Data Protection Agency, the European Data Protection Board, the European Commission (possibly), Consumer Organisations, and the Cabinet of Commissioner Jurova. The process for EU adoption is not yet known, but will be put in place hopefully soon after 25th May.
How can we contribute?
The FENCA Code of Conduct will be prepared by FENCA itself (FENCA steering Committee Leigh Berkley, Andreas Buker and Erwin Falkner), the Association’s Lawyer, Dr. Gero Ziegenhorn, the FENCA Board and the national member associations.
There is also a FENCA GDPR working party consisting of practitioner representatives from affiliate member firms including EOS, Intrum, Cabot, Lowell, Arrow, and Avarto. This working party has met to discuss detailed aspects of the CoC, and has assisted in completing the online questionnaire for those jurisdictions where there is no Association to complete it. The working party will continue to assist in finalization of the Code, and we would like to thanks them sincerely for their help and support so far.
Debt collection businesses have different ways to contribute. The most obvious way is by becoming part of one of FENCA’s national member associations. It is up to the national associations to ensure broad participation of their members in the formulation of the CoC, and some have their own GDPR working groups.