The National Association of Commercial Finance Brokers (NACFB) has issued a joint statement with the Finance & Leasing Association (FLA) outlining a unified interpretation of how the broking process is impacted by the General Data Protection Regulation (GDPR).
The statement, from two of the largest and most established trade bodies operating in the commercial finance sector, confirms a consistent and allied interpretation of the GDPR, specifically on the implementation and use of Privacy Notices.
The joint statement has been arrived at after consulting members, lenders and the regulator and forms part of ongoing efforts by both Associations to safeguard all Members’ interests.
GDPR Statement for Funders and Brokers
This statement has been prepared as guidance for brokers to consider when they act as a finance intermediary. This statement does not constitute legal advice and is intended to inform rather than replace any implementation plans you have in place based on your interpretation of the regulation. If you require clarification in relation to any matters referred to in this document we recommend you seek independent legal advice.
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. Firms which are already complying properly with the current data protection legislation will be largely compliant with the new Regulation. The GDPR does, however, place greater emphasis on the documentation that controllers must keep to demonstrate their accountability.
While the GDPR does permit privacy notices to refer to ‘categories’ of recipients of the individual’s information, rather than necessarily named recipients, this possibility has to be considered alongside the Regulation’s overall requirement that information be handled fairly and transparently. This is a high bar.
Consistent with this, the ICO’s view is therefore that the most practical solution is for the intermediary’s privacy notice to summarise the key points that appear in finance providers’ privacy notices and explain why the individual’s information is being passed to finance providers, with individuals then being directed to finance providers’ websites where their own privacy notices can be read.
The inclusion of links to finance providers’ information is, however, not mandatory and it is for firms to consider the most appropriate approach for their organisations and customers.
Please note that the intermediary’s privacy notice should be provided to the individual at the time you obtain their data from them.
It should be remembered that some individuals may not have access to, or be able to use, digital sources. Intermediaries should therefore ensure that such individuals are able to access the privacy information by alternative means, for example by telephone or verbally: see the ICO’s guidance on how to deliver privacy notices for further information on this. It should also be remembered that, if the individual’s data is going to be handled differently in some way, then this should be clearly explained to them. In some cases, lenders may ask intermediaries to have copies of certain information available, should a customer need a paper copy. One example is the Credit Reference Agency Information Notice (CRAIN). Lenders will let intermediaries know where this is the case.