- 7 min
General Data Protection Regulation: A major commitment to our customers
Protective measures for personal data did exist before GDPR. In France, the 1978 Data Protection Act (loi Informatique et Libertés) provided a legal framework for collecting, processing and storing it, as did a European directive which was issued in 1995 and revised in 2004. But new technology, which allows for increasingly large volumes of data (known as Big Data) to be collected and processed, is highlighting the need for a greater level of privacy protection.
Put to a vote in the European Parliament in May 2016, GDPR sets out new rules to create greater transparency and more trust in the face of a new digital reality.
New rights for the people
The right to information and the right of access to data have been consolidated. Companies which collect your data must clearly and comprehensibly specify what they intend to use it for, and why. “GDPR goes even further by establishing the right to data portability: anyone can ask to have data that they have provided about themselves returned to them in a format that is easily recoverable, so that they may transfer it to another service provider,” says Edwige Deligné, Data Protection Officer at CA Consumer Finance.
The right to erase data has also been strengthened by GDPR, allowing people to ask for their personal data to be deleted. You can also exercise your right to rectification on your own data, your right to restriction of processing, or your right to object at any time, so that - for example - your personal data may not be used for prospecting purposes.
GDPR also makes it possible for people to take legal action against corporations in relation to data protection.
New obligations for companies
With GDPR, companies now only have one month, instead of two, to respond to individuals’ requests regarding their personal data. They will need to keep an internal log of the processes carried out, incorporate privacy protection into their products and services right from the design phase (privacy by design) and implement all necessary measures to ensure that data is secure (privacy by default). Finally, GDPR requires companies that engage in large-scale data processing to name a Data Protection Officer (DPO). Their role is to ensure that companies comply with all regulations relating to the protection of personal data.
CA Consumer Finance: Committed to data protection
The issue of protecting personal data is not a new one for CA Consumer Finance. The culture at Crédit Agricole has always been to apply confidentiality rules, and the Group has also had a Personal Data Usage Charter in place since January 2017, to which CA Consumer Finance made significant contributions. “It is based around the firm belief that the use of data is only legitimate when it is in the interests of our customers. We have always been especially vigilant and cautious in this regard, for example with access to personal data being strictly limited to those with the required authorisation,” says Laureline Serieys, Chief Digital Officer at CA Consumer Finance.
On a wider scale, CA Consumer Finance is undergoing a digital transformation where the idea of trust is central to its strategy. For Christophe Grave, Deputy CEO and Head of Risk and Permanent Control, “to build trust we must use the personal data that is given to us properly. In other words, we must use it sensibly and wisely to better serve our customers. For example, to offer vehicle finance solely to people who are about to buy a car, instead of sending bulk emails which could be seen as invasive. To put it another way, making the right offer to the right person at the right time. Using data effectively, also means being able to make our customers’ buying experiences simpler and smoother: if a prospective customer’s data indicates a good credit rating, we can simplify the process and ask them for fewer supporting documents”.
From this point of view, CA Consumer Finance views GDPR as a tool with which to strengthen consumers’ trust in them. In order to comply with the new regulation, a dedicated programme was launched at the start of 2017. “It is structured around 13 projects which each focus on a different aspect of the regulation. This includes informing our current and prospective customers of their rights and how we use their data, as well as putting easily-accessible communication channels in place so that they may exercise these rights for as long as our business relationship lasts,” explains Philippe Genon-Catalot, who oversees the programme. In concrete terms, forms will be provided for customers to access in their online area, which they will be able to use to make requests regarding their own personal data. All brochures, contractual documents, legal notices, etc. will be updated, and new clauses added regarding the processing of personal data. These will be written using clear, simple language. In addition to these public developments, CA Consumer Finance is doing important work behind the scenes to ensure the relevance, accuracy, consistency, traceability and security of data. “That’s the hidden part of the iceberg! In addition to giving consumers back control over their data, we also need to make sure our internal structure means that we use the right data for the right reasons, to bring real added value to our customers. The goal is to make ourselves a trusted third party,” concludes Serieys.
What is personal data?
Personal data is all the information which may be used to identify a person: from the most common (surname, first name, address, email address, social security number, etc.) to the most sensitive (medical information, sexual orientation, religious beliefs, ethnicity, etc.), as well as the information which companies such as CA Consumer Finance use for work (or in other words, to provide loans to its customers): income, monthly outgoings, employers’ names, etc. GDPR applies to any organisation which processes personal data, whether it belongs to their current customers, prospective customers, users, employees, or anyone else. It therefore has an extremely wide scope.