Monday, 23 December 2013

How proposed EU data protection changes could impact your business in 2014

In this two-part post our Head of Information Security and Data Protection, David Rimmer, looks at the major changes proposed in the new EU Data Protection Regulations. We believe that smarter use of richer customer data is at the heart of ensuring fair treatment of consumers in financial arrears – so it’s important that businesses keep up-to-date with proposed changes to ensure that they improve the customer experience and do not breach data protection laws.

In 2014, MEPs will vote on the proposed EU Data Protection Regulation in order to make data protection legislation across the EU much stronger. What practical steps can you take to prepare?


The main benefit to UK business should be the harmonisation of data protection legislation across the EU, replacing the wildly different interpretations of the current EU Data Protection Directive currently in place in different countries. Not only should this make offshore processing, exports and expansion more straightforward, but it should place UK organisations on a level playing field with their continental counterparts in terms of the overall burden of compliance.


The main topic of discussion is undoubtedly the significant increase in potential fines. Initially proposed at the greater of either 2% of the company’s global turnover or €1m, the potential fine has skyrocketed to 5% of global turnover or €100m in the new draft. It’s worth noting that the UK Information Commissioner already has the power to fine organisations up to £500,000, but since being granted this ability in April 2010 the highest fine has been £325,000 – well below the maximum permitted under the current law. This increase is a clear attempt to make data protection and privacy a board-level issue in all organisations.

Cheap will no longer be an option

The increase in potential fines threatens to undermine the cheap and ubiquitous nature of internet-based systems – particularly when combined with another change in the proposed draft, which puts more responsibility (and culpability) on suppliers (data processors). After the regulations come into effect, free or advertising-subsidised cloud-based systems just may not be viable as providers reconsider their business models to take account of the magnitude of fine that could be received should there be a breach of security. Additionally, the geographic scope of the regulations will now expand to include any organisation offering goods or services to consumers (data subjects) in the EU. So, cloud providers, no matter where they are based, will now have to build the costs of complying with the new regulations into their cost model and operating procedures.

New roles

The draft proposal also mandates the appointment of qualified data protection officers for organisations that process more than 5,000 personal records in a year, and requires that the officer reports directly to the company board in order to provide a degree of independence. The officer must also be appointed for a four year term, though this is reduced to two years if an external organisation is used to provide consultancy support in place of an in-house expert.  There is currently no detail of the level of qualification required to fulfil this role, and places on such courses are likely to be in high demand once the requirement is clarified.

How can you prepare?

Though the Regulations are still to be approved, it seems overwhelmingly likely that the changes outlined above are going to arrive in the near future.  In order to prepare, here are some steps that your organisation can take today:
  • Understand what data you hold, where it is stored and how it is protected – ideally document this in an information asset register to allow you to maintain a list of how your data is controlled, used and shared over time
  • Include an assessment of privacy impacts and the concept of ’privacy by design’ in new projects (this will be discussed in more detail in a future post)
  • Review overall compliance with the current Data Protection Act, remembering that security is just one of the eight principles – the ICO website has a useful guide to your obligations
  • Ensure you have an adequate level of data protection expertise available to support your current operation, as well as in planning for transition to future legislative changes - ideally within your organisation to avoid an increase in demand for external consultants as the implementation timeline approaches
  • Review your reliance on free or subsidised cloud services, and ensure that any future changes to pricing based on compliance with the EU law can be built into your operating model
In my next post, I will look at the impact the remaining changes to the law (including the ‘right to be forgotten’, breach notification timelines and the introduction of a data protection certification) will have on businesses.

David Rimmer, Head of Information Security, TDX Group

Thursday, 19 December 2013

The growing voice of the customer – The CFPB complaints database

Continuing our US theme, Chris Smith discusses the growing voice of the customer and the use of the US regulatory body's database.

One of the interesting side effects from the social media revolution of the past three years is the power that social media has given to the consumer and the challenges that this has caused for business. Poor treatment of customers can no longer be swept under the carpet by large corporations claiming it as a small error impacting only a handful of customers. A great example of this would be the challenges faced by Blackberry earlier this year. The organization initially tried to down-play the scale of the issues being faced but the consumer uprising across social media networks quickly highlighted the size of the problem. This just highlights how customer voices in aggregate can now be much louder than the brand itself.

We’ve seen the same trend recently across the debt collection industry where the customer’s voice is now being heard, loud and clear. The CFPB’s latest innovation, their consumer complaints database, has recently released details on the debt collection complaints that have been made since July; this database now contains in excess of 8,000 complaints and is growing at over 200 complaints per week. These directly identify the creditor, debt buyer or collection agency involved and the cause of the complaint; furthermore, this information is now publically available for all, including the regulators themselves, to see.

It is becoming ever- easier for customers to raise complaints direct to regulators, through the existing consumer complaints portal and the upcoming ‘hotline’. As such, we anticipate the volume of high level complaints to grow significantly through 2014, indeed since the release of the database the number of complaints being sent to creditors per week has steadily grown by 5% each week, so doubling every 15 weeks. So, what does the industry need to do in response to this to slow this trend?
We believe that there are two broad strategies that the industry needs to focus on; mitigation and harvesting:

• Mitigating complaints at source can be achieved by putting the customer experience at the forefront of the agenda. This means not only “ensuring adherence to regulation” but analyzing and improving the customer experience at all touch-points within the collections lifecycle.

• Harvesting complaints internally will prevent the escalation of disputes and issues into high level complaints. This means ensuring all disputes are responded to in a timely fashion and even encouraging customers to complain directly to you to enable any challenges to be resolved directly.

One major learning from large corporations’ reaction to the social media explosion is that listening is crucial and can provide far reaching benefits. Given this emerging voice in our industry, we now need to ensure that we are not only listening to regulators, but also listening hard to our customers.

Chris Smith, TDX Group

Wednesday, 11 December 2013

How does technology ensure compliance?

As part of our series on compliance, Patrick O'Neil discusses how technology can ensure compliance.

These days consumers  expect instant access to information, wherever they are. Whether on their desktop or, increasingly, on their smartphone, the answer to any query is only a Google away. This doesn’t generally stop at football scores and celebrity  birthdays, the average consumer has become accustomed to having real-time access to a range of far more useful (if not as interesting) data, such as their bank balance, energy usage and remaining mobile phone minutes, all of which  help them manage their day to day lives.

This doesn’t change once a consumer begins to struggle financially. Understanding, and being able to take advantage of, the technology solutions available in the debt industry provides an opportunity for debt collectors to improve performance and drive a more positive consumer outcome.

Reaching the right person when you contact them, a Right Party Contact (RPC) in industry parlance, is precious and shouldn’t be wasted. We all know that when a consumer raises a query the call can go one of two ways, and a delay in answering queries can risk losing customer engagement and damage the potential call outcome. If it takes a week to provide a copy statement you might never hear from that consumer again! On the other hand, providing the answer to their question, whether through giving the consumer  easy access to the right data, having the data to hand yourself, or by being able to provide actual bills and statements in real time, can make all the difference. Studies have shown an over 10% improvement in cash collections when copy bills are instantly available, and being able to discuss the specifics of the account during the first phone call leads to greater clarity and faster resolution for the consumer.

Consumers expect the person they speak with to have the answers to their questions. Proactively providing this data to the collectors on the front-line should be the norm and be viewed as a performance driving tool, not an afterthought and an operational burden. Doing so will drive the best outcomes for both creditor and consumer.

By Patrick O’Neil, Head of Pre-Sales Consulting, TDX Group

Thursday, 5 December 2013

TDX Graduates: The “Eric the eels” of the debt industry

Having completed my first month as one of the new graduate trainees on the rotational scheme at TDX, I feel like the time is right to write a blog about my experiences to date. After a bit of thought, I felt there was only one thing in my mind that I could write about - being thrown in at the deep end in a fast paced world; immediately learning a lot and contributing to the organisation.

Analogies of Michael Phelps jumped to mind, but at this point I could hardly compare myself to the best in the field. Instead I thought back to the Sydney Olympics in 2000 and a man called Eric Moussambani, better known as Eric the eel, who represented Equatorial Guinea in the 100m freestyle. A man with little experience compared to the others around him, yet given plenty of responsibility, really resonated with me in this instance, as that was me in September.

Fresh out of Swansea University I joined the TDX advisory team, with limited experience. Within days of starting I had been given my first project, where I would take the lead reviewing an internal process with support from other members of the team – whose help was invaluable.  Their friendliness and willingness to help was surprising, especially to someone who had a more stereotypical  impression of what life would be like in a successful and growing business.

Initially my reaction was to question my own ability, and whether I would meet expectations. I won’t lie, the task was hard and I felt some pressure as, at the end of the day, the responsibility fell on my shoulders, but I worked hard at the project and the helpful nature of everyone that I came into contact with meant that I could draw some interesting and helpful conclusions.

As a graduate, this approach of immediate involvement and responsibility has great benefits. I already have an appreciation for how I am supporting the wider business in achieving its goals, and I am developing my skills from day one and learning a great deal.

My key learning from this is that in a fast paced, growing company like TDX everyone is given opportunities and a chance to shine from day one, much like the wildcard draw designed to encourage developing countries without expensive training facilities. Like Eric the eel I surprised myself with the success I achieved. Although his success had a huge element of luck, mine was driven by both hard work and support from a great team.

Ben Dalton, Graduate Trainee, TDX Group.

See more about the Advisory team here.