23/10/2020 Credit management
Christian Steiner

Limits, scores and now also data protection in credit management?

May 25th was a special date this year: There has rarely ever been so much attention on a new law as in the case of the new basic data protection regulation (DS-GVO). One reason for this is certainly also the threat of high fines for breaching the new regulations.

The credit management of a company also had to and still has to demand the question to what extent the new regulations affect their own processes and the handling of personal data. With this blog post we would like to give food for thought in which areas and in the handling of which data the new regulations could lead to a need for action.

Scope and application of the DS-GVO.

In principle, the DS-GVO affects all processing and use of personal data of natural persons who are resident or “staying” in the EU, e.g. on holiday. Personal data is information relating to an identified or identifiable natural person. Obvious personal data is information such as name, address, place of birth – less obvious personal data is information such as a customer number, financial status or transaction number.

In credit management, the following data records in particular must be viewed critically:

  • Data from B2C debtors
  • Data of debtor contact persons
  • Data of debtor managing directors / managers
  • Personal information data

Step by step implementation of the DS-GVO in Credit Management.

Below are some tips that you should take into account when implementing the requirements set out in the DS-GVO. Important: This is not a checklist that can be worked through 1:1. In any case, please consult your data protection officer to clarify which individual requirements must be observed for your company.

Step 1: As-is analysis

  • Check at which points in your company personal data is collected, processed and used.
  • Analyse in which IT systems the data is collected and whether it is processed automatically.
  • Are the IT systems registered in the directory of procedures?
  • Do you have service providers who process data for you (for example SaaS solutions)? Where are these service providers based? Have you concluded a contract with them for order processing?
  • Carry out a risk assessment: Are there any risks for the data of natural persons?
  • Do you have a data protection management system in place to ensure and document security in the processing of personal data?
  • Can you meet the notification deadlines in the event of a breach of the DS Block Exemption Regulation?
  • Are your employees aware of the rights and obligations arising from the DS-GVO and how they should handle personal data?
  • Check the existing data protection declarations to employees, customers and business partners.
  • As part of the analysis of the current situation, document any potential for optimisation or issues where you are uncertain about conformity.

Step 2: Analysis of the potential of optimisation

  • Look at the documentation from step 1: In what areas is a need for action? What measures do you take to achieve data protection conformity?
  • Think about the time frame, budget and prioritisation of the necessary measures.
  • Appoint a project manager to drive the implementation.

Step 3: Implementation of the measures with the aim of DS-GVO conformity

  • Customise your privacy policy.
  • Encrypt your data.
  • Create new authorisation concepts in the IT landscape.
  • Adapt your credit management processes.
  • Train your employees.

Basically, you should check which data is really needed and in what form it is used in the company. A company must take appropriate technical and organisational measures both at the time of determining the means for processing and at the time of processing.

We, as a software provider, also addressed this issue at an early stage and offer our customers new features that make it easier for them to comply with the new regulations.