GDPR – concerning Direct Debit payments.

GDPR adviceData Protection Changes coming via GDPR.

On 28th May 2018, the Data Protection Act – GDPR – is being updated by European legislation known as the General Data Protection Regulation. It essentially governs the permission, storage and use of personal data.

The GDPR applies to any organisation that conducts business within the EU and as we are still part of the EU, this applies to all legal entities from this May. Brexit may change the legislation but until then we feel it is safer to comply with this directive now.

This document discusses GDPR in terms of Direct Debit payment collection only, but the full scope is much wider than this as it relates to any personal information held by a company.


Data Controllers

These will usually be the public-facing entities that data subjects apply their information to. This will be the point at which you collect a customer’s personal details in relation to setting up a Direct Debit. You may collect details via paper, over the phone, online, store it in your own CRM and billing systems as well as entering into an online Direct Debit system.

Data Processors

The organisation which processes personal data on behalf of the data controller.

As the data processor, Direct Debit providers are storing and processing customer payment data that is entered into their systems by you as the data controller, by whatever input method. In some cases, the data controller and data processor will be the same entity. They are also a data controller as they hold your personal data as part of their client relationship.

Data Subject

The regulation defines a data subject as an identified or identifiable natural person. A corporation or other entity cannot be a data subject and information on those subjects has no protection under the regulation. In this case, these are your direct debit customers.

Personal Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.


Processing means any operation or set of operations which is performed on personal data or sets of personal data. Your Direct Debit provider processes the payment data as entered by you and subsequently any return BACS reports.



Article 5 of the GDPR outlines the six principles that should be applied to any collection or processing of personal data.

  1. Stored Personal data must be processed lawfully, fairly and transparently
  2. This Personal data can only be collected for specified, explicit and legitimate purposes
  3. Personal data must be adequate, relevant and limited to what is necessary for processing
  4. Personal data must be accurate and kept up-to-date
  5. Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing
  6. Personal data must be processed in a manner that ensures its security.It’s worth noting that the data controller is responsible for demonstrating this, and they must secure the same assurances from any external data processors with whom they contact.

The six principles above are at the heart of the regulation.


A Data Controller will have to ensure that they secured clear and unambiguous consent from the data subject before processing personal data.

Critically, the controller is not permitted to count ‘silence, pre-ticked boxes or inactivity’ as consent. Furthermore, processing cannot proceed unless the data subject has consented to every processing activity – if you wish to carry out six different actions with the subjects data, for instance, you need to ensure that the subject has consented to all of them.

The regulation notes that consent can be provided electronically using a tick-box although as noted above, the data subject will have to manually tick the boxes themselves.

Consent can also be withdrawn. The data controller must provide a method whereby it is as easy to withdraw consent as to give it.

Retention of Data

Data subjects have the right to be forgotten, at which point the data controller must erase all information held on them. However, under the Direct Debit Guarantee rules, there is a necessity to hold all data indefinitely in case Direct Debit Indemnity Claims are made by individuals. These are currently not time limited.

Records of Data Processing Activities

Article 30 requires every data controller to retain a record of its data processing activities. This record needs to contain a specific set of information such that it is clear what data is being processed, where it is processed, how it is processed and why it is processed.

Data Protection Impact Assessments (DPIA)

Organisations should ensure that a DPIA is part of their risk assessment process regarding personal data, and is in line with the ‘data protection by design and by default’ strategies.

Controller/Processor Contracts

Where a controller contracts with a processor to process personal data, that processor must be able to provide sufficient guarantees to implement appropriate technical and organisational measures that processing will comply with the GDPR and ensure data subjects rights are protected.

Accountability and the Board

Any GDPR breach should go straight into the Directors or Board’s risk register and should remain high on the Board and top management agendas. Any data breaches must be notified to the authorities within 72 hours of the data controller becoming aware of the breach.


Encryption should not just be applied to storage of personal data but also for establishing secure connections when personal data will be transmitted. Secure connections must use encryption of TLS 1.2 or higher as a minimum.

Complying With Regulation

Understanding Your Data

The GDPR deals with existing personal data as well as with how that data is processed, transmitted and stored in future. The first step towards compliance for most organisations will therefore be a data audit, identifying the personal data they already hold, who it has been shared with and where it is now held, and to determine what must be done with that data in order to comply with the GDPR.

We recommend this exercise to map out and is a good starting point for thinking about what data you store, what you do with it and where do you send the data.

This data audit process will necessarily include reviewing existing processes for gathering personal data, ensuring there are clearly identified business and legal grounds for that collection, and ensuring that all regulated processes will comply with the new regulation. Depending on the nature of your business, this could prove to be quite a broad exercise, showing points of egress and ingress when personal data goes out to a processor and then the processed result returns.


There are different documentation requirements for data controllers and data processors, but the onus for the documentation being correct will generally be on the controller, because they are likely to suffer the consequences regardless of who is at fault. If you are a controller with a number of processing functions outsourced it’s worth getting assurances that these functions are appropriately documented.

These can include:

  • Statements of the information you collect and process, and the purpose for processing
  • Records of consent from data subjects or the holder of parental responsibility
  • The records of processing activities under your responsibility
  • Documented processes for protecting personal data – an information security policy, cryptography policy and procedures, etc
  • Appropriate Technical and Organisational Measures
  • Article 24 says that data controllers must implement appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with the regulation.

These measures must include implementing appropriate data protection policies.

Supplier Relationships

The data audits will help you to identify which supplier relationships you have that need to account for the regulation due to the movement of personal data between you.