How online finance companies can be GDPR compliant

The General Data Protection Regulation (GDPR) applies from 25 May 2018 and will have a profound impact on how companies operating in the EU store and handle personal data.

Websites that offer loans and insurance products need to adjust their marketing strategy and processes accordingly so that they are GDPR compliant and can still grow their business. Below we discuss the main things that online finance companies can do to ‘tick the boxes.’

Email marketing

Ahead of the GDPR start date, many website owners are emailing their databases to ask whether customers wish to continue receiving email newsletters. Strictly, re-permissioning is only needed where the existing consent does not meet the GDPR standard (freely given, specific, informed and unambiguous), but most marketing lists were built on pre-ticked boxes or consent buried in terms and conditions, which does not count. Anyone who does not respond has not given valid consent and must be dropped from the list, which has been well received by those looking to get rid of pesky emails. The result, however, is that many website owners will lose most of their databases practically overnight.

Moving forward, all websites, including loan and insurance providers, must have a clear opt-in for email marketing and only send newsletters to those who have accepted. Whilst this has always been the rule, the policing of it has been lenient.

Now, with GDPR in force, companies that continue to send marketing emails to people who have not opted in face much heavier fines than before. The previous UK cap was £500,000; under GDPR the maximum is 20 million euros or 4% of worldwide annual turnover, whichever is higher.

Capture forms vs comparison tables

For online lead generators and broker sites, data capture forms carry more risk under GDPR than they used to. A capture form is typically used to request a call-back or offer a personal quote, and usually asks the customer for basic details such as name, email address and phone number.

To be GDPR compliant there must be a clear tick box, and the customer should understand exactly what will happen once they submit their details. A clear thank you page reinforces this, e.g. ‘your enquiry will now be redirected to **this company**’ or ‘thank you for your details, you will now receive a phone call from our team.’

If your website uses comparison tables instead, compliance is much simpler because the table itself collects no personal data. This is the approach of websites such as Payday Bad Credit. Note that the site still processes personal data if it sets tracking cookies, logs IP addresses or passes click identifiers to the lender, so its privacy policy must cover that.

It follows the GDPR philosophy because the website is not taking in application data and the customer knows exactly where they are going. Once the customer has clicked through to the lender or insurer of their choice, it is down to that provider to fulfil all of the requirements above.

Tick box

If you are asking for customer details, whether through a contact form or an application, there needs to be a clear tick box at the end. The box must not be pre-ticked: the user must actively opt in. Under GDPR, silence, inactivity or a pre-ticked box do not amount to consent.

Your intentions with the customer need to be transparent, whether that is sending future marketing promotions, arranging a call back or emailing the next step of the loan or insurance application. If you want consent for more than one purpose (say a call back and future marketing), use a separate box for each; consent bundled into a single tick is not freely given. There should also be a clear link to the privacy policy or terms and conditions (sometimes both) next to the tick box.

The purpose of the regulation is that it must be clear to the user what you are going to do with their information. A visitor should not fill in their details and be left uncertain of the next step; they should know exactly what to expect.
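As an added example (not code from the original article), the following JavaScript shows the server-side checks that sit behind an opt-in tick box: browsers omit unchecked boxes from a submission entirely, so a missing field must be read as ‘not consented’; each purpose gets its own box; the enquiry is only processed for the purposes actually ticked; and a consent record is kept with the exact wording and policy version, so the controller can later demonstrate what was agreed. A small template lint catches a consent box shipped with the `checked` attribute. Field names, purposes and the policy version tag are assumptions.

```javascript
// Added example, not from the original article. Field names (consent_*),
// the purposes and the policy version tag are assumed.

// One tick box per purpose; bundling them into one box is not valid consent.
const PURPOSES = ["callback", "newsletter"];
const PRIVACY_POLICY_VERSION = "2018-05"; // assumed version tag of the policy text shown

// Map raw form fields to {purpose: true/false}. A checked checkbox submits
// "on" (or "true" if the template sets value="true"); anything else, including
// an absent field, "", "0" or "false", is treated as no consent.
function readConsents(fields) {
  const consents = {};
  for (const purpose of PURPOSES) {
    const v = fields[`consent_${purpose}`];
    consents[purpose] = v === "on" || v === "true";
  }
  return consents;
}

// Build the record stored with the enquiry. Returns {ok:false} when nothing
// was ticked, so the enquiry is not processed for any purpose.
function buildConsentRecord(fields, meta) {
  const consents = readConsents(fields);
  if (!Object.values(consents).some(Boolean)) {
    return { ok: false, error: "no opt-in given" };
  }
  return {
    ok: true,
    record: {
      subject: fields.email,
      consents,
      policyVersion: PRIVACY_POLICY_VERSION,
      consentedAt: meta.now,   // ISO timestamp supplied by the caller
      formId: meta.formId,     // which page or form collected the consent
      wording: meta.wording,   // the exact text shown beside the box
    },
  };
}

// Derive what the site may now do with the enquiry from the record alone.
function permittedActions(record) {
  const actions = [];
  if (record.consents.callback) actions.push("pass to lender for call back");
  if (record.consents.newsletter) actions.push("add to newsletter list");
  return actions;
}

// Template lint: a consent checkbox carrying the `checked` attribute is
// pre-ticked and must not ship. Returns the offending <input> tags.
function findPretickedConsentBoxes(html) {
  const inputs = html.match(/<input\b[^>]*>/gi) || [];
  return inputs.filter(
    (tag) =>
      /type=["']?checkbox["']?/i.test(tag) &&
      /name=["']?consent_/i.test(tag) &&
      /\bchecked\b/i.test(tag)
  );
}

// Constructed sample submission: the user ticked the call-back box only.
const sample = { email: "a.person@example.com", consent_callback: "on" };
const outcome = buildConsentRecord(sample, {
  now: "2018-05-25T09:00:00Z",
  formId: "loan-quote",
  wording: "Tick to receive a call from our team about your enquiry.",
});
console.log(outcome.ok, permittedActions(outcome.record));
console.log(
  findPretickedConsentBoxes(
    '<input type="checkbox" name="consent_newsletter" checked> Send me offers'
  ).length
);
```

The record deliberately stores the wording and policy version rather than just a boolean: if a customer later disputes what they agreed to, a bare `true` in a database column proves nothing.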

Privacy policy

Whilst it has long been standard practice to link a privacy policy from the footer of every page, not least for FCA purposes, GDPR now requires every site operating in the EU to tell users, at the point their data is collected, who the data controller is, why the data is processed and on what legal basis, who it is shared with and how long it is kept.

Whether you are a direct lender, insurer or comparison service, the privacy policy should be tightened up to give a clear explanation of what you will do with the customer’s data, including what happens once they complete an application, which third parties (lenders, insurers, credit reference agencies) receive it, and how and where it is stored.

GDPR gives customers the right to erasure (the ‘right to be forgotten’), so your privacy policy should clearly state how to contact you to have their details removed. Requests must be acted on without undue delay and normally within one month. The right is not absolute: where a lender or insurer is legally obliged to keep records, for example for anti-money-laundering or FCA record-keeping purposes, that data can be retained for the required period, but the customer should be told why and what has been deleted.

Storing of data

GDPR does not strictly require data to sit on servers in the EU, but it does restrict transfers of personal data outside the EU/EEA: data may only go to countries the European Commission has deemed adequate, or under appropriate safeguards such as standard contractual clauses, so keeping EU customers’ data within the EU is the simplest way to stay compliant. Beyond location, the regulation requires security appropriate to the risk: encrypt data in transit by serving the whole site over HTTPS (not just the login or application page) and encrypt it at rest, restrict and log access to customer records, and have a tested process for reporting a personal data breach to the regulator within 72 hours. Buying ‘secure servers’ is not a control in itself; hardened configuration, patching and access control are.