The EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) include detailed rules on the giving of privacy information to data subjects, principally in Articles 12, 13 and 14 of GDPR, together with some differences depending on whether you are collecting the personal information directly from data subjects or from a third party, such as a credit broker.  These are similar to, but much more detailed and prescriptive than, the ‘fair processing notices’ that were required under the Data Protection Act 1998.

The Agreement incorporates a ‘Privacy Notice signpost’ entitled “Use of Your Personal Information.” This relates to the requirement under the GDPR for you, as Data Controller, to provide or make available to your customer/s, a ‘Privacy Notice’ containing the required privacy information at the time when personal data are obtained, typically at the quotation or application stage. The “Use of Your Information” section must be brought to the attention of your applicant/s and customer/s prior to the Agreement being signed and concluded.

The Privacy Notice should include how the data will be used and shared and with whom, for example with Credit Reference Agencies (CRAs) and Fraud Prevention Agencies. The CRAs have produced a standard Credit Reference Agency Information Notice (CRAIN), which sets out how data will be processed by the three CRAs, namely Transunion. CRAIN is GDPR compliant and has been shared with the Information Commissioner’s Office (ICO).

CRAIN adopts a layered approach, which has been agreed by the ICO, and the Lender Layer incorporates where lenders will inform customers how their data will be used and shared and with whom, for example, via CRAs, CIFAS and other organisations. The information need not be prescriptive but must include a link to CRAIN. Customers must be given the opportunity (even if they choose not to take the opportunity) to access and read CRAIN at the point of application.

CRAs will be unable to share data with lenders who do not adopt CRAIN in its current format and your current ‘fair processing notices’ are unlikely to provide the detail required under GDPR, effective from 25 May 2018.

Links to CRAIN:



Further information on GDPR Privacy Notices can be accessed at: