How to make a debt recovery procedure GDPR-compliant?

In this case study, we share our experience of bringing one of the typical data processing operations of a financial company into conformity as part of the annual GDPR implementation project.

The client turned to us after he learned that the Regulation applies to all companies that he owns. He was worried about the need to rebuild all business processes.

We selected precisely those processing activities where it is really necessary to comply with the GDPR requirements and prioritized them, starting work on the most important and dangerous ones.

We got down to solving the problems themselves at the second or third session: the project team did not include a person from the department we needed, and he had to be invited to the next session. Each session lasted 3 hours, but we had 2-2.5 hours, and the remaining time was used to work on other issues.

After the completion of the GDPR Roadmap implementation program, we can talk about a high level of compliance with the Regulation - from 50%.


Siarhei Varankevich CIPP/E, CIPM, MBA
Founder of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant
MBA, Certified Information Privacy Professional (CIPP/E), Certified Information Privacy Manager (CIPM). Started to work with the GDPR draft version, in 2015, in Munich. Defended his MBA thesis about the Regulation, in Bremen, in 2016

Siarhei delivered hundreds of consultations on GDPR issues to companies around the world. He helped to implement the GDPR program as an external project manager in over 50 companies.


The client approached the selection of team members carefully: representatives of the legal and compliance departments, information security specialists, and decision-makers all participated. This made the sessions with the consultant as productive as possible and allowed all deadlines to be met.


The financial company that contacted us operates in the EU. That is why the scope of the GDPR extends to it, since:

  1. It belongs to a European company. That is, the processing of personal data occurs in the context of the activities of an organizational unit (parent company) from the European Union.
  2. There are a number of processing activities that involve the personal data of persons located in the EU.

The client was afraid that his activities in all countries and regions were subject to the GDPR, assuming that the Regulation applies to all companies of his type. As a result, the company was going to rebuild its entire organizational system around the rules of the Regulation. But we intervened in time and explained that this is not necessary for all processes.

In this case study, we cover only one element of the project: bringing the debt collection procedure into line with the European standard. Our consultant identified this processing activity after the register of processing activities was compiled and the activities were ranked by risk.

Why did the company choose us?

Initially, the client turned to us for training. At that time, our company was the only one that conducted training courses on the protection of personal data under the GDPR. Besides:

  1. The client had already seen the level of competence of our experts. Siarhei Varankevich acted as the trainer of the course, so they had seen the depth of his knowledge and experience. In particular, it was important that Siarhei Varankevich had international certifications and recognition: CIPP/E and CIPM.
  2. When contacting another company, it would be necessary to check the knowledge of its specialists, build communication with them from scratch, and explain the situation again.
  3. Narrow specialization in the Regulation, that is, no spreading of effort across, for example, FZ-152 or other local legislation of countries outside the EU.

The client, among other things, understood that contacting us for consulting services would save time and, as a result, money.

The essence of the problem and its solution

1. Information Security Issues.

1) A person who had paid the debt remained in the system used by the collectors. This creates a risk that a collector will quit and “take away” this database with them. And it contains a substantial dossier on people: contacts, place of work, information requested from government agencies, including law enforcement.

2) The storage system used was quite old and did not provide the ability to separate access privileges. That is, if you are an employee of this department, you have access to all the data in the database, regardless of which of the non-payers you work with. We could not ignore the risk of the data being used for personal purposes: for example, to look up acquaintances in the database.

Problem solving process.

We identified the need to clean the system of entries that are no longer relevant. We added a maximum period for storing and processing this data to the list of recommendations. Because of the large amount of data, deleting it manually was difficult, so a retention limit and automatic deletion were added to the terms of reference for the rework of this system.
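The two controls discussed in this section, as an added example that is not the client's system or code from this case: automatic deletion of paid-off cases after a maximum retention period, and per-case access in place of department-wide access. The schema, the collector names, the sample rows and the 180-day period are constructed assumptions, and the per-assignment access check is one possible answer to issue 2), not something the case states was implemented.

```python
import sqlite3
from datetime import date, timedelta

RETENTION_DAYS = 180  # assumed value; the page does not state the actual period

def open_db():
    """In-memory stand-in for the collection system, with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE debtor_case (
            id INTEGER PRIMARY KEY, debtor TEXT, dossier TEXT,
            assigned_to TEXT NOT NULL,   -- collector working this case
            paid_on TEXT                 -- ISO date, NULL while the debt is open
        );
        CREATE TABLE access_log (actor TEXT, case_id INTEGER, allowed INTEGER);
        INSERT INTO debtor_case VALUES
            (1, 'Debtor One',   'contacts, employer', 'collector_a', '2023-01-10'),
            (2, 'Debtor Two',   'contacts, employer', 'collector_a', '2023-12-01'),
            (3, 'Debtor Three', 'contacts, employer', 'collector_b', NULL);
    """)
    return db

def read_case(db, actor, case_id):
    """Return a dossier only to the assigned collector; log every attempt."""
    row = db.execute(
        "SELECT debtor, dossier FROM debtor_case WHERE id = ? AND assigned_to = ?",
        (case_id, actor)).fetchone()
    db.execute("INSERT INTO access_log VALUES (?, ?, ?)",
               (actor, case_id, int(row is not None)))
    return row

def purge_expired(db, today):
    """Delete cases whose debt was paid more than RETENTION_DAYS ago."""
    cutoff = (today - timedelta(days=RETENTION_DAYS)).isoformat()
    cur = db.execute(
        "DELETE FROM debtor_case WHERE paid_on IS NOT NULL AND paid_on < ?",
        (cutoff,))
    db.commit()
    return cur.rowcount

def denied_attempts(db):
    """Attempts to open cases not assigned to the actor (input for review)."""
    return db.execute(
        "SELECT actor, case_id FROM access_log WHERE allowed = 0").fetchall()

if __name__ == "__main__":
    db = open_db()
    print(read_case(db, "collector_b", 1), purge_expired(db, date(2024, 1, 1)))
```

Run on a schedule, `purge_expired` removes the need for manual cleanup, and the access log gives a reviewer the list of lookups made outside a collector's own cases.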

2. Records made by employees of the unit could contain information about the causes of the debt: for example, that a person is now sick and is in an oncology clinic, is in prison, or has problems in the family or at work. Health data is sensitive, which means that the Regulation does not allow it to be processed without appropriate grounds.

Problem solving process.

We conducted training for employees of the department and explained what information must not be recorded electronically. We clarified that such information may remain on paper stickers or notes, since these do not constitute a filing system or automated processing. Provided that employees throw out these notes after working with the client, sensitive data on stickers can be collected and used, since this will not be regulated in accordance with Art. 2(1) GDPR. We also recommended a set of rules and recommendations. This helped to avoid possible serious consequences if a collector acts improperly. For example, in this way we prevent the following scenario: while working on a debt, the collector finds out that a married man took out a loan for a gift to his mistress, and then informs the family about this, which leads to not only financial but also personal problems.

How does the financial company feel?

If you apply for services to this financial institution, your personal data will not be used against your interests.

Both in the debt collection process and in a number of others, significant changes have taken place that meet the highest standards.

It should be noted that real professionals work in the customer company. Despite the fact that compliance with GDPR is only an additional obligation for employees, this did not prevent them from treating their customers with care.

We are confident that this company has great prospects. Especially considering that in the modern era, people no longer work with those who offer the best conditions, but with those whom they trust. And trust in what happens to personal data becomes a determining factor when choosing a service.



“Compliance with GDPR can be your competitive advantage with us.”

