The implications of GDPR on the Direct Debit industry

GDPR. It was nowhere and then suddenly it was everywhere. The buzzword at the front of business professional’s tongues for the past year. As such, industries have been forced to become stricter on how they store and use personal data. But what impact will this have on companies collecting Direct Debits and bureaus hired to manage this cash flow?


What is GDPR?

The introduction of GDPR, or the General Data Protection Regulation, is the largest change to data protection in the last 20 years. GDPR will replace the current Data Protection Act (DPA) in May. Whilst the rules under the new legislation don’t stray too far from those under the DPA, the tightening of these will have effect a visible change to organisations, and the onus is on the controllers and processors of data to enforce these.

  • Controller: The ICO describes a controller as the person, or organisation, responsible for determining ‘the purposes and means of processing personal data.’ This might be a leisure organisation handling Direct Debit membership collections, or a magazine collecting subscriptions via Direct Debit
  • Processor: This is the body responsible for processing personal data on behalf of an organisation. We, at DFC, fall under this remit, alongside other Direct Debit bureaus who manage Direct Debit cashflow for third-parties.


What needs to be considered?

The GDPR’s definition of ‘personal data’ is much broader than under the DPA. It is any information relating to an identifiable person, be this a name, an ID number as well as social, genetic, and importantly in the case of Direct Debit, economic identifiers.

It has never not been important to pass data safely and securely. That said, those in breach of non-compliance can face fines of up to €20 million or 4% of annual turnover (whichever is highest). It’s in every organisation’s interest to take data protection more seriously, if only for their own sake.

Finally, people will no longer have to jump through hoops to access their own stored data. They can request corrections to inaccurate data and have the ‘right to be forgotten’ – i.e. controllers and processors must remove all information held on them.


Direct Debit is the securest money transfer service available, but that shouldn’t stop you taking steps to ensure you meet the expected regulatory standards for yourself and your customers.

If you have any questions regarding how the new laws may affect your Direct Debit provisions, why not get in touch? We may be able to answer any questions you have. Alternatively, for more information on DFC, or to find out what we can do to help improve your cash flow, visit us at

Related Posts

Bacs processing calendar 2020

At the end of every year, Bacs release their processing calendar for the year ahead, giving organisations the info they need to plan Direct Debit tran...