Published by Gbaf News
Posted on May 4, 2018
5 min readLast updated: January 21, 2026
With 23 days until GDPR comes into force, Steve Martin, Data Protection Officer at Equifax, explains why businesses using Credit Reference Agency (CRA) services must engage with their suppliers:
“The new general data protection regulation will soon be upon us. For any businesses using credit reference agency (CRA) services, whether it’s credit checking or identity verification to help fight fraud, urgent steps must be taken to ensure these services can be maintained.
“Data sharing between lenders and CRAs and other authorised organisations helps consumers access appropriate products, receive relevant communications and better manage their finances. Any businesses which share credit data that haven’t yet engaged with their CRA must do so as a matter of urgency, as it’s essential that they direct customers and prospective customers to the right information on how their data will be shared with and used by CRAs.
“To maintain the public’s trust and facilitate the ongoing sharing of data, the industry must make sure privacy notices are compliant and consumer friendly. Equifax has worked closely with other CRAs to launch an industry-wide Credit Reference Agency Information Notice (CRAIN)* which provides standardised wording defining the standards that all three CRAs will apply when processing consumer data. CRAIN supports GDPR’s drive to enhance consumer rights and transparency over their data, providing clarity over the role of CRAs in the financial industry.
“Businesses sharing data with a CRA must use or signpost customers and prospects to CRAIN, to ensure they receive clear and consistent information about how their data is managed. For new customers, clear direction at the point of application is important; a link to access CRAIN at a later date is not acceptable.
“The following steps must be taken for each application to ensure a prospective customer understands how their personal information is used and kept safe, and their rights to access, control and correct information held on file:
With 23 days until GDPR comes into force, Steve Martin, Data Protection Officer at Equifax, explains why businesses using Credit Reference Agency (CRA) services must engage with their suppliers:
“The new general data protection regulation will soon be upon us. For any businesses using credit reference agency (CRA) services, whether it’s credit checking or identity verification to help fight fraud, urgent steps must be taken to ensure these services can be maintained.
“Data sharing between lenders and CRAs and other authorised organisations helps consumers access appropriate products, receive relevant communications and better manage their finances. Any businesses which share credit data that haven’t yet engaged with their CRA must do so as a matter of urgency, as it’s essential that they direct customers and prospective customers to the right information on how their data will be shared with and used by CRAs.
“To maintain the public’s trust and facilitate the ongoing sharing of data, the industry must make sure privacy notices are compliant and consumer friendly. Equifax has worked closely with other CRAs to launch an industry-wide Credit Reference Agency Information Notice (CRAIN)* which provides standardised wording defining the standards that all three CRAs will apply when processing consumer data. CRAIN supports GDPR’s drive to enhance consumer rights and transparency over their data, providing clarity over the role of CRAs in the financial industry.
“Businesses sharing data with a CRA must use or signpost customers and prospects to CRAIN, to ensure they receive clear and consistent information about how their data is managed. For new customers, clear direction at the point of application is important; a link to access CRAIN at a later date is not acceptable.
“The following steps must be taken for each application to ensure a prospective customer understands how their personal information is used and kept safe, and their rights to access, control and correct information held on file:
Explore more articles in the Finance category
