How loans websites can get GDPR ready

In what ways can loans websites become GDPR ready? Here, we take a look.

UK business owners, websites and organisations will have to start adhering to the requirements of the EU General Data Protection Regulation (GDPR) that officially come into force on May 25th 2018.

GDPR is designed to increase data privacy laws across Europe (as while the UK is leaving the EU, it still adopts incoming EU legislation after Brexit) as well as reshape the way websites and companies approach data protection.

The financial consequences of not becoming GDPR complaint once the new legislation comes into force are significant, and could sorely affect the online loan industry.

For loan websites and specifically brokers who fail to meet the new standards on data regulations, could face a fine of up to 20 million euros (previously capped at 500,000 euros) or the equivalent of 4 per cent of turnover, whichever is the greater amount. But in what ways can loans websites become GDPR ready? We take a look at some of the ways how.

Website forms

To make a loan website GDPR complaint, any forms on websites will no longer be allowed to have pre-ticked boxes on forms. This is because it is not considered as actual consent, instead you will need to provide an opt in tick box.

Potential applicants and customers should also have a very clear understanding of what happens when they submit their details. This is a particularly grey area for comparison websites and brokers such as and All The Lenders who do not you deal directly with the user, but recommend the loan products of others. So whether applying for a mortgage or short term loan, the journey for the customer needs to be much clear, with customer data being sent to multiple companies as a last resort.

Add encryption

It is encouraged that all loans websites have an SSL (a Single Socket Layer) certificate (you will know whether or not a website has a SSL certificate as you will see a ‘padlock’ symbol visibly present). It gives you a https in the address bar which makes your content secure between servers online and therefore helps to reduce the threat of security attacks and data breaches.

This is particularly important for companies who accept online payments on their websites, and therefore will most likely be using some form of payment gateway for these transactions, and who could be collecting personal data before they are being passed onto the payment gateway, making SSL encryption almost certainly needed.

SSL certificates for a website are not the only ways to increase security and make a loan website GDPR compliant. For example, having specific IDs for customers can also help. his means that should a data breach occur, the exact name of the customer will remain unavailable to scammers as their data will be protected under a specific ID.

Detailed privacy policy

Many, if not all, loan websites store personal details of users after their information has been processed, under GDPR, privacy policy will need to be modified prior to the implementation of the GDPR in May.

The policy itself should detail fully exactly how long they will be storing data for, as well as introducing web processes so that all personal information is then removed after a certain amount of time (e.g after 90 days), this means that a loan website will also have to remove this information if a customer requested that a company does so.


The use of cookies should also be stated in the privacy policy as well as the type of information that will be collected as well as what that information can be used for. Under The Privacy and Electronics Communication Regulations 2011 it became law to require the acceptance of cookies from users, but they can also opt out of cookie tracking via their browsers privacy settings.

Notifying about data breaches

Under these new EU regulations, it will now be a duty of all websites and organisations to report particular types of data breaches to the Information Commissioner’s Office website (ICO), or the company could receive a huge fine.

Removing data

Until now, loan companies and providers would also keep old applicant’s details on file, even if they were declined. Whilst there was no obligation to delete their information, this is now compulsory if the customer requests that you do so. As a lender or broker, if someone asks to be removed from your database, you must do so under new GDPR legislation and there must be no trace left.

Looking for finance? is working in partnership with trusted lenders to find the best business funding deals. Find out more here.

Ben Lobel

Ben Lobel

Ben Lobel was the editor of from 2010 to 2018. He specialises in writing for start-up and scale-up companies in the areas of finance, marketing and HR.

Related Topics


Leave a comment