Re: What Exactly Was The Breach ???
"They are going to have to seek EXPLICIT consent for absolutely everything they store, and it ain't going to go down well."
This is a common misconception. GDPR, like the DPD before it, provides six justifications for processing personal data. Consent is just one of those justifications. CRAs typically rely on:
- Contractual necessity (e.g. your bank make it a condition of opening the account)
- Legal obligation (e.g. compliance with fiduciary duty/due diligence legislation; remember they're a regulated industry)
- Public interest (i.e. it's better for everyone if lending decisions are made on accurate information)
and failing all else, the "legitimate interests" justification, but this is problematic as it requires a full privacy impact assessment rather than just a tick in the box.
They neither need nor want your consent.