But what exactly are the new rules and what do they mean for you and your business?
The world is a very different place from 1995, which is when the last EU Data Protection Directive was brought in.
Thanks to huge advances in technology, personal data is much more accessible and free flowing than it was 20 years ago and these changes are designed to protect those whose data it is.
Although the GDPR does not simply replace the Data Protection Act, it does require the Act to be updated so that UK law sits alongside the Regulation. And no, any potential Brexit fallout will not stop these new rules from being implemented.
What are the changes?
They broadly cover two areas: much stronger rights for individuals and consumers to be informed about, and to control, how organisations use their personal data; and a duty on organisations to report personal data breaches to the regulator (in the UK, the ICO) within 72 hours of becoming aware of them, unless the breach is unlikely to put individuals at risk. Where a breach is likely to put individuals at high risk, the affected individuals must be told as well.
For example, consumers will have the right to request that personal data be deleted or removed and if there’s no compelling reason for an organisation to carry on storing personal information, it must be deleted.
New rights around marketing consent, data portability and seeing what information is being held also come into play.
The requirements on consent have also changed. Rather than an assumption that a consumer who doesn’t say ‘no’ is automatically consenting to have their data used, there will have to be a positive ‘opt in’, such as ticking an unticked box, before the organisation has consent. Pre-ticked boxes, silence and inactivity do not count. Consent is only one of the lawful bases the GDPR allows; where data is genuinely needed to perform a contract or meet a legal obligation, a different basis may apply, but whichever basis is used must be identified and recorded.
If client information and data is used for any purpose that is not consistent with the original one, further consent needs to be gained. It must also be as easy to withdraw consent as it is to give it.
It’s not just new client data either, personal data already collected and stored will be subject to the GDPR rules.
All these things have obvious resonance in the mortgage advice market, where the collection and use of personal and financial data is a massive part of the working day. GDPR, therefore, is not something that can be ignored.
What needs to be done?
First there are two pieces of good news. If mortgage advisers are currently complying with the Data Protection Act then they’re well on the way to complying with the GDPR.
Second, some mortgage tech companies have systems in the market that will help advisers adhere to the GDPR rules, so if you use one of them, you’re again well on the way to complying. If you’re not sure, a quick call to your systems supplier should give you the answer.
However, there are still compliance processes and procedures to sort out. For example, it is an adviser’s responsibility, not the supplier’s, to ensure that how the data is collected (the issue of consent) and how it is used complies with the GDPR.
It is also essential to ensure that data is sufficiently protected from hacking and other security breaches by putting appropriate security measures in place. Using anti-virus software is one step many have already taken; encrypting personal data, both on the devices and backups where it is stored and when it is sent, is the next one needed.
All the above means that advisers may have to change their systems and procedures to comply with the new rules.
It is critical that everyone in the organisation who collects or handles data knows what their responsibilities are under the new rules and that, at least while the new systems are bedding in, sufficient monitoring takes place so that any breach is spotted quickly and the 72-hour reporting clock can be met.
Why should you comply?
Apart from the fact that from 25 May 2018 complying with the GDPR will be a legal requirement, and that the maximum fine for not complying is €20 million or 4% of annual worldwide turnover, whichever is greater, the GDPR can actually be good for business.
With more and more organisations falling foul of hackers, and more people’s data ending up in the hands of cold callers and the like, trust around data security is low.
If your customers believe that you are looking after their information, that they have control over how the data is collected and used, and that it won’t fall into the hands of a less than reputable organisation, they’re more likely to use your services.
In addition, using customer data more carefully means advisers can target the right customers with products that are genuinely suitable for them. Marketing should be better focused and bring improved results.
How can technology companies help?
In order to be certain they are GDPR ready, advisers need to talk to their technology suppliers and be reassured that their systems will enable compliance.
The best tech companies should also be able to offer advice on how to use those systems for GDPR compliance. Have a look at the agendas of industry events; the GDPR is a hot topic and the people who understand it are speaking about it.
Advisers that are not GDPR compliant when the new rules come into place will find themselves seriously hampered when dealing with new and existing clients.
My advice is to pin the responsibility for this on someone in your organisation, if you haven’t already, and make sure all is sorted well in advance of next May.
Mortgage Brain owns AE3Media, the parent company of Mortgage Solutions