Businesses that breach GDPR after it takes effect on May 25 could be on the receiving end of multi-million pound penalties.
As a result, financial firms are worrying about what they can and can’t do with data, Sue MacLure, head of data at Psona, said.
But in reality, firms that already follow existing data protection acts are likely to fall broadly in line with GDPR, according to MacLure.
For example, businesses are already obliged to keep customer data safe and secure, while seeking various permissions for use.
The aim of GDPR is to shift company mindsets to use data in a manner that clients and customers would expect and consider fair.
It also aims to eradicate the overuse or misuse of data: information should be used for the purpose for which it was provided and nothing else.
This essentially translates as treating customer information with a common-sense approach that your mum would expect, rather than your boss, MacLure told Mortgage Solutions.
Pare back your data
Borrowers give brokers vast swathes of information as a result of the detailed mortgage process. Most of this data shouldn’t be held too long after a mortgage has completed, according to MacLure.
Advisers should think about how they would defend keeping information if they had to.
She said: “Why would you keep information for more than three months?
“Would the borrower get a mortgage approved on the same basis in 12 months?
“I would compare it to how long you would expect someone to hold a CV on file – it’s out of date within a year.”
Instead, brokers should keep the bare bones of information, such as contact details, date of deals and a broad bracket of value of the mortgage, MacLure said.
But, crucially, the data stored can vary from client to client – depending on the relationship and expectations in each case.
Speaking at the Legal and General Quality Awards, MacLure explained this can be affected by generation or circumstance.
She said: “The information commissioner is not going to give any of you rules… It is guidance around ‘you must use your customer data in a way that is appropriate for your receiving audience’.
“What is appropriate will be different depending on who your receiving audience is and the message you are giving.
“That is the thing that has caught people out throughout the instigation of GDPR.”
For example, for a broker this could mean holding more data on long-term clients where there is a good relationship in place, and where they have given consent.
MacLure added: “GDPR is a stop and think about how you have behaved in the past – and question whether you behaved reasonably, not what your boss said is reasonable, but what your mum says is reasonable.”