Coming into effect in May 2018, the General Data Protection Regulation (GDPR) expands on the existing UK Data Protection Act and introduces a new level of accountability for any organisation handling personal data, along with the potential for greater fines for non-compliance.
But what does this really mean?
Like it or not
Essentially all businesses who process personal data of EU citizens have to comply with GDPR. And the uncertainty surrounding Brexit is certainly no reason to ignore this or think rules could be changed or diluted anytime soon.
If and when the UK leaves the EU, the government has already said that it intends to comply with GDPR and maintain data protection protocol in order to be able to trade with the EU. This is evidenced by the acknowledgement of the Data Protection Bill in the Queen’s Speech in June.
So, like it or not, this will happen and it’s important for all firms to be aware of its implications. However, it appears that many UK mortgage advisers are not yet fully up to speed. Research from Mortgage Brain recently found that 81% of respondents haven’t started to implement the new regulations and 35% weren’t even aware of the new rules.
It also showed strong variations in the awareness of GDPR depending on advisers’ locations. In London for example, 50% of respondents said they were unaware of the new rules, compared to 34% in Birmingham, 30% in Winchester and 25% in Manchester. It’s tricky to decipher why there are regional variations but it’s clear that we, as an industry, need to raise awareness surrounding this subject sooner rather than later.
Firms of all shapes and sizes should at least be familiar with what is required to comply with all relevant GDPR provisions. Inevitably, the impact of GDPR will be much more evident for larger consumer-facing organisations. This is mainly because of the size and scale of their systems and, in some instances, the complexity of the personal data processing activities undertaken.
However, even the smallest of service providers will be required to integrate robust procedures to meet with the new regulations – and that includes intermediary firms.
As an industry we are used to change and having to adjust to regulatory and policy shifts. GDPR may well lead to some administrative burdens, potential cost implications and the engagement of differing levels of external support or additional internal training but, looking on the brighter side, opportunities could also emerge.
Existing client banks consist of an abundance of potential leads, retentions and referrals. Having said that, they can often be the most under-utilised part of any business – so why not use this upcoming deadline as a trigger to identify how GDPR enhancements can help maximise the data you already hold?
Getting to grips
The first step is to get to grips with the full implications of GDPR. Then undertake a data audit or data mapping exercise.
This will help you gain a better understanding of the data you hold, why you hold it, and any potential opportunities for utilising the data in accordance with the GDPR. Understand how data has, or more to the point hasn’t, been utilised in the past. Reflect on successes and learn from failures when adopting new strategies.
And finally, don’t forget that help is out there through a variety of resources. A good place to start is the ICO’s 12 steps to prepare for GDPR.
The deadline is getting ever closer, so try to embrace it where possible and whatever you do, please don’t ignore it.
Mortgage Solutions has also compiled a seven-step guide to prepare your business for GDPR compliance, which you can find here.