Previous customers could flood lenders and brokers with so-called Subject Access Requests (SAR) as increased awareness about the data act gradually takes hold, according to Julie Evans from solutions provider Exonar.
The large amount of personal data gathered during the mortgage application process means brokers could get into difficulties putting together detailed reports.
Small companies operating without compliance departments or large automated IT systems face the biggest challenges in preparing for the new rules, Evans warned.
A high profile data breach, such as the Equifax breach, could typically trigger a deluge of consumers to question the exact information companies are holding.
Financial services companies are set to receive millions of requests, as consumers demand companies reveal the depth of information held on them in exchange for other attractive services they want, Exonar research showed.
Evans said brokers should be planning how to adhere to the GDPR, which takes hold in just six months.
Speaking to Mortgage Solutions, the Exonar chief operating officer said: “The mortgage broker industry is going to be heavily impacted, because you hold and ask for such a rich amount of data.”
Delete almost everything
Brokers must consider how long and what exact information they are holding on individuals ahead of the rules.
When GDPR takes effect, companies will be required to detail all data held in reports that could run for hundreds of pages, Exonar’s research suggested.
To minimise business upheaval from the regulation, Evans said brokers should look to delete almost all information on a customer shortly after their mortgage has completed, outside of statutory requirements.
She added that “robust timescales” should be in place for erasing personal information, including employment details, income, outgoings and other household information.
Evans told Mortgage Solutions: “Potentially delete everything.
“Ask the customer’s permission to retain contact detail data and continue to hold a relationship with them.”
She added: “I can’t see why [brokers] should need to keep information for longer than a month.”
Evans said: “Start a policy and then adhere to that policy… [brokers should] be clear about what data they are holding, defining it, and creating operational processes.”
The Information Commissioner’s Office (ICO) has put together 12 steps for companies to take in preparing for GDPR.
Evans added: “Companies often ask us how they can predict how many SARs they will receive.
“It’s an impossible task as so much of it will come down to consumer awareness.
“Businesses really do need to make the most of the remaining months to get their data house in order.”
Peter Williams, executive director of IMLA, said: “Many firms have this on their agenda and talks are also in progress between broker and lender trade bodies to help ensure the mortgage market is ready for GDPR in May 2018.
“The market is no stranger to new regulatory requirements, and there is a collective will to ensure the necessary preparations are made to implement these changes.”
Toni Smith, business operations director at First Complete and Pinks, added: “As a network we are aware of the far reaching consequences that the new GDPR regulations may have on brokers.
“We want our brokers’ businesses to be prepared come May 2018, so we are supporting them by running a series of educational workshops to guide them through the various requirements.
“We have been actively sending out communications on the upcoming regulations and our various workshops on GDPR are currently taking place for all our brokers to attend.”