Cover feature: Are you GDPR ready?

With the new General Data Protection Regulation due to come into effect this month, what does this mean for brokers — and how prepared are they for what lies ahead?

Facebook, Google and other web giants are not the only firms in the data spotlight this month. In fact, every business that processes the data of people who live in the European Union – including UK mortgage brokers – must comply with new rules to safeguard that information.

From 25 May the new EU-wide General Data Protection Regulation comes into effect, replacing the UK’s Data Protection Act of 1998.

Though GDPR involves updating privacy policies – and possibly some sleepless nights for compliance departments – the general message from the mortgage industry representatives that Mortgage Strategy spoke to is that many GDPR requirements are common sense and already in practice. However, some brokers have left their preparation a little late.

The key aim of GDPR is to give more control back to consumers over the use of their data, and to prevent firms such as Facebook from passing on sensitive information without people’s knowledge, which made international headlines when it happened recently.


The fine for breaking the rules from the Information Commissioner’s Office – which polices data protection in the UK – can be up to €20m (£17.5m) or four per cent of annual turnover, whichever is higher. This is a substantial increase compared to the maximum £500,000 fine under the former DPA.

“The regulation will not prevent brokers giving advice,” insists London & Country director David Hollingworth. “However, they will need to understand their responsibility for that data and be able to demonstrate compliance.”

Coreco marketing manager Aisling Miller agrees: “With the recent Facebook/Cambridge Analytica saga, I believe this is a step in the right direction.

“If brokers focus on being clear and jargon-free when discussing how their clients’ data is used, they are unlikely to be a focus for the ICO.”

In fact, the ICO insists firms compliant with existing data protection legislation are already a long way towards being GDPR-compliant.

There are many similarities between the Data Protection Act and GDPR, though the latter goes further.

It includes a ‘right to be forgotten’ whereby people can ask companies to delete their data. It also states consumers must always be asked to opt in to their data being used.


Other changes include the need to notify authorities more quickly if there is a data breach, and to give customers access to their data for free if they submit what is called a ‘subject access request’. Currently, firms can charge £10 for the service.

Hollingworth adds: “Customer permission is already required to market to them. GDPR only underlines that need for permission.”


Of course, GDPR rules are broad as they cover every EU industry in which a customer’s data is used. Therefore, how they are used in practice may seem a matter of interpretation in many cases, although brokers will need to be able to present documented reasons for why any such process has been employed.

Intermediary Mortgage Lenders Association executive director Kate Davies says: “Firms must make their own decisions regarding what is reasonable, and be able to justify them.”

If the process was carried out correctly, experts state the rules do not stop a broker who first sourced a mortgage from marketing to a client when their fix or tracker is set to expire.

Association of Mortgage Intermediaries chief executive Robert Sinclair says: “The key is getting permission to tell a customer what you will do with that data, so there is little issue with marketing if there is consent.”


Miller insists Coreco, for example, already includes notice of future communications in its contracts: “When a client comes to us they enter a contract which ensures we are legally able to contact them when their product is expiring. The client can opt-out at any point.”

One school of thought is that, as mortgage advice does not end at the point the first mortgage is sourced, a review by the broker when that deal expires is a natural continuation of that advice journey, and is not even marketing. Nevertheless, it is still wise for brokers to ask for permission to make that approach.

“Marketing permissions are different to the communication that customers will agree to as part of doing business with the broker,” Hollingworth says. “It will make sense to think about what is part of the business process and what amounts to marketing.”

Being able to contact a customer for a mortgage review raises not only the issue of requiring consent for the approach, but also that of holding the data – such as contact and mortgage details – for the required number of years.

“You will need to explain your lawful basis for processing the data and your data retention periods,” the ICO states.

However, brokers have been advised to delete data when it is no longer needed.

Julie Evans, chief operating officer at data consultancy Exonar, explains: “If a broker has a client who comes back at the end of their fixed term to search for a new deal and has been doing so every two years for 10 years, do you need the information from 10 years ago or is it only the latest deal that is relevant?

“Similarly, if you haven’t had any response from a client for 10 years and your emails are deleted without being read, is it relevant for you to keep contacting them?”


Another key step for brokers is to retain evidence of what their client agreed to.

Davies explains: “It will be up to lenders and brokers to keep their records up to date with what the customer is happy to receive and in what form.”

The key way to gain this consent is via what are known as Privacy Notices: those long terms and conditions few people actually read when signing up to products or services.

The Econsultancy website, a community for the marketing industry, says privacy policies “may still be long and unwieldy, but users must be made aware of the salient facts in an easy-to-read notice at the point of consent or data collection”.

Miller adds that in such documents brokers must be “honest about why, what and how customers’ data will be used through a jargon-free privacy policy”.

This means that the key facts of how data will be used cannot be buried at the end of a 100-page document.

Econsultancy adds: “A link to your crazy-long privacy policy during registration will likely not do the trick.”


Another no-no is having to untick a box to opt out of future communication, a practice already outlawed by the FCA when selling insurance.

“It means no pre-checked boxes and making it clear what types of permissions customers are giving,” Hollingworth says.

Even if a broker does not get consent to keep a customer’s data, experts state they do not need to automatically delete it as they may need to refer back to key documents if their firm was to come under investigation.

Sinclair says this is a common issue brokers ask AMI about.

“We get questions on the right to be forgotten but we don’t believe there is a right to be forgotten in this case,” he says.

Indeed, the ICO states the right to be forgotten “is not absolute and only applies in certain circumstances”.

Sinclair adds: “If there is a regulatory reason for retaining data then you can, but it must be relevant data.

“For example, a broker can keep all data of the fact-find and evidence to justify why they came to a decision.

“A broker would need to have a policy to say which data they will keep and for how long. A broker may want to keep P60s and payslips for a few months but other documents for longer.”

Be specific

Another reason for keeping data is to comply with anti-money laundering rules, according to Davies.

One activity banned under GDPR is gaining permission to market for one product, then trying to sell a different one.

The ICO says in its guidance to firms: “Be specific and granular so you get separate consent for separate things.”

Sinclair adds: “If a customer comes for a mortgage there is no problem marketing to them about mortgages. The problem comes with protection or other insurance products. They need to have asked permission to do this.”

Amid all the talk about what brokers should and should not do, a big question is whether they are prepared for GDPR, especially smaller firms that operate without dedicated compliance departments.

Sinclair points to AMI research which shows that all the brokers it polled are at least aware of GDPR requirements.

In an AMI member survey in March which asked how ready brokers are for GDPR, all respondents said they had heard of it, and 92 per cent that they had started preparation. The remaining eight per cent said they planned to start work on GDPR in April.


“Brokers seem engaged which is positive,” Sinclair says. “The market is aware of the issues but whether it will be fully compliant is another matter.

“However, the ICO doesn’t expect all firms to be ready on day one as it says it is a complex process.”

While Sinclair is calm about the 25 May launch date, there is a warning from the ICO in its official guidance: “You may find compliance difficult if you leave preparations until the last minute.”

Evans adds: “If the mortgage broker market is like the other industries that we work in, preparedness will vary wildly.

“It should be a priority for brokers to pro-actively make decisions and take action on their data estate, including understanding what they hold and why.”

Another use of that data estate is the passing of sensitive information from broker to lender. Unsurprisingly, the consensus of opinion is that GDPR does not prevent that, given it is a fundamental part of the mortgage process.

Davies says: “The individual will understand that the lender needs certain details to approve the application. GDPR doesn’t change this. Lenders should make clear to brokers what information they require so the broker only passes on what is needed.”

Meanwhile, lenders’ representatives are confident that banks and building societies are prepared for GDPR, with Davies and a UK Finance spokeswoman saying their members are ready.

So, with the key parts of the mortgage industry saying they are prepared for GDPR, the signs largely look good, even if some are cutting it fine.

Given most agree GDPR is simply putting common sense into practice, it would likely take a huge mess-up for a fine of £20m to hit the mortgage market, though errors do happen.

