Thursday 24 August 2017

GDPR - One of the biggest regulatory issues for next year


This is the first of a series of CPD updates on the new requirements for Data Protection coming into force in May 2018. I am keeping them short and to the point to make life easier for you. This document is basically saying that you need to have a Privacy Statement in place and that it should be issued to clients from within the initial disclosure document. The deadline for having this in place is 25th May 2018 but don’t let that date fool you.

Data Protection is going to be one of the biggest regulatory issues facing UK mortgage and insurance firms in 2018. GDPR (General Data Protection Regulation) is an EU directive that will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

It is going to be a big issue for a number of reasons.

Firstly, it is going to introduce the need for data subjects (your clients) to provide informed and unambiguous consent to the holding and processing of their data. This means that the client has to be told what you will do with their data, who it will be passed to, who the data controllers are and a number of other matters. Unambiguous consent differs from what we have now because it will almost certainly require something written down and signed or confirmed (by an action online, for example) from the client before you can begin to process their data. Silence, pre-ticked boxes or inactivity by the client will not be sufficient to demonstrate consent.

In addition, along with Data Subject Access Rights (DSARs), clients will need to be told that their consent for your firm to process data can be withdrawn at any time. Children’s data becomes an issue although probably not a major one for brokers as information about dependents will invariably be provided by their parents.

Secondly, the penalties for data protection breaches are increasing and there will invariably be a rash of very public enforcements of firms of all sizes in the early days to encourage the others. That is exactly what we saw from 2004 when the FSA took over regulation of mortgages and we should expect a repeat for Data Protection.

Thirdly, we have at last a bullish Information Commissioner who seems very keen to make a mark. Over the past few years, even under the existing rules, we have seen a significant increase in enforcement activity on firms across various markets and this will most certainly continue.

So what does this mean for mortgage and insurance intermediaries?

It is early days but we need to start thinking about the actions to take. The most obvious one is that of disclosure to clients. Currently many firms still use the Initial Disclosure Document designed originally by the FSA (albeit now without the Key Facts logo). It was a document fit for purpose but in its current form it is inadequate to deal with the GDPR. So, step one is for you to consider moving to a Terms of Business letter that covers both your regulatory disclosures and your data protection obligations. For those of you who use my MI System, there is an example of a Terms of Business in the Library (although it does not address GDPR at the moment).

At the present time, what a good job looks like post 25th May is a Terms of Business letter that satisfies Mortgage Credit Directive requirements, covers the new Insurance Distribution Directive requirements (the subject of another CPD update) and includes a full Privacy Statement for GDPR requirements. This document is to be signed by clients or otherwise confirmed by some form of email or electronic wizardry.



The next article on Data Protection will look at the definitions and extensions to the meaning of information and the types of processing mortgage and insurance intermediaries typically undertake in order to see if we have any issues and concerns post 25th May 2018.