THIS IS THE FIRST OF A TWO PART UPDATE ON GDPR FOR MORTGAGE INTERMEDIARIES. THE SECOND PART WILL BE ISSUED BEFORE 5th JANUARY 2018.
There is a lot of activity in relation to GDPR in the industry at the moment, as well as almost everywhere else! It is hardly surprising, as the new data protection rules coming into force in May 2018 for the European Economic Area (EEA) are probably the most far-reaching on the planet. Brexit will have no bearing on the changes coming in, so the new rules are no doubt here to stay.
So what has to be done? Below are a few things that we need to do.
Carry out a data mapping exercise.

This is not as heavy as it sounds. Basically, we just need to establish where you get data from, how you process it and who you pass it to (and whether any of these locations are outside the EEA). There are a number of convolutions around this, but I will be providing some guidance on this during December, together with a basic model for a mortgage broker that should fit most firms.

The reason for the data mapping is to carry out an audit of where personal data goes, so that you can identify who receives it and where, and then check that these potential data processors acting on your behalf are registered and tooled up to handle data (in terms of competence, security and back-up). The model that I will produce should cover most of the firms or types of firm that you will be dealing with, and if there are any outside this, then we can discuss them separately.

Data mapping also allows us to improve the completeness and coverage of our Privacy Statement (see below).
Privacy Statement and Consent

GDPR is going to require you to set out and explain to your clients who is processing their data, how you will process it and for what purposes, who you will share their data with, their rights and how you will keep their data safe. This is best done by documenting a Privacy Statement. This could be a standalone document or it could be incorporated into your Initial Disclosure Document (IDD). Although you don't technically have to get the client to sign your Privacy Statement, you are required to keep a record of the fact that you have explained the key information required by GDPR, and this is best demonstrated by getting a signature or email confirmation of receipt.

Under the existing rules, your client consents to you processing their data by the fact that they have contacted you to arrange a mortgage or insurance for them (and a member of staff, where applicable, by becoming your employee; the same applies to Appointed Representatives and Introducers). Under the new rules, the consent has to be evidenced. This could be a record that a conversation has been had and a Privacy Statement issued, when combined with documented procedures that explain how consent is to be obtained and training for appropriate staff. However, the safest way to evidence consent is by having a document signed or otherwise uniquely confirmed (e.g. by an email) by the client. Such evidence could be a signature on a copy of the Privacy Statement or on a suitably documented IDD. It could also be a confirmation of some form contained within an email from the client's personal email account. It should be noted that where one client is signing on behalf of a joint application there is a potential exposure if the other party then claims that there was no permission to sign on the other person's behalf. Suitable wording for joint applications could in part address this, but it is recommended that, where possible, all data subjects document their consent. As an aside here, there is a potential issue for adults living in the property to be mortgaged, because their data will also be recorded in your files, even if it is only name, age and address details. Therefore, where you are processing data relating to adults who are not party to the mortgage application but are resident or in any way involved in the transaction (another example would be dependents or members of the family in Lifetime Mortgages), you will need to be able to evidence that they have consented to processing of their data in the same way. Please refer to the section below for further details. Web pages will also be dealt with below.

I have produced a sample Privacy Statement and will be issuing this document shortly. It will also be available from 1st January in the MI System.
Initial Disclosure Document

Rather than issue two documents to a client, I would suggest that the existing IDD is expanded to incorporate the Privacy Statement. I believe that the Data Protection part should be visually separate from the IDD text, but a signature on the single document could be taken as a signature for both parts. Many firms still obtain signatures on the IDD as part of routine processing, and so this will not be a big deal in most cases. I would emphasise that the date of the signature is also important, as this is the date that the client consented to processing of their data. This could mean that you may begin recording client data before they have signed a consent, but that can be dealt with by making sure that the client is aware of the matter at the start of your conversation. The fact of issuing an IDD including the Privacy Statement within, say, 5 working days should be adequate to satisfy GDPR as long as some verbal explanation has been given at the outset.

I have produced a sample IDD in the form of a Terms of Business Letter, as I do not believe the old IDD format originally put forward by the FCA is appropriate to comply with the GDPR requirements. Firms currently using the old style IDD should consider moving over to a Terms of Business in order to streamline their process. ICOBS allows a terms of business letter for insurances as long as it includes certain key data, and the TOB that I have documented is also designed to comply with the current insurance disclosure requirements. It will also be available from 1st January in the MI System.
Appointing a person responsible for Data Protection and undergoing training within the firm

GDPR requires that each Data Controller (which may be an individual or a firm depending upon corporate status) appoints an individual with responsibility for Data Protection. That is no particular issue in its own right, but with the new rules on their way some time next year for Senior Managers and Certification (SM & C), it means that there will need to be a robust document and that the individual will have been appropriately trained and competent. For most small firms this will not, however, be an issue, as the sole Director, proprietor or senior partner will be the named person. Training can be in any form. This document in its own right is a training document and, if you use the MI system, will be recorded in your training log there.

Where there are any other persons in the firm, all of them will need to be trained in the new rules. Whilst this document deals with much of the new requirements, a further GDPR Training Session will be issued in the new year and made available through the MI system for training other members of staff. A recommendation would be that all staff, directors and business partners are trained, including ARs where applicable and their staff. It is also recommended that any introducers of business are provided with a suitable update (the Training Document to be provided at a later date, for example).