Intermediaries are concerned about the new General Data Protection Regulation coming into force in May, Mortgage Introducer research in partnership with 360 Dot Net has found.
The changes will mean customers need to ‘opt in’ to their personal data being used, while they can also request to have it deleted or removed if there’s no reason for it to be held.
Advisers are most concerned about these aspects of GDPR, with nearly half (46%) worrying about obtaining consent from individuals and two in five (41%) over the erasure of data. A further third (31%) are worried about training staff and internal processes.
Three in five (61%) brokers are concerned about meeting GDPR requirements.
Mark Dryden, business development director at 360 Dot Net, said: “There are a lot of conflicting signals about the GDPR at present.
“There is a lot of good and pragmatic commentary about how organisations should conform with the regulation.
“Understandably technology will have a significant part to play in this whether it is the storage of data, handling consent preferences or responding individual requests.”
Advisers are divided on how they should meet GDPR requirements: 20% anticipate their network handling things, 23% expect to get clued up through staff training and 28% think their CRM solution will handle the changes.
A third (31%) of advisers expect GDPR to be the biggest challenge of 2018, as three in 10 (28%) are concerned about regulatory requirements from the Financial Conduct Authority and one in five (20%) are looking to update internal security.
Dryden added: “Staff training will be more a modification of existing data protection training with some understanding of the more reactive rights of an individual, for example: subject access requests can no longer be charged for and must be processed within 30 days.
“The erasure of data is probably going to remain a contentious issue as different interpretations are put forward – I suspect the reality will be more practical and within a well-regulated environment such as financial services, if any advice or guidance has been provided, advisers can fall back to the regulatory demands defined by the FCA (and their own risk procedures).
“It is not surprising that consent is a primary concern to process individual data and perform non-complimentary tasks.
“There’s a balance between what the individual is expecting as part of the service an adviser provides and what falls outside of that, the latter ideally needing consent.
“An example would be marketing consent, especially if your electronic records do not allow you to distinguish between clients you’ve transacted with and those who have fallen by the wayside.
“Obtaining consent is the simplest and strongest method of gaining unambiguous individual intent as opposed to leaning on legitimate interests where the strength of consent might be woolly, especially if an individual failed to proceed or explicit consent was not gathered during the initial data collection.”