Mary Dryden is business development director at 360Dotnet
With the exception of surprise birthday parties, we shouldn’t do something on behalf of or to an individual without their knowledge or permission. This is hardly a revelation, but somehow when it comes to our personal data, data used to identify us directly or by matching against accessible sources, we seem to accept that organisations play by a different set of rules. This could be the product of sneakily hiding permissions in pages of terms and conditions, of reliance on customer inertia to explicitly opt out, or of the fact that many simply accept a “pay to play” attitude and acknowledge that our personal data is now just a commodity.
In May 2018, how organisations use personal data is going to fundamentally change by removing ambiguity and making the process of how businesses record our consent to processing transparent and accessible. This means capturing certain consent outside of terms and conditions, in simple and understandable language, and where the individual has to explicitly opt in. The downside is that companies, including those in the mortgage sector that process personal data, will need to radically review their activities to capture and monitor consent depending on the activities they perform.
Surprisingly, this is unlikely to change the core activities of a mortgage intermediary in terms of collecting data, processing applications, sourcing through third parties, appropriate communication, placing with the lender, etc. Those are ultimately consistent with the legitimate service an intermediary provides. Where consent becomes a requirement is where that data processing is not consistent with the original service. Examples would include being marketed about other products, passing that personal information on to “trusted partners”, profiling, and processing that is outside of reasonable expectations.
But here’s the kicker – if you haven’t got that consent post-May 2018, you cannot legitimately perform such activities and the consequences will be huge!
If we consider that an adviser’s client bank is their most valuable resource, it’s likely to become worthless outside of the legitimate reason to contact that individual, i.e. contact about the actual products sold and only while that product is active. Traditional tactics of “blooding” new advisers by contacting old customer lists still need consent prior to contact, and if that list has been sourced via a third party, new consent must be sought unless the originating company explicitly named the intermediary when collecting consent.
With the previous Data Protection Act, it was possible for companies to act in accordance with the legislation by simply “not being evil” (sociopaths notwithstanding). The GDPR changes this: companies must become “legitimate” (in the processing of personal data), with a far more nuanced regard for the rights and privileges of the individual. This places a huge responsibility on organisations to gain verifiable consent prior to the GDPR implementation for activities that are not consistent with the original service, otherwise the value of an intermediary’s greatest asset, its client bank, will be reduced.