For the last year, buzz about the European Union’s General Data Protection Regulation (also called the GDPR) has been nearly nonstop. This unique EU law took effect in May of 2018 and has startling cross-border implications for any company whose work may touch data related to citizens of the EU. The GDPR has the potential to change day-to-day practices in nearly every industry as companies move towards compliance, but it may have an unexpected impact on parties in the mortgage industry who hold data relating to overseas borrowers.
The GDPR creates stringent privacy requirements for sweeping categories of what it calls “personal information,” which includes items as basic as names and addresses. Even if an entity doesn’t regularly deal across borders on a large scale, a single item of covered data could bring any organization under the GDPR umbrella. International mortgage applicants, for example, could unwittingly put your organization at risk under the GDPR. Any company that collects data from an EU citizen while that person is in the EU is subject to the GDPR. That means an EU citizen could fill out a mortgage application online while physically in an EU country and automatically subject your organization to the GDPR’s various requirements. Even if the international applicant didn’t submit the data to your organization directly, any later receipt of protected data may still put the holder of that data in the GDPR’s path. This means that companies that receive data from outside vendors or other sources may still need to comply with the GDPR.
Fines for GDPR violations have the potential to be substantial, with some violations carrying fines of up to 4% of an organization’s annual revenue or €20 million, whichever is higher. If you think your organization might be subject to the GDPR, you’ll need to take certain actions. Your company will need to assess each item of incoming data to determine where it came from and whether its source presents a GDPR issue. If you’re in possession of GDPR-covered data, you’ll need to ensure that you comply with its requirements, including obtaining active consent to data storage, implementing data accessibility protocols, and reporting any relevant security breaches.