Law Firm Alliance


GDPR Basics for Mortgage Professionals

March 27, 2019


By Brian A. Nettleingham and Corinne S. Rockoff 

For the last year, buzz about the European Union’s General Data Protection Regulation (also called the GDPR) has been nearly nonstop. This unique EU law took effect in May of 2018 and has startling cross-border implications for any company whose work may touch data related to citizens of the EU. The GDPR has the potential to change day-to-day practices in nearly every industry as companies move towards compliance, but it may have an unexpected impact on parties in the mortgage industry who hold data relating to overseas borrowers.

The GDPR creates stringent privacy requirements for sweeping categories of what it calls “personal information,” which includes items as basic as names and addresses. Even if an entity doesn’t regularly deal across borders on a large scale, a single item of covered data could bring any organization under the GDPR umbrella. International mortgage applicants, for example, could unwittingly put your organization at risk under the GDPR. Any company that collects data from a citizen of the EU while that person is in the EU is subject to the GDPR. That means that an EU citizen could fill out a mortgage application online while physically in an EU country and automatically subject your organization to the GDPR’s various requirements. Even if the international applicant didn’t directly submit the data to your organization, any future receipt of protected data may still put the holder of the data in the GDPR’s path. This means that companies that receive data from outside vendors or other sources may still need to comply with the GDPR.

Fines for GDPR violations have the potential to be substantial, with some violations carrying fines of up to 4% of an organization’s annual revenue or €20 million, whichever is higher. If you think your organization might be subject to the GDPR, you’ll need to take certain actions. Your company will need to assess each item of incoming data to determine where it came from and whether its source presents a GDPR issue. If you’re in possession of GDPR-covered data, you’ll need to ensure that you comply with its requirements, including obtaining active consent to data storage, implementing data accessibility protocols, and reporting any relevant security breaches.

Brian A. Nettleingham

(248) 359-7503 direct
BNettleingham@maddinhauser.com

 

Corinne S. Rockoff

(248) 827-1881 direct 

 

Maddin, Hauser, Roth & Heller, P.C.
28400 Northwestern Highway, Second Floor Essex Centre
Southfield, Michigan 48034-1839 | 248 354 4030 phone


This article is for general information only and should not be used as a basis for specific action without obtaining further legal advice. 

 
