The forthcoming EU Data Protection Regulation gives consumers a right to have their personal data permanently erased in certain circumstances, for example they withdraw their consent for it to be held and it is no longer necessary for the information to be retained.
Mortgage lenders and administrators may have a valid claim to be exempt from this in some cases, as details of previous customer applications and accounts could need to be retained for regulatory reasons or used in any future dealings with the same customer, for example to make a new credit decision if they apply for a loan in the future, or to help combat fraud.
However there may still be cases where the lender does need to remove all trace of the individual from their systems, and this could prove more difficult than it might appear at first.
For example, every database holding customer data is likely to be included in a programme of scheduled backups to tape or another storage medium. These backups can go back months or years, and are simply not designed to allow individual records to be removed while leaving the rest of the backup intact, presenting a major technical challenge for which there is no clear solution.
Personal information may also reside outside databases in a more unstructured format, for example in email correspondence, paper documents and scanned images. These could be difficult to track down and remove efficiently and reliably, particularly for paper archives that are held offsite.
Lenders also share customer data with third parties such as credit reference agencies and property surveyors. In the event that a customer asserts their right for their personal data to be erased, the organisation with which they shared the information data is expected to take reasonable steps to make sure the request is passed on.
The new regulations are due to come into force in May 2018, almost certainly too late to be affected by Brexit. Lenders should be acting now to put in place suitable arrangements to ensure that they can comply from this date.