By now, many people have heard of the new General Data Protection Regulation (GDPR) from the EU. Some are probably sick of hearing about it. However, although the date when it will come into effect, 25 May 2018, is rapidly approaching, whether people have done anything about it is another question. It’s vital for those in the property sector and beyond to be ready for the changes when they arrive. Breaching the new regulations could result in a penalty of €20 million or 4% of a business’s global turnover, whichever is higher. This could be devastating for many businesses, particularly small and medium businesses that could be forced into insolvency by such a huge fine.
What is the GDPR?
If you’re not yet familiar with GDPR, it concerns new rules from the European Union regarding the storage and handling of consumer data. It applies not just to businesses within the EU, but any that have customers in the EU, regardless of where they are based. So a US company that handles the data of customers in the EU must also comply with the new regulations. GDPR has been created to address the inadequate data laws in the EU and to give more control to consumers. Under the new regulation, it’s easier for anyone to ask to see their data that a company stores, have it changed or have it deleted.
In the UK, there is a new data protection bill, which was published in September 2017. It will implement the majority of GDPR but also sets out some exemptions, as is allowed by the flexibility that individual countries have been given in how they put the new regulations into place. The UK has decided to set the age at which parental consent is needed to process personal data at 13, although other countries have set it at age 16. There are also protections for journalists, academic researchers, and anti-doping agencies.
Within the property sector, many businesses will now be hurrying to make sure they comply with the new rules. However, according to a report from law firm Collyer Bristow in October 2017, 35% of businesses in real estate and construction had no awareness of GDPR, which was higher than the average across all industries. Not a huge surprise though as many businesses in the industry have been laggards of technology however the use of smart devices has helped many get on board. In the construction industry there’s an even greater need for catch up with AI, Virtual & Augmented Reality, robotics and other systems being developed so data management and protection should be top of their priorities.
While more people are starting to become aware of the necessity to get ready for the GDPR, with only six weeks to go, is it too late? There’s still time to prepare and ensure businesses are complying with the rules, but there’s a risk that many in the property sector won’t be prepared when the big day arrives.
How Will GDPR Impact The Property Industry?
But what does GDPR mean in practical terms? Who is affected by it and how will it impact the property industry, including businesses such as real estate agents, property managers and landlords? The reality is that every business needs to check if they will be affected by the new regulations. No one can automatically assume it doesn’t apply to them, or they could end up getting in big trouble. Any property company that is a ‘controller’ or a ‘processor’ of personal data needs to comply with GDPR. Data is separated into personal data, which can include a large range of things, such as names, address, and even IP addresses, and sensitive personal data, which includes things like sexual orientation, religion, and genetic information. Property businesses are very likely to be handling the former and could be dealing with the latter in some circumstances too.
However, there are some GDPR rules that won’t affect the majority of property businesses. Businesses that have over 250 employees need to have a stand alone security officer, but this won’t apply to many in the property sector. There are some key principles that will apply to most businesses, which include:
- Being transparent about how you collect, store and use personal data
- Asking for consent from customers to store and use data
- Providing access to personal data when customers request it and deleting it when asked
- Informing customers of security breaches within 72 hours of discovering that they have taken place
Your Website & Software Used To Collect Data
Some of the key areas that property professionals need to examine include their website and any software that they use to manage customer relationships and information. These will need proper data protection to prevent breaches and keep people’s personal data secure. Businesses will need to keep track of who has access to certain data and how they have that access too. One particular way that a property company might need to change how they operate is when they ask for information from a tenant, a landlord or someone else. If they need to fill out a form to provide some of their information, it should include an explanation of why the information is needed and how it will be used. It will also need to request permission to store that data and to use it to send marketing communications.
These changes will mean that businesses in the property sector will need to be more careful about their handling of personal data. Every time it is collected, stored or used, it’s important to ensure that permission has been obtained. Transparency is key in all data handling, and businesses need to be prepared to respond to data requests as quickly as possible. Undertaking a data audit is the first step for many companies so that they know what steps they need to take to ensure GDPR compliance.
GDPR might not change what data companies in the property sector choose to collect. However, it will change how they manage it, and it gives customers more control over what they do with it. A company might continue to use customer email addresses to send out a monthly newsletter or other marketing communications, but they will need to ensure they have permission to do so.
There is one good thing to remember, and that’s that the fine of €20 million for noncompliance might not be as alarming as it sounds. While fines could reach that amount, lawyer Adam Rose suggests that it’s likely to be closer to €1 or €2 million for serious offenses – at least, at first.
Businesses in the property sector need to ensure they understand their responsibilities before 25 May if they don’t want to get caught out.