If the term GDPR is new to you, then you have a short window of opportunity to review your obligations under GDPR rules as it comes into force in the UK at the end of May 2018. Likewise, if you were thinking it had nothing to do with you, then you may wish to get a second opinion, because the General Data Protection Regulation applies to all businesses and failure to comply can carry severe penalties and can even lead to a prison sentence. In short, if your organisation handles the personal data of anyone currently living in an EU country, then GDPR applies to you.
Understanding Personal Data
Personal data comes in various forms. Many assume that it just means payment or financial data, but it means so much more. Basically, it is anything which could be used to identify a customer, including basic contact details such as email addresses and phone numbers as well as data such as IP addresses, mobile device IDs, payment data and billing information. Personal data is defined as “any information relating to an identified or identifiable natural person” and includes both ‘direct’ and ‘indirect’ information; for example, a customer’s name is classed as ‘direct’ information, but a brief description of their occupation or the industry they work in (without specifics) would be classed as ‘indirect’ information.
Transparency, Necessity, Consent and Accountability
The full GDPR document is a very lengthy read, but it essentially boils down to four key issues:
Transparency – businesses must be clear about what data they are collecting and why.
Necessity – businesses should only ask for data when there is a clear and obvious need for it.
Consent – businesses should obtain clear and informed consent from data subjects.
Accountability – businesses will be held to account for any data breaches.
The reason necessity was listed before consent is because businesses may find themselves on very rocky ground if they rely on consent as a reason for collecting data. This is particularly likely if the data is collected as part of an employer/employee relationship, where the law is inclined to assume that the relationship is imbalanced and the employer is in the position of strength.
A clear and obvious necessity, supported by informed consent, would provide a much more robust defence in the event of any potential claim. In terms of property professionals and their customers, some businesses, such as lettings agencies, might find themselves being looked on as having a similar relationship with their customers as employers do with their employees.
Turning Theory into Practice
It’s probably fair to say that just about everyone involved in the property sector collects some level of personal data from customers, even if it is only their contact details. For many property professionals and online estate agents, implementing GDPR may be as straightforward as making sure that all forms are “opt in” rather than “opt out” and that their data security processes are up-to-date and tested.
Some property professionals may, however, have to review their processes quite extensively to ensure that they are fully compliant with GDPR. The nature of the property market is such that those involved with it often routinely handle highly sensitive data (such as bank statements and personal identification documentation) and as such are targets for data thieves.
The penalties for falling foul of cyber theft are about to get a whole lot higher under GDPR; therefore, it is absolutely vital that companies use the time left between now and the end of May to make sure that their processes and systems for handling such data are as robust as they can possibly be.