Estate and letting agents are being urged to prepare for new data protection legislation that comes into effect next year, but which is so far thought to be largely unheard of within the industry.
The General Data Protection Regulation, or GDPR, replaces the Data Protection Act 1998 and applies from May 2018 to any organisation handling personal data.
The goal of the GDPR is to protect individuals and organisations against data breaches by ensuring there are no weak spots in data management that could be exploited by hackers or abused from inside the organisation. The law will apply across the EU and, because it comes into effect in only 10 months, it will be unaffected by Brexit.
Now Kristina Russell of Kefron, a document and information management specialist, has told Estate Agent Today that agents across the industry should act urgently because of the significant volume of personal data held by companies and trade groups.
“This data is used in a number of ways which all need protecting - one example is CRM. As an industry that relies on CRM data for sales and marketing you need to be aware that GDPR means that you have to inform and seek permission from the ‘data subjects’,” she says.
That means existing or prospective customers will have to give consent for the information to be held and used. “This then requires full training for those who process information in the CRM system to ensure the company is fully compliant,” says Russell.
“If you use agencies to assist with marketing and you pass on personal data to the agency you need to be aware that data processors will now be regulated under the GDPR. This agency will therefore be required to have an official written contract to ensure they are fully GDPR compliant or you face being in breach,” she warns.
Back in February last year Estate Agent Today reported a warning given to the estate agency industry by the official data protection watchdog, the Information Commissioner’s Office, following a series of visits to estate and letting agents' offices.
The ICO’s observations at the time suggested that it was often the case that estate and letting agency staff had little formal training in data protection; that vendors, landlords and tenants were not always being told how their personal information would be used; that customer data was typically being kept for longer than necessary; that there was a lack of awareness about the importance of using technical security controls like encryption; and that paper records containing personal data were often not kept securely.
Russell says the new legislation coming in next May redefines so-called Personally Identifiable Information to reach far beyond email addresses and telephone numbers, taking in online identifiers such as IP addresses, cookies and tags, “meaning companies need to ensure that data is being protected across many levels,” she cautions.
“The GDPR now also allows customers the ‘right to be forgotten’. This means that in the case of letting agents, once a contract ends the information should be purged unless needed for further processing. This information needs to be securely disposed of to avoid any data misuse.”
In the event that a company is found to have processed data unlawfully, individuals whose details were involved will be able to seek monetary compensation under the GDPR.
Companies that are not GDPR-compliant by May will face fines of up to four per cent of global annual turnover; if a breach takes place and the estate or letting agency does not inform the ICO within 72 hours of becoming aware of it, it faces a fine of up to two per cent of global annual turnover.
To put this into context, Russell says that currently the ICO can only fine companies a maximum of £500,000; this will change drastically under the GDPR. The ICO’s total fines in 2016 came to £880,500, and under the GDPR the same cases would have attracted £69 million, according to risk mitigation firm NCC Group.
Russell adds that agencies seeking to prepare for the new legislation should undertake a number of tasks including:
- Creating a personal data inventory;
- Implementing appropriate privacy notices;
- Obtaining appropriate consents;
- Using appropriate organisational and technical measures to ensure compliance with the data protection principles;
- Using Privacy Impact Assessments;
- Creating a breach reporting mechanism that can report any breaches to the ICO within 72 hours;
- More generally, ensuring the agency is fully compliant by the start date of May 25 2018.