The General Data Protection Regulation legislation coming into effect in the UK on May 25 has undergone some subtle changes which will affect the property sector, according to one of the industry’s leading law firms.
Adam Rose, a partner in the Mishcon de Reya law firm, has outlined the changes in a newsletter to clients, which may prove useful to Estate Agent Today readers.
Firstly, Rose says the definition of ‘personal data’ has been clarified by the authorities to suggest that it not only covers names, addresses and telephone numbers, but also IP addresses and other online identifiers.
“So if you provide free Wi-Fi in your building, and collect the IP addresses of all users, this will be caught by the GDPR,” he says.
Secondly, it was previously thought that GDPR particularly applied to ‘data controllers’ but it is now clear that ‘data processors’ are affected too - in other words, those individuals who process the data.
Rose writes: “So if a property manager is given the contact details of every person working or living in a building, or has the record of every person's entry and exit in the building, they will be caught by the GDPR.”
Thirdly, Mishcon draws upon additional information revealed by the UK’s data regulator, the Information Commissioner’s Office, concerning consent for the use of personal data.
Rose writes that it is a common misconception that businesses always need consent to process personal data. “In fact”, he says, “they can rely on one of probably three other lawful bases for processing personal data. Most importantly, they might have a legitimate interest in processing the data, which is not outweighed by the individual's data rights.”
He goes on to say that, for example, “an estate agent instructed to sell a property can process data relating to people looking to buy properties without expressly obtaining their consent. Indeed, to force them to consent to processing before agreeing to share property particulars with them might mean the consent was not freely given.”
He continues: “Consent, however, is required for direct email and SMS marketing – unless a limited exemption applies. That limited exemption is where a business has collected personal contact details in the course of a sale of goods or services, it may send electronic marketing to that person for its same or similar goods or services. That is known as the ‘soft opt-in’.”
Rose also says an additional myth surrounding the penalties related to GDPR needs to be ‘busted’. This concerns the level of fines, which have been described as being as high as €20m.
“That is theoretically true but the ICO has tried – perhaps somewhat unsuccessfully given the myth continues – to dampen down that fear,” says Rose, adding that following liaison with the Information Commissioner he would expect fines to reach £1m or £2m “for really serious breaches, but not to go beyond that for some time”.