Coming into force on May 25, the General Data Protection Regulation (GDPR) - which replaces the Data Protection Act 1998 - is something which all businesses are expected to comply with.
For a while now, many estate and letting agents will have been working hard to prepare for the new rules.
To help you on your way, in association with The ValPal Network, we've assembled a panel of experts who will be answering a GDPR-related question each week.
If you have a question you'd like to ask our experts in a future edition of GDPR Weekly, please get in touch on firstname.lastname@example.org.
On with the first poser...
What should agents do first to help prepare for GDPR? Should you undertake an audit of your data?
Paul Offley, compliance officer for The Guild of Property Professionals and Fine and Country:
The objective of GDPR is to give the consumer the ‘control’ in relation to personal data they provide to an organisation; to understand what that organisation will do with the data and to provide consent in relation to ongoing communication.
This appears to be very complex and confusing – but it really is not as horrific as it sounds and your world is not going to end on May 25 – but you absolutely need to be prepared.
One of the first things you should do is understand what ‘personal data’ you currently collect from a consumer, and what you use it for. Remember, any data taken must be relevant for the purpose for which it is being obtained.
Think of all the customer types you have. Follow the ‘journey’ of that customer and what information you may take, and why you need it.
Your audit could look something like this:
• Buyer: Contact details including name, address, mobile and email address and buying position. Used to process customer’s request for property information including viewings and subsequent transactions. Name and buying position provided to any seller should the applicant wish to view a property.
• Buyer: Financial information. Used for information only when processing any offer made on a specific property. Specific information not shared with anyone without prior consent.
Sharon Tan, partner at Mishcon de Reya LLP:
It's strongly recommended that anyone who holds and processes personal data should do an audit of that data before GDPR comes into force. This is because it is only once you know your data that you are able to identify any gaps in compliance and the action you may need to take to get ready for GDPR.
An audit doesn’t have to be complicated, but you should conduct a thorough review of your systems and ascertain what personal data the business holds, where it is held, how it gets there and the reasons for holding it.
You need to map each type of personal data, which is likely to include data about buyers, sellers, landlords and tenants, as well as various intermediaries and, of course, staff.
If you find as part of your audit that some data is unnecessary or that it has been kept for too long then that data should be deleted.
Armed with your audit you will be in a much better position to implement the processes that are required to ensure GDPR compliance and reduce risk.
Bernard George, solicitor for Socrates Training Ltd:
First, don’t panic. If you are complying with the existing law, then preparing for the GDPR should not be a massive task. The big four steps are these:
1. Check your data security
Security breaches are the biggest risk. Do your IT systems have robust password protection? Do you remind staff about data security? Do you control people taking information and documents out of the office?
2. Review the information you hold
Your most sensitive data will probably be clients’ financial information and contact details, plus your firm’s own HR and business records. Check it is secure. Also check you have a legitimate justification for holding information about anyone. For example, you should delete information about unsuccessful job applicants a reasonable time after that process ended.
3. Update your approach to marketing
In future you will only be able to email out marketing material to people who have opted in to receive it. The old ‘opt-out’ approach will no longer work. So, you should already be asking new clients and contacts to sign an ‘opt-in’.
4. Train your staff
Everyone in your firm has to comply with their data protection obligations. You are liable if they do not. So good staff training is vital.
Annabel Kaye, managing director of KoffeeKlatch:
If you start thinking about data the way you would about money you can understand how it is you don’t just leave it lying around.
You need to know what personal information you are collecting, where you are keeping it, who has access to it, how secure it is, how you got it, and whether you can keep it without getting a new consent. There is no real way to do this without some form of audit.
Audit is a word we think of for accounts, but you can check what you have and how you got it and use it – whatever word you use for it.
You can get someone else to do it for you, get a team member to do it (if they are properly briefed) or do it yourself – depending on how big your agency is and what else you have going on.
A simple way to get started could be to use our free GDPR planner.
Damon Bullimore, chief information officer at BriefYourMarket.com:
It’s imperative that agents audit their existing databases before the GDPR is implemented. We suggest businesses look objectively at their existing customer data, and address such fundamental questions as:
• How was the data originally collected?
• What is the original source of the data?
• Was marketing consent obtained in an explicit and unambiguous format?
• Was consent date and time-stamped?
If your business cannot verify that your data was obtained using GDPR-compliant procedures, you will need to gain re-consent to send marketing communications to your existing database post-GDPR implementation.
Due to the fact that implied consent has been used by businesses for many years, it is highly likely that most existing databases will not comply with the GDPR.
So the sooner a business begins this vital process of gaining re-consent – and registering new clients in a GDPR-compliant manner – the more value can be extracted in the future.
Agents need to be attentive to the fact that they must also put processes in place that enable them to effectively service all GDPR-related customer requirements.
Auditing existing data should be done with a clear understanding of the comprehensive rights that customers are empowered with in relation to the GDPR. Once an existing database has been audited, businesses should ensure they have GDPR-compliant software in place.
Find out what the GDPR means for businesses, how it will affect your agency, and what you need to do to be compliant.
Angels Media Ltd encourages you to seek additional guidance, including professional legal advice, to ensure that all of your business operations are ready for the GDPR.
Angels Media Ltd Legal Disclaimer:
The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.
We would like to stress that there is no substitute for making your own detailed investigations or seeking your own legal advice if you are unsure about the implications of the GDPR for your business.
While we have made every effort to ensure that the information covered here is correct and up to date, Angels Media Ltd makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied.
Angels Media Ltd will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.