Coming into force on May 25, the General Data Protection Regulation (GDPR) - which replaces the Data Protection Act 1998 - is something which all businesses are expected to comply with.
For a while, many estate and letting agents will have been working hard to prepare for the new rules.
To help you on your way, in association with The ValPal Network, we've assembled a panel of experts who will be answering a GDPR-related question each week.
If you have a question you'd like to ask our experts in a future edition of GDPR Weekly, please get in touch on email@example.com.
How can agents show evidence and documentation of a consumer's consent to direct marketing?
Bernard George, solicitor for Socrates Training Ltd:
First, do not assume you always need opt-in consent. If you have an existing client relationship, then you may still be able to rely on the fact that you told them you would normally send them emails etc. and they did not opt-out. You do not generally need consent to send someone direct mail.
Otherwise you will need consent to send electronic marketing (emails, texts etc). So, you should now have amended your standard documents to get that consent from new clients and contacts.
Some firms are currently emailing their old contact lists to ask them to opt-in to future marketing. You need to complete this process before May 25.
Annemarie Proudfoot, head of customer relations at BestAgent:
This depends on how you obtain it. The most common way is when a visitor on your website submits their contact information for marketing purposes. For example, agents can include a tick box that the individual must check in order to submit their information, which consents to be contacted for marketing purposes. Always record that in your system and always provide an opt-out/unsubscribe option in your mailouts.
Another way is to get your applicant/vendor/landlord/tenant to confirm that your agency has permission to retain their details for anything other than contractual obligation in a written form (ideally email) that you can save within your system.
Annabel Kaye, managing director of KoffeeKlatch:
We don’t have final guidance on consent at the moment. But some principles are clear. It is the Data Controller’s job to demonstrate consent when relying on consent.
There is no prescribed method of doing so. You should keep the evidence of consent as long as you are processing data that relies on that consent. When you stop you should remove the information and the evidence of consent in line with your data retention policy.
You need to keep a record of how consent was obtained, when it was obtained, and the information that the ‘data subject’ was given when they consented to the specific processing including how to exercise their rights.
There is no specific time limit for how long consent will last. It should be refreshed at appropriate intervals (and records of the new consent kept).
This means an audit trail that can be tied back to an individual so you can show when and how they consented. This will be specific and granular.
If relying on documents, a dated document needs to be kept; if relying on online records, a timestamp showing when they consented (and how); or if relying on oral consent (a conversation), a note of the time and date and consent, made at the time of the conversation. These should be kept with all the information on what the individual was told.
If consent is withdrawn at a later date you will need to keep a record of that.
Damon Bullimore, chief information officer at BriefYourMarket.com:
Before agents even begin to think about showing evidence for consent, they need to have a comprehensive understanding of lawful basis for processing, data principles, and customer rights.
The GDPR should not be approached in terms of separate entities. Yes, there are individual projects to fulfil in terms of achieving suitable compliancy, but all of the projects are intrinsically linked and have a direct influence on each other. I think this is one of the key things that many businesses approaching GDPR often forget. It needs to be viewed as a jigsaw; one that you cannot successfully complete if you have a piece missing.
If an agent decides that they would like to use consent as their lawful basis for processing, there are a number of ways that they can choose to approach their audit trail. However, their decision needs to be informed by the options that are available to them in terms of how they approach gaining consent.
For example, are they going to offer specific marketing preferences to their customers, or are they going to offer a simple ‘soft opt-in’ function that enables the customer to respond with a ‘yes’ or ‘no’ answer in terms of continuing to receive marketing communications? Has the agent evaluated where the process of gaining consent begins?
In terms of documenting evidence, agents need to evaluate how best to implement an effective and manageable audit trail. We offer our customers a dedicated preference engine that the agents’ clients can log into at any time and update their preferences. We then date and time-stamp any updates made by the client. Our audit trail is also client-facing, so they can see when they opted-in to receive specific marketing information. This approach provides security for both parties, as transparency is reflected between the business and their customers.
Ultimately, it is for the individual business to decide how they best approach showing evidence for consent, but it will be extremely difficult to service the rights of their consumers, in terms of restricting the processing of data, if they do not have suitable audit functionality in place.
Sharon Tan, partner at Mishcon de Reya LLP:
The general rule is that agents must have the recipient's specific consent before sending them any electronic direct marketing (email/SMS). Agents must not, in any circumstances, send marketing texts or emails to anyone who has specifically said they do not want to receive them.
If someone complains that they did not consent to receive your marketing messages, the ICO could take enforcement action, or the individual could even bring a court case. So it's important to keep an audit trail, demonstrating that you did obtain a valid consent.
Even though the rules around sending electronic direct marketing are contained in a separate piece of law (the Privacy and Electronic Communications Regulations) it is recommended that, in the run up to GDPR, people review their existing records of consents. If they are not GDPR-compliant, you should consider taking steps to refresh them and keep proper records of what you have done.
The GDPR team at Mishcon de Reya comprises data protection experts as well as non-lawyer cyber security specialists. If you would like any advice on how to manage GDPR within your organisation, please contact Sharon Tan.
Angels Media Ltd encourages you to seek additional guidance, including professional legal advice, to ensure that all of your business operations are ready for the GDPR.
Angels Media Ltd Legal Disclaimer:
The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.
We would like to stress that there is no substitute for making your own detailed investigations or seeking your own legal advice if you are unsure about the implications of the GDPR on your businesses.
While we have made every effort to ensure that the information covered here is correct and up to date, Angels Media Ltd makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied.
Angels Media Ltd will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.