Coming into force on May 25, the General Data Protection Regulation (GDPR) - which replaces the Data Protection Act 1998 - is something which all businesses are expected to comply with.
For a while, many estate and letting agents will have been working hard to prepare for the new rules.
To help you on your way, in association with The ValPal Network, we've assembled a panel of experts who will be answering a GDPR-related question each week.
If you have a question you'd like to ask our experts in a future edition of GDPR Weekly, please get in touch on firstname.lastname@example.org.
What is the right to erasure and the right to be informed? How will these measures affect agents?
Damon Bullimore, chief information officer at BriefYourMarket.com:
There are a number of fundamental customer rights that must be understood and enforced by all members of your business. Under GDPR, customers are given comprehensive rights that they can enforce in relation to the collection, use or storage of their personal data.
When these rights are exercised by the individual, they will have an impact on how you can collect, use or store their personal data, and you will need to put effective procedures in place to ensure that your business can adhere to these rights.
In specific relation to ‘the right to erasure’ (also know as ‘the right to be forgotten’), customers have the right to have their personal data erased if it is no longer needed for the original purpose of processing, or if the customer requests the deletion of their personal data.
However, there are some extenuating circumstances when your business can challenge and veto their request. For example, if you are required to hold onto their data for contractual necessity, or to comply with certain legal obligations.
‘The right to be informed’ encompasses your commitment to provide free, accessible, and unambiguous information that informs the customer what you are going to do with their data.
• What type of information your business collects.
• Who is collecting it.
• How it is collected.
• How your business intends to use the information.
• How long your business intends to keep the information.
• What the lawful basis is for processing information.
• All the third parties your business works with.
• If you intend to share the data with a third party and why you intend to do so.
Find out what the GDPR means for businesses, how it will affect your agency, and what you need to do to be compliant. Book your free place on one of our roadshows.
Sharon Tan, partner at Mishcon de Reya LLP:
With a renewed emphasis on transparency in the GDPR, the right to be informed encompasses the obligation for data controllers to provide ‘fair processing information’, typically through a privacy notice, to those whose personal data it holds. Organisations will need to provide specific information including the type of data it holds about the individual, the purposes for which it is used, the lawful basis for the processing and the individual's various rights under the GDPR.
The information must be provided in a 'concise, transparent, intelligible and easily accessible way'. The easiest way to do this is through a privacy notice provided at the time the data is collected.
Agents who have conducted their data audit will know the type of data and the reasons for holding it – this will provide the starting point for the privacy notice.
The right to erasure will be extended under the GDPR and means that an individual can ask to have their personal data erased in circumstances including where the data is no longer necessary, the individual withdraws consents (where consent has been relied on to process the data) or the individual objects to processing (and there is no overriding legitimate interest to process the data).
Again, agents who know their data and the reasons for processing it should not find it too challenging to respond to a request for erasure.
Annabel Kaye, managing director of KoffeeKlatch:
The ‘right to erasure’ is what is often called ‘the right to be forgotten’. A person can request their data is removed from your system. But it’s not an absolute right for the person to require their information to be deleted.
If you are holding information on the basis of consent, as soon as they withdraw their consent any further processing (except deletion as requested by them) is unlawful.
If you are holding information for some other reason (perhaps to support a contract between you and the person), then as long as it’s for the original purpose, you can legitimately keep the data. Individuals do not have the right to require you to forget that they owe you money!
The ‘right to be informed’ is the requirement to tell people what information you are collecting about them and what you are doing with it. This is a fundamental part of ‘fair processing’.
Have a clear, simple, transparent privacy notice that is easily accessible. You’re not entitled to keep secrets about how you intend to use other people’s personal data…it’s their personal data. Make sure you do not purchase ‘off the shelf’ unless it matches what you do and why.
*If you would like to receive further guidance from any of our GDPR experts, please click here.
Angels Media Ltd encourages you to seek additional guidance, including professional legal advice, to ensure that all of your business operations are ready for the GDPR.
Angels Media Ltd Legal Disclaimer:
The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.
We would like to stress that there is no substitute for making your own detailed investigations or seeking your own legal advice if you are unsure about the implications of the GDPR on your businesses.
While we have made every effort to ensure that the information covered here is correct and up to date, we Angels Media Ltd makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied.
Angels Media Ltd will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.