Coming into force on May 25, the General Data Protection Regulation (GDPR) - which replaces the Data Protection Act 1998 - is something which all businesses are expected to comply with.
For a while now, many estate and letting agents will have been working hard to prepare for the new rules.
To help you on your way, in association with The ValPal Network, we've assembled a panel of experts who will be answering a GDPR-related question each week.
Should you be employing someone to make sure you are compliant with GDPR?
Annabel Kaye, managing director of KoffeeKlatch:
If you are carrying out large scale systematic monitoring of individuals (e.g. online behaviour tracking) you will need to appoint a Data Processing Officer.
Your data audit should let you know whether you are tracking online behaviour (cookies, etc.) and what scale you are doing this on. Most online agencies would be doing this.
No-one has given a number of transactions that constitute ‘large scale’ but the guidance notes from the European working party clearly do not envisage family businesses with a local client base as being covered by this requirement.
If you run a national or regional chain, you may well be covered.
Should you get some help?
Regardless of the threshold, you will need someone who has sufficient authority and knowledge to look at how you handle data and ensure compliance. You could give this job to a suitably senior and knowledgeable employee – or outsource it.
Some support services cost thousands of pounds. A lot will depend on the scale of your business and your ability to pay.
In the end you have to balance the time and effort of doing the work internally against the costs of external support. Smaller agencies may have to ‘go it alone’ or work with budget level support.
Sharon Tan, partner at Mishcon de Reya LLP:
Most agents will not be required to appoint a Data Protection Officer. However, you should ensure that your business has sufficient staff and skills to discharge its GDPR obligations.
While employing someone specifically to deal with GDPR may not be necessary in most cases, it is nevertheless a good idea to allocate the role of data protection lead to a member of staff, ensuring that they are given sufficient time and resources to take on responsibility for GDPR.
How much time they will require to spend on their data protection responsibilities will depend on the amount of personal data the business holds and the efficiency of its systems. You will also need to make sure that the appointee is given adequate training to undertake the role.
The individual should be relatively senior and/or report to a senior member of the team.
As a business, the buck still stops with you, but having clearly allocated and defined responsibilities for GDPR will help not only with complying with GDPR but with demonstrating compliance too.
Paul Offley, compliance officer for The Guild of Property Professionals and Fine and Country:
This is really difficult question to answer because it depends on the size of your organisation and the size of your database.
For example, a firm with 70,000 people on its database is going to have more work on its hands than a firm with 1,000 and what resources you have available.
The Information Commissioner’s Office (ICO) has produced some excellent information to help firms prepare for GDPR.
Follow the ICO’s 12-point plan; have a plan for your business; allocate tasks; review on a weekly basis to ensure everything on track.
As far as I see it, the biggest challenge is obtaining consent and this is the one that is going to take take the most time.
My first port of call would be your system provider. As part of GDPR, are they able to support their users in obtaining consent?
However, if you have exhausted all other options you may be left with obtaining consent yourselves. If you have a large database then that is going to take some planning and organisation, but the sooner you start, the better.
Damon Bullimore, chief information officer at BriefYourMarket.com:
It is advised that agents undertake a detailed review as to whether they will need to appoint a dedicated Data Protection Officer (DPO) within their organisation.
There are some instances when a dedicated DPO will need to be appointed. These include when the business is a public authority, when the organisation in question carries out systematic monitoring of individuals, or when they are storing or processing large amounts of personal information on a regular basis.
The ICO does not explicitly state that there is a requirement to appoint a dedicated DPO. However, some reports have stated that a business must appoint a DPO if their organisation has over 250 employees.
Agents can appoint a current member of their organisation to carry out and enforce key GDPR and data protection laws.
Therefore, it is recommended that you upskill someone within your organisation to carry out these obligations, as this will help to ensure that you are carrying out due diligence in relation to data protection laws at all times.
Find out what the GDPR means for businesses, how it will affect your agency, and what you need to do to be compliant.
*If you would like to receive further guidance from any of our GDPR experts, please click here.
Angels Media Ltd encourages you to seek additional guidance, including professional legal advice, to ensure that all of your business operations are ready for the GDPR.
Angels Media Ltd Legal Disclaimer:
The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.
We would like to stress that there is no substitute for making your own detailed investigations or seeking your own legal advice if you are unsure about the implications of the GDPR on your businesses.
While we have made every effort to ensure that the information covered here is correct and up to date, we Angels Media Ltd makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied.
Angels Media Ltd will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.