Coming into force on May 25, the General Data Protection Regulation (GDPR) - which replaces the Data Protection Act 1998 - is something which all businesses are expected to comply with.
With just ten days until the new system is formally introduced, agents will have been working hard to prepare for the GDPR.
To help you on your way, in association with The ValPal Network, we've assembled a panel of experts who answer a key GDPR-related question each week.
If you have a question you'd like to ask our experts, please get in touch on firstname.lastname@example.org.
When taking customers' contact details over the phone and subsequently adding them to a database, do agents need to mention GDPR and gain consent?
Damon Bullimore, chief information officer at BriefYourMarket.com:
Obtaining registration details over the phone will require agents to discuss consent if they are using it as a lawful basis for processing data.
Also, if any third-party organisations will rely on the consent, they will have to make the contact aware of this.
In line with the Information Commissioner’s Office guidance, agents should offer consent options in a granular format, and inform the contact that they can opt-out from receiving communications from their business at any time.
Agents might consider using a script when obtaining consent, as this would ensure that consent is captured correctly at the point of registration by all staff members. Further to this, due to the nature of recording verbal consent, agents might also consider using an email service provider to send a follow-up communication that confirms registration, as this would enable them to reinforce what was discussed at the time and demonstrate transparency.
To find out more about our GDPR-compliant marketing platform for property professionals, book your free consultation here.
Annemarie Proudfoot, head of customer relations at BestAgent:
Customers need to be informed of their rights under the GDPR, so while agents don’t need to necessarily mention it by name, in explaining their rights this will likely come about.
If the agent wants to be able to pass along the customer’s information, they must gain consent to do so. If the customer is providing the agent their details for marketing purposes or property search purposes, the agent should notate this purpose.
All future communications (especially for marketing) must have the ability to opt-out and/or change subscription settings.
Jon Baines, data protection advisor at Mishcon de Reya LLP:
One of the fundamental principles of data protection law (of which GDPR is the latest evolution) is transparency – letting people know who you are, and what you're going to be doing with the data you collect about them.
So, when agents take customers' details over the phone, for whatever reason, they should be fully open about why they are doing so and for what purposes.
There is nothing in the law that says they must expressly mention GDPR, but it would make total sense to do so – as long as they can do so in a way that doesn't bamboozle the caller with technical details.
It might be an idea to have a short script and to document afterwards that the wording was given to the customer. None of this needs to be too lengthy or onerous, though.
As to whether consent is needed, that will depend upon the purposes for which the data is gathered.
In general, consent will not be needed if someone is simply enquiring regarding a property and the agent is recording their details specifically regarding that enquiry. However, if the intention is subsequently to send the person direct marketing by electronic means (broadly, email or SMS), then consent will normally be needed.
The GDPR team at Mishcon de Reya comprises data protection experts as well as non-lawyer cyber security specialists. If you would like any advice on how to manage GDPR within your organisation, please contact Jon Baines.
Bernard George, solicitor for Socrates Training Ltd:
In the vast majority of cases it is not necessary to mention the GDPR as it’s obvious what you’ll be doing. After all, people only give you their information so you can use it.
The question is, are you planning to do anything with the information people might not expect or be happy about? For example, if you want to engage in electronic marketing or to share the information with unexpected third parties, you would need to mention it.
You need to give clients a chance to opt out of electronic marketing. For non-clients, you need a positive opt in.
It helps if you have a ‘privacy notice’ on your website, and in your terms of business, which explains how you handle data.
That is normally just an exercise in spelling out the blindingly obvious, but it can demonstrate that you were open about what you would do.
*If you would like to receive further guidance from any of our GDPR experts, please click here.
Angels Media Ltd encourages you to seek additional guidance, including professional legal advice, to ensure that all of your business operations are ready for the GDPR.
Angels Media Ltd Legal Disclaimer:
The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.
We would like to stress that there is no substitute for making your own detailed investigations or seeking your own legal advice if you are unsure about the implications of the GDPR on your businesses.
While we have made every effort to ensure that the information covered here is correct and up to date, we Angels Media Ltd makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied.
Angels Media Ltd will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.