An IT firm says small and medium-sized estate agencies without the infrastructure of large corporates are putting themselves and their customers at risk by failing to implement adequate data protection strategies.
Dragon Information Systems says polling by YouGov suggests that only 35 per cent of smaller businesses generally have a basic data protection policy, and those working in estate agency are specified as being among the least likely to have cyber security measures in place.
The General Data Protection Regulation, or GDPR, which came into effect last year, replacing the 1998 Data Protection Act, was seen as particularly challenging for some agencies because of the volume of personal data on vendors, buyers, landlords and tenants that would have to be protected.
“GDPR came into force a year ago and with it came the risk of substantial financial penalties for businesses whose systems are not up to scratch. We are now starting to see the first fines being dished out and this should act as a wake-up call for any estate agencies who have yet to take action” says a spokesman for Dragon.
He says separate research - the Cyber Security Breaches Survey, released earlier this year - found that 32 per cent of businesses had identified data breaches or attacks since the introduction of GDPR.
The most common were phishing emails (80 per cent), others impersonating the organisation online (28 per cent), and viruses or other malware, including ransomware (27 per cent).
“Our advice is to treat data protection as you would any other legal requirement. For example, you are required by law to take copies of passports and other important identification for money laundering purposes. You can’t make a sale without them.
How you store and manage that data – which would be highly prized on the dark web as it is an easy route to identity fraud – is just as important an obligation” says the spokesman.
The firm has offered a series of tips for agents who believe their processes may need improvement:
Know what data you’re holding: You need to understand what personal data you hold and collect, how you are acquiring it, how you are storing it and who has access to it. You need to have a ‘legal basis’ (an acceptable reason as described under GDPR) for having the data, and you should only be keeping hold of it for as long as you need to;
Update your processes: How are you protecting the data you hold, including against cyberattacks? Things to consider here include the types of devices being used by team members (such as laptops and mobile phones), servers, back-ups and how/where they are stored, encryption, password policies, antivirus software and how you manage people leaving the company;
Think about consent: One of the biggest changes under GDPR is that individuals have more rights when it comes to their data. You must only use data for the purpose for which it has been provided and must be able to prove that explicit consent was given if questioned. So, if you receive an enquiry about a house you are selling, you cannot automatically add that person’s details to your mailing list without their consent. Automatic opt-ins or pre-ticked boxes are not permitted either;
Introduce regular training: Have data protection training form part of the induction for all new starters and ensure it is repeated and updated yearly for all team members;
Get help: If you are at all unsure about any of the issues raised here and how best to manage them, then the safest course of action is to seek the support of a reputable organisation, who can help you ensure you are fully compliant and have everything covered. You will also find lots of helpful information on the ICO website.