Things are about to change in the world of data protection and it will affect everyone in the property industry. From landlords and letting agents through to sellers and tenants, everyone will be touched by the new regulations in one way or another.
The key questions will be obvious - "What is it?"; "What does it mean for me?"; "What do I need to do?" - but the answers will vary. That being said, we thought it would be a good idea to give you a brief overview of how the changes may affect you and give you a little information on what your next steps should be.
Let's start at the top, though, and have a quick look at what GDPR actually is first.
What is GDPR?
From 25 May 2018, the General Data Protection Regulation (2016/679/EU) (“GDPR”) will replace the Data Protection Act 1998. It has come into being after many years of toing and froing by the EU Parliament.
The reason for the update? Well, it can be difficult to remember how differently data was shared 20 years ago, but to say things have moved on would probably be the understatement of the century. Despite the Internet being in full swing back in 1998, no one could have envisioned just how freely data would be shared, nor would anyone have anticipated just how quickly the change would have happened.
Personal data is now big business and the EU wanted to introduce a way to put consumers back in control of their own information. Data has been exploited for many years now (some of the largest companies in the world have surfaced because of it) and those in power felt that legislation needed tightening before people's trust in the digital economy began to wane. Recent forecasts state that the EU data economy will be worth somewhere in the region of £592 billion by 2020, so it's little wonder measures are being put in place to protect it.
Another reason for the introduction of GDPR is to clear the muddy waters many businesses find themselves in when it comes to data protection law. At present, what applies in one country may not apply in another and, with the world becoming ever more connected, the EU decided there was a need for greater clarity in the form of an identical data protection law throughout the single market.
When will GDPR come into force?
The Regulation was adopted on 27 April 2016; however, it becomes legally enforceable from 25 May 2018.
Will Brexit affect GDPR?
Possibly is probably the best answer anyone can give at this point in time.
Although the UK is leaving the EU, Article 50 wasn't triggered until March 2017, and the two-year timeframe means that the already agreed GDPR legislation will come into effect before the UK officially leaves.
The UK Government produced a new Data Protection Bill back in August last year that pretty much mirrors GDPR, thus clearing the way for Britain to have their own version that essentially does exactly the same thing as that brought in by the EU Parliament.
There are, however, some concerns that things could change in the future, especially when it comes to how the Government themselves handle data in the name of national security.
Only time will tell if our own version of GDPR will align perfectly with that of the EU, but for the time being all British businesses will need to adhere to the rules laid out by Brussels.
How will GDPR affect those in the property industry?
The introduction of GDPR will affect every business that gathers data - be they butchers, bakers, or candlestick makers - so those involved in the property industry will need to acquaint themselves with the new rules just as much as any other UK company who may collect and hold the personal data of their customers.
Failing to adhere to the new regulations can result in some pretty hefty fines (up to 4% of global annual turnover or €20m, whichever is the higher figure), so it's vital for all businesses to ensure that they are fully compliant when things change in May 2018.
A few key points include:
- Some companies who regularly collect data may need to appoint a Data Protection Officer to deal with the internal record keeping of their business.
- Customers will have greater control and can request confirmation over how their data is being processed and the reasons why.
- Equally, customers will have the right to request that all of their data is removed from your system and that future distribution ceases immediately.
- Both existing and new customers will need to give their consent to you in order for you to hold and use their data.
- Any data loss needs to be reported within 72 hours to a data protection authority.
- Marketing agencies used to promote your business will need to be fully compliant and an official written contract put in place.
- Personal data stretches to online identifiers such as those captured by websites, including cookies, IP addresses, and any other tags given to customers.
What steps do I need to take to be GDPR compliant?
The steps your business needs to take in order to be GDPR compliant will largely depend upon what data protection methods you have already employed. Some businesses will already be fully compliant, whereas others may be woefully lacking; it's all about weighing up where your company stands and taking the necessary action.
With this in mind, it's a good idea to go through a checklist to see just where your property business may need attention:
- Ensure that everyone who needs to know about the changes within your business is aware of GDPR and its implications.
- Run a complete audit of all the personal data your company holds, including where you obtained it and how it is shared.
- Review and refresh existing consents and put measures in place that will ensure GDPR compliance when collecting new data.
- Go over your current privacy notices and update them wherever necessary in order to achieve GDPR compliance.
- Review procedures and update them so your business is in line with the rights of your customers.
- Put plans in place that clearly state how you will respond to access requests from clients.
- Clearly outline why you are lawfully collecting data in your privacy notices.
- Outline exactly how you will detect and deal with any data breaches.
- Assign a member of staff to oversee your company's data protection compliance moving forward.
What does GDPR mean for tenants, buyers, sellers, etc?
Whether you're a letting agent, estate agent, or landlord, you'll obviously have customers to deal with and that means you'll be holding their personal data in one form or another, but what does GDPR mean for them?
The new regulations are all about giving customers back the right to control their data, which includes:
- The right to access - individuals can request access to their data and find out how it is being used.
- The right to be forgotten - individuals can request that all of their data be deleted.
- The right to data portability - individuals have the right to transfer their data easily between providers.
- The right to be informed - individuals have the right to know how their data is gathered and their consent must be freely given, not implied.
- The right to have information corrected - individuals have the right to update their data should it be deemed incorrect or out of date.
- The right to restrict processing - individuals can ask organisations to hold their data, but not use said data for processing.
- The right to object - individuals can request companies to stop using their personal data for direct marketing.
- The right to be notified - individuals have the right to be notified of any data breach a company may incur within 72 hours.
GDPR: Final thoughts
In short, GDPR is designed to put individuals back in charge of their personal data, which is clearly a good thing.
Level playing fields for businesses in terms of legal transparency will also be welcomed across the board, but it remains to be seen just how vigorously the new legislation will be enforced and what the implications are for smaller businesses especially.
The key takeaway, however, is that showing compliance not only prevents the data police from busting down your door, it also shows your clients that you are a professional outfit with their best interests at heart.
Here at Petty Son and Prestwich, we are extremely proactive in such matters and would be only too happy to answer any questions our customers may have regarding their personal data, so feel free to get in touch.
As for GDPR and how it affects the wider property industry, we will certainly be keeping an eye on things moving forward, that's for sure.