GDPR: Two months and counting
“GDPR: I think it’s something to do with customer data and how many times we email people. Someone in our company will be on top of it.”
Sound familiar? If so, you wouldn’t be alone. GDPR is only two months away yet many property sector business owners still have no idea what GDPR really is, how it will affect them and what the implications might be.
The scope and implications of GDPR are enormous, so here is a concise overview and some tips for getting your property business ready.
What actually is GDPR?
Put simply, the General Data Protection Regulation (GDPR) is a piece of legislation intended to protect the data of citizens within the European Union and provide them with a greater level of control over their personal data.
Broadly speaking, this means that your customers will have the right to access the data you hold about them. They can request you change or delete this information.
GDPR also covers how you have gained consent for acquiring people’s data and how it can be used.
As of 25 May 2018, heavy fines could be levied against any business which does not meet the guidelines set forth by GDPR.
What do you mean by ‘data’?
Names, photos, email addresses, IP addresses, bank details, dates of birth, mobile phone numbers and social media posts are just some of the forms of data which fall under GDPR.
So, what does this mean for property developers?
GDPR doesn’t just cover data controllers, but data processors too, which may have specific implications for property companies.
For example, if you have wi-fi in your buildings and collect IP addresses, this will be covered by GDPR. Likewise, property managers may have records of every person living or working in a building or a record of entry and exit, all of which is ‘data’.
Many developers selling properties build large databases to which they market their schemes. You will need to be clear on how this data has been acquired. ‘Data nudging’, such as pre-ticked consent boxes and double negative opt-outs, will be a thing of the past post GDPR.
Rent payment systems, smart meters and property CCTV are other examples of data collection systems that will need attention. The list goes on.
How will customers challenge us?
From 25 May 2018, individuals will have the right to submit a Subject Access Request (SAR) to any organisation to find out what information they hold about them.
Your company or organisation will have one month to respond to an SAR with details of the information and, crucially, why you hold it.
Ten Top Tips:
- Don’t cover things up – you will need to inform the Information Commissioner’s Office (ICO) within 72 hours if you breach the new regulations
- Get ready to handle SARs – it is going to be a lot easier for people to think their privacy has been invaded and an increase in SARs looks inevitable
- Be clear on the reasons you hold customers’ data – for example, a customer may have given you permission to contact them about forthcoming property releases. Using the data to then push finance products, e.g. mortgage offers, may not be allowed
- Expect to be fined if non-compliant – fines for serious breaches can be as high as 20m euros or 4% of global turnover, whichever is greater, or up to 10m euros or 20% of global turnover for less serious breaches
- Review your data policies and privacy notices wherever you gather data
- Share the details of your GDPR compliance with your staff, training them on the policies and procedures you put in place
- Consider appointing a data protection officer
- Make an inventory of all the data you hold, how it was obtained, where it is held and the reasons you hold it. If you can’t see a reason for holding data, securely remove it
- Ensure any forms you use explain to customers why you need the information and how it will be used
- Don’t put your head in the sand and hope it won’t affect you – help is at hand and it will definitely pay to be prepared
Putting to one side the stringent financial penalties for non-compliance, businesses should look on GDPR as a timely opportunity to review their internal practices when it comes to data protection and, if necessary, promote a cultural change in order to ensure the transition is as smooth as possible.
Your clients and contacts care about their privacy and the dissemination of their information and it is incumbent on you to ensure this privacy is respected.
If you need to talk about how to make your contracts GDPR compliant or the impact of GDPR on your organisation in general, please call me to arrange a meeting on 0161 672 1417.