The General Data Protection Regulations (GDPR) will become law on May 25 this year, and will tighten up and increase the responsibilities on all businesses regarding their management and use of the data they hold.
As an estate agency business you will hold a large amount of data as “data controllers” on sellers, buyers, landlords, tenants and applicants for both sales and lettings.
Almost certainly, you will also hold a large amount of contact and other information on historic contacts – databases that you may have been “farming” for future business or keeping in contact with via electronic newsletters or similar.
Your data is probably held in a variety of guises and locations: CRM systems on networked desktops, laptops, tablets, smart phones; names, phone numbers and email addresses might also be in phone systems and mobile devices. It is possible that you use other database software for marketing purposes.
You will also have paper systems and archived filing. When one analyses and audits what you have, you will probably find it is quite extensive and widespread.
There are a number of key requirements in order to comply with GDPR:
One of these is to know what data you have and where it is held, and therefore an audit of your existing position is a key first step to complying.
GDPR places very strict requirements on businesses to give consumers the ability to access their data or to have it deleted. Obviously you can only do this if you know what you have and where it is!
You will also need a policy and process for dealing with such requests. You will also need to update existing privacy policies.
A general tenet of the GDPR is that data should only be held for the purpose that it was provided and for the length of time that is necessary to fulfil that purpose. Therefore businesses are required to comply with that approach.
It is also a requirement that consumers opt in to the provision of their data, meaning that businesses cannot rely on consumers having to opt out.
An example is the use of online tick boxes to sign up for goods and services. These now need to be blank and not “pre-filled”, to show that a consumer took a positive step to sign up rather than simply forgetting to “opt out”.
I would certainly be talking with my software providers to see what they have in place or are planning in order to help you comply. Some “joined up thinking” here will certainly help.
I would also, as a matter both of “farming” for new business and getting my data compliant, be undertaking a programme of speaking with everyone on my database and finishing the conversation by asking whether I can retain their data for specific future contact.
I would ideally get this confirmed in black and white, but would certainly be recording it in my CRM system.
Of course, there are many examples of where data needs to be held to comply with other legislation – anti-money laundering compliance, for example, and clearly on-going client and customer relations.
The “legitimate interest” provision in the Regulations will apply in many instances and enable businesses to retain and use much data legitimately but getting more express consent is undoubtedly the way forward. Businesses should be using the coming weeks to contact their databases, clean up the information and get consent to retain it for the specific purposes you wish to use it for.
The new rules raise the requirements for security of data, but you should already be meeting these. It does, however, become a requirement to report any breaches of data, with significant potential fines for non-compliance.
There are various knock-on implications such as the passing of personal data to third parties such as contractors and those who act as “data processors”.
It would certainly be prudent to talk with your suppliers and ensure their processes are robust and to build required standards into any service level agreements, staff contracts of employment, terms of business etc.
There is currently a lot of noise surrounding GDPR and a plethora of companies offering (very expensive) audits of your business to help you comply. I actually believe most businesses will be able to cope with the changes internally but those changes certainly cannot be ignored.
They are not designed to stop you doing business but leaving your plans to the last minute could result in an inability to legally use data that you currently have and leave you open to falling short of requirements.
I am running some seminar sessions to explain requirements in more detail and offer some pragmatic approaches to compliance, including March 7 at Beaufort House in Chelsea.
* Michael Day is managing director of consultancy Integra Property Services. He has over 40 years in the property industry (he says he started when he was three!). He is a Chartered Surveyor and was the inaugural chairman of the RICS Residential Faculty. He is also a Fellow of the NAEA and has held partner and director positions at A C Frost, Prudential and Connells.