The General Data Protection Regulation (GDPR) is due to come into law in the UK on 25th May 2018.
Here we take a quick look at how the property industry in particular will be affected and I give my top five tips on how to comply with GDPR for those operating in the sector.
As a property professional you will almost certainly be dealing with personal data, such as that relating to rents, payments, energy usage, security, property occupancy and contracts, in addition to personal data held on marketing databases and that relating to your staff members. As such, Estate Agents, Lettings Agents, Property Management companies, Surveyors and the like must be aware that they are operating in a ‘high risk’ sector. However, despite the inherent GDPR risks facing property professionals, research has shown that the industry lags behind other sectors when it comes to understanding and preparing for the GDPR. Indeed, 98% of property professionals operate a website and therefore must be aware that they will need to implement additional data protection safeguards, including new privacy notices, cookie policies and data breach protocols.
Top five tips on how Property Professionals should be preparing for the GDPR
- First things first – before you can safeguard yourself against the huge fines that will accompany the introduction of the GDPR, you need to understand what data you hold, where you hold it, why you hold it, how you hold it and who has access to it. This is done by way of a ‘data audit’.
- Physical security just as important as cyber security – in this day and age much of the focus is on cyber, not physical, security, none more so than when discussing the GDPR. Although I would recommend that cyber security systems be reviewed and any weaknesses identified and remedied, property professionals must remember that personal data is not just electronic. As such, you should ensure that offices are physically secure and that any paperwork is locked away. Do not leave customer lists or other personal data out overnight – such behaviour can just as easily equate to a data breach as that involving computer systems.
- CRM systems and consent – the property industry relies upon CRM data for sales and marketing purposes and therefore you will need to be aware that the GDPR requires you to inform and seek permission from current or prospective customers for their data to be held on file. Staff will also need to be GDPR compliant, including in the way in which they process personal data in any CRM system.
- Remove personal identifiers – change both electronic and physical filing systems so that reference numbers are used, thereby ensuring that details of a customer’s sale/purchase/let are only identifiable via a unique number, rather than their name. Such a practice should also extend to any email or postal correspondence.
- Share the risk – moving computer systems from a physical on-site server to a cloud-based system has many benefits, not least that it shares the burden of GDPR compliance with the cloud provider itself, thereby limiting your liability in the event of a data breach. Such a move is also likely to improve your data security, with data centres always more secure than anything a property professional can achieve within a local network. Nonetheless, I would advise that property professionals, both those that currently use cloud-based systems and those that are thinking of moving to one, ensure that they obtain assurances from any provider that their cloud systems are GDPR compliant. It would also be wise to enlist the help of a provider whose data centre is based within the EU.
If you are a property professional looking for legal advice or support on GDPR or any area affecting your property business, please do not hesitate to contact Lloyd Clarke on 01206 239761 for a no-obligation consultation.