As of May 25th 2018, the EU began enforcing the GDPR (General Data Protection Regulation). The GDPR will strengthen the security and protection of the personal data of EU residents. If you’re in the property sector, here’s what you need to know.
So why should I care about GDPR?
Running a business in the property sector, be it as an estate agent, surveyor or developer entails dealing with a lot of personal data. To successfully run your business in the current market you simply need to collect, use and store personal data (names, emails, contact details, etc). It’s the nature of the business.
Businesses that fail to comply can face fines up to €20 Million or 4% of annual revenue, whichever is higher.
GDPR is aimed at allowing citizens their right to digital privacy. There is a major push towards strengthening transparency, consent, and security. If you haven’t already done so, you must review the way you handle and store the personal data of your customers and leads, and potentially make some big changes to the way they go about your business.
If your company fails to properly handle how personal data is collected, used and stored, you could face fines up to €20 Million, or 4% of annual revenue, whichever is higher. This is serious stuff.
What do I need to do?
This is not a ‘3 steps to GDPR compliance’ blog (it’s not a 3 step process!). Take the time, to study the official GDPR document. I know it’s long and complex, so here are some of the highlights from a property perspective:
Can I send personalised letters to owners?
Everyone asks this question so I thought I’d address it explicitly. Yes you can, but you must be very clear on what grounds you are sending those letters and conduct appropriate assessments. Since it is near impossible to get consent in these situations, you must have other legal grounding for storing and processing their personal information.
Yes, you can send letters to property owners, but you must be very clear of your legal grounds to do so.
Having a legitimate business interest is a reasonable ground for letter sending but you must do an assessment of the recipients rights. You must also give them an option to opt out, and respect their rights if they complain. For example, add an email address at the end of your letter and explain that people can write to you about opting out.
How do I improve transparency?
A lot (and I mean a lot!) of GDPR is about transparency and communication. You should know and be able to show exactly how you use, store and manage personal data. If you don’t know what data you are storing and whether or not it is protected, you should undertake a data audit. You should then explain to your clients exactly how you deal with their personal data and what steps you have taken to improve your processes.
You should also make sure that all third party applications, CRM systems and software you use are GDPR compliant. Contact them in order to find out whether they have taken the necessary steps, if they haven’t you should consider dropping them. If you are a LandInsight user you can be confident of our GDPR compliance, we have taken extensive measures to go beyond the GDPR minimum requirements.
How do I properly acquire consent?
You must get genuine client consent before sending marketing material.You can’t have pre-checked ‘opt in to marketing’ tick boxes in your contact forms on your websites or landing pages. People need to explicitly opt in to receiving marketing material from you. Update your contact forms with an empty checkbox corresponding to a description of exactly what you intend to send them. For eg. company news, blog digests, rewards, etc. Make sure you (your CRM software) have a record of the consent you have acquired. You must review and refresh existing consents by the new standards as well.
People need to explicitly opt in to receiving marketing material from you. No more pre-checked opt-in boxes.
This might be a chance to review your communications and marketing strategy. At LandInsight we focus on producing timely, valuable content. To view our available selection of newsletters, click here.
If you are an estate agent, at the end of your application forms that demand personal information from tenants, landlords, etc you must explain why you require this data and how it will be stored and for how long. Note that GDPR does not exclusively apply to the digital domain, even physical data/ forms/ processes must comply.
GDPR does not exclusively apply to the digital domain, even physical data/ forms/ processes must comply
What do I need to do to improve security?
You must have a secure website. If your site has a form on a landing page that a potential tenant could fill out to register for alerts, or if you have live chat support your website needs to be GDPR compliant. If your website deals with the transfer of any personally identifiable data, it will need to have an SSL certificate (https). To learn more about the SSL certificate click here.
You must also have a breach response plan. If you do have a data breach wherein you lose customer information you will need to notify the authorities within 72 hours. You may also have to inform the people whose data has been compromised about the breach without undue delay.
How LandInsight handles GDPR
LandInsight is a cloud based application that helps people find and assess development opportunities. To learn about our product, click here. We recognise the importance of user data privacy and security.
We hold our systems and processes to a standard far beyond the rest of the industry.
NOTE: This article isn't exhaustive. It doesn't constitute legal advice for ensuring compliance with the GDPR and is intended purely to get people in property thinking about GDPR.
Hemant is an industry analyst and content creator at LandInsight. As LandInsight's resident wordsmith, he authors blogs, industry reports, and case studies. Prior to PropTech, Hemant worked in the asset management sector. Surprisingly, he doesn’t like Monopoly.