The General Data Protection Regulations (GDPR) will become law on May 25 this year, and will tighten up and increase the responsibilities on all businesses regarding their management and use of the data they hold.
As an estate agency business you will hold a large amount of data as “data controllers” on sellers, buyers, landlords, tenants and applicants for both sales and lettings.
Almost certainly, you will also hold a large amount of contact and other information on historic contacts – databases that you may have been “farming” for future business or keeping in contact with via electronic newsletters or similar.
Your data is probably held in a variety of guises and locations: CRM systems on networked desktops, laptops, tablets, smart phones; names, phone numbers and email addresses might also be in phone systems and mobile devices. It is possible that you use other database software for marketing purposes.
You will also have paper systems and archived filing. When you analyse and audit what you have, you will probably find it is quite extensive and widespread.
There are a number of key requirements in order to comply with GDPR:
One of these is to know what data you have and where it is held, and therefore an audit of your existing position is a key first step to complying.
GDPR places very strict requirements on businesses to give consumers the ability to access their data or to have it deleted. Obviously you can only do this if you know what you have and where it is!
You will also need a policy and process for dealing with such requests. You will also need to update existing privacy policies.
A general tenet of the GDPR is that data should only be held for the purpose for which it was provided and for the length of time that is necessary to fulfil that purpose. Therefore businesses are required to comply with that approach.
It is also a requirement that consumers opt in to the provision of their data, meaning that businesses cannot rely on consumers having to opt out.
An example is the use of online tick boxes to sign up for goods and services. These now need to be blank and not “pre-filled” to show that a consumer took a positive step to sign up rather than simply forgetting to “opt out”.
I would certainly be talking with my software providers to see what they have in place or are planning in order to help you comply. Some “joined up thinking” here will certainly help.
I would also, as a matter both of “farming” for new business and getting my data compliant, be undertaking a programme of speaking with everyone on my database and finishing the conversation by asking whether I can retain their data for specific future contact.
I would, ideally, get this confirmed in black and white, but certainly be recording it in my CRM system.
Of course, there are many examples of where data needs to be held to comply with other legislation – anti-money laundering compliance, for example, and clearly on-going client and customer relations.
The “legitimate interest” provision in the Regulations will apply in many instances and enable businesses to retain and use much data legitimately but getting more express consent is undoubtedly the way forward. Businesses should be using the coming weeks to contact their databases, clean up the information and get consent to retain it for the specific purposes you wish to use it for.
The new rules raise the requirements for security of data, but you should already be meeting these. It does, however, become a requirement to report any breaches of data, with significant potential fines for non-compliance.
There are various knock-on implications such as the passing of personal data to third parties such as contractors and those who act as “data processors”.
It would certainly be prudent to talk with your suppliers and ensure their processes are robust and to build required standards into any service level agreements, staff contracts of employment, terms of business etc.
There is currently a lot of noise surrounding GDPR and a plethora of companies offering (very expensive) audits of your business to help you comply. I actually believe most businesses will be able to cope with the changes internally but those changes certainly cannot be ignored.
They are not designed to stop you doing business but leaving your plans to the last minute could result in an inability to legally use data that you currently have and leave you open to falling short of requirements.
I am running some seminar sessions to explain requirements in more detail and offer some pragmatic approaches to compliance, including March 7 at Beaufort House in Chelsea.
Further information and booking details can be found here:
* Michael Day is managing director of consultancy Integra Property Services. He has over 40 years in the property industry (he says he started when he was three!). He is a Chartered Surveyor and was the inaugural chairman of the RICS Residential Faculty. He is also a Fellow of the NAEA and has held partner and director positions at A C Frost, Prudential and Connells.
Great summary Mike
I would love to come along please
thank you
Well said Mike. Only other observations:
1. How do you dispose of data? There have been ICO cases where paper records not shredded or destroyed, left about, opens up issues.
2. Also check your software CMS supplier AGREEMENTS, and are they sending your stored client and applicants' details elsewhere?
Some CMS Agreements may state
(i) they have the right to take your data and pass it on to THEIR third party contacts
(ii) that any data they take from your system you must tell your buyers / sellers that A N Other party (your software) may pass on.
If Joe Seller, or Bobby Buyer don’t know their data may be with XYZ services your software passed it on to. Some CRM agreements from softwares/portals may exempt that company and in their fine print throw their financial gain back in the agent's responsibility.
After looking at many CRM license agreements recently, I would absolutely agree, as in many cases specific clauses were added to ensure the CRM company could use, pass data on and in some cases own the data.
GDPR clearly questions the legality of such methods as the client has not consented and the agent doesn’t know where all the data has gone. I suspect many companies may be reviewing CRM software right now, as having two systems, sales and property management, just makes the problem worse as potentially the client is in two systems.
Very good article Mike. GDPR is just as big an issue for recruitment agencies and for in-house recruitment teams within estate agency who are all busily trying to build databases of potential employees. Whilst it has already involved a huge amount of work for us (we have data stretching back over 30 years!) we’ve taken it as an opportunity to ‘get our house in order’ while cleaning up our database. Incidentally, you have been part of that process! I found you lurking in there as a Regional Director for Prudential Property Services from the late 80’s!!! You must have been about 12 😉
Has anyone else tried to make a complaint to ICO?
I assume they would be very similar to the ASA, in terms of compliance and enforcement.
I can only imagine they are really interested (and have the manpower) in dealing with large scale breaches such as the UBER and TalkTalk breaches.