Your plain English guide to preparing your agency for GDPR: Part one of our new mini-series

A three-part series that provides agents with information that cuts through the GDPR jargon. Part two is tomorrow, and part three will be on Friday.

Preparing your agency for the GDPR.

  1. Your role and responsibilities.
  2. Consumer rights, breaches and data principles.
  3. Marketing processes.

PART ONE: Your role and responsibilities

To achieve GDPR compliance, there are a number of changes that you need to address in relation to your role and responsibilities. The first major change that you need to be aware of is that agents become data controllers under the GDPR.

As a data controller, you are solely responsible for determining the purposes and means by which the data you hold is used.

Any member of your business that uses customer or employee data is deemed a data controller. Therefore, one of the key things that requires your immediate attention is the implementation of a GDPR training and awareness programme for your staff.

If you are not required by law to have a dedicated Data Protection Officer (DPO), then it is recommended that you upskill a member of your team to oversee your GDPR compliance programme.

How seriously are you taking data protection at present?

You should review how your business currently runs in terms of data protection, and address such fundamental questions as: how do your staff members handle sensitive data in the office on a day-to-day basis?

Do they password-protect documents when sending them to clients, or are they sent in clear text that can be easily intercepted by cyber hackers?

Do staff members understand what constitutes a data breach, and do they know what the protocol is for reporting one? Have they completed a data protection training programme?

Evaluating and answering questions similar to these will demonstrate that your business is moving in the right direction in terms of GDPR compliance.

Are you confident in your third parties?

You should collate and review all of the third-party providers your business uses or passes data to, and find out if they are – or plan to be – GDPR compliant before the enforcement date.

If you are not happy with their response, then you will have to decide if you want to continue your relationship with them.

You should also enforce GDPR compliance as a condition within all of your commercial contracts, since a failure to ensure that your third-party providers adhere to the GDPR may result in financial penalties for your business.

Update your Privacy Policy

Most agents will have a Privacy Policy. However, the majority will have never read it. Your Privacy Policy is a legal document that explains how your business handles any customer, client, or employee information gathered in its operations.

You need to review your Privacy Policy as a matter of urgency.

Remember to factor in that your website developer may need suitable notice to schedule and implement any updates on your behalf.

Your Privacy Policy provides you with a clear, transparent and accessible way of demonstrating how you collect, handle, store and process data in an appropriate and trustworthy manner.

Within your Privacy Policy, you should look to include:

  • What type of information your business intends to collect.
  • Who is collecting it.
  • How it is collected.
  • How long your business intends to keep the information for and why.
  • What lawful bases for processing you use and why.
  • If you do – or intend to – share data with any third parties, and why you need or want to share it with them.
  • Document all of your third parties and make it transparent for your customers to know who you work with.

To ensure your Privacy Policy meets the standards required by the GDPR, it is recommended that you schedule time with your legal team.

Richard Combellack is chief commercial officer at BriefYourMarket. https://www.briefyourmarket.com/

Disclaimer: BriefYourMarket.com is not a legal or regulatory body. This article is for informative purposes only. To understand your position in relation to the GDPR, please consult a/your legal advice organisation.




One Comment

  1. Bless You

    Many thanks for this. Bless this forum and all who sale in her…apart from domprichhh obviously.
