The Paul Smith column: Are agents sleepwalking into a data protection nightmare where customers turn you in?

If you’re unsure what the General Data Protection Regulation (GDPR) means for your business when it is enforced on May 28, then you have a wake-up call in store.

A very real danger is that savvy members of the public who may once have had some kind of dealings with you will ‘dob’ you in for breaking the rules.

You may want to invite a GDPR consultancy into your business, as we have done.

We’ve been working with a team from Xcina Consulting, looking at all the different touchpoints that we have with our customers. I’ve written previously about how valuable every estate agents’ database is, but if you can’t contact people on that database because you don’t have permission, what value is it then?

As a starting point, if you already have permission to contact your customers for marketing purposes, you won’t need to ask for their consent again, as long as you have made them explicitly aware as to why you wish to keep in touch.

There are eight key principles under the Data Protection Act (DPA) 1998 which will remain, relating to the use and retention of personal data.

However, the GDPR takes these principles even further in a digital world where it is now much easier to transfer data between businesses. This means it is even more important to be open and transparent about how you use personal data, ensuring you have an agreement in place about the reason the data is going to be used, for every service that is being offered.

So if you have people on your database that haven’t given you consent to market to them, you won’t be able to email, phone or write to them – or you will be breaking the law and risk being fined by the Information Commissioners Office (ICO) up to 4% of global annual turnover or £17m, whichever is greater.

What, then, if you want to contact someone who bought or sold through you years ago to tell them someone is looking to buy in their street or is interested in their property (not that you should still be holding this data)?

You will have to treat them as an anonymous customer and go back to door knocking or writing to them as the householder. Also, unless you have a specific reason or consent to keep data of the person who bought or sold through you years ago you will also be breaking the law as you are holding their information for longer than you need to.

How about having information about property sale prices and telling people you have just sold in their area and giving details? Again, you won’t be able to inform people in that vicinity – unless you have their explicit consent that they are happy to receive such information.

What if people come into your branch to say they are interested in a property but don’t go through with the transaction? You may have their details on file to keep them informed about properties they may like. However, if you don’t have their explicit consent to contact them for marketing purposes for other services, you will be breaking the rules.

Because you need to keep an audit trail proving the date and time that people confirmed their consent, you then need to ensure you store these records accurately and securely.

In some cases, this may mean keeping telephone records – and we’ve been advised to follow up with an email or letter to say that as a result of our phone call, we believe you have consented to receive further information, giving people the opportunity to remove that consent.

With these new systems and procedures, there is an inevitable cost that goes with implementation, staff training and the storage of records, including records of phone calls, so we can prove when consent was given.

Of course these new rules are designed to protect the rights and freedoms of customers’ and protect their personal information – and that’s incredibly important, especially in the light of cyber-attacks, data stolen by disgruntled employees, and the selling of personal data to other organisations.

But I can’t help but wonder whether these regulations were originally designed for the likes of Google, Apple and Facebook and not for the small businesses whose livelihoods are going to be impacted in far greater ways than they realise.

In my opinion it’s like using a sledgehammer to crack a nut, using disproportionate force to overcome a problem. I can’t understand why politicians didn’t intervene to ensure that a more balanced view was taken and that the rules were designed more carefully around the needs of today’s businesses. Presumably even the milkman will need to ask to keep your data on file?

A whole new industry has sprung up around GDPR, just like it did around the Millennium bug, and savvy customers will hold businesses to ransom, threatening to tell the authorities that you haven’t obtained their consent. Be warned.

For example, we’ve undertaken some interesting research into how long it takes people to make up their mind when it comes to moving – and the average selling time frame is 14 to 17 months. Fewer than 5% are ready to sell within 60 days from their initial enquiry.

Most agents usually follow up after 30 days – but how many keep the relationship going over the ensuing months? Nearly all marketing is front end customer acquisition but it drops off due to lack of engagement.

This reinforces the importance of good CRM and GDPR systems – and agents need to realise they can no longer be new business junkies but need to play the long game in order to build a relationship that will reap rewards in the long run.

x

Email the story to a friend

22 Comments

  1. AgencyInsider

    It is EU legislation. Aren’t we leaving the EU?

    Report
    1. P-Daddy

      In an online world, these types of legislation are there to protect across all borders…eventhough some won’t be policed as robustly as others. And of course, we seem to be signing up to every demand made by the EU, so we will still be covered. Independence in a global community is not what it says on the tin.

      Paul has made some very good points in his article and gives a pit face view.

      Report
    2. GN19

      The legislation applies to data for all EU citizens, so unless you can guarantee that you will never have an EU citizen contact you it applies.

      Report
      1. AgencyInsider

        EU to Donald Trump: One of your U.S. Companies has breached our GDPR rules and we are going to massively fine them.

        Trump to EU: F-off.

        EU to Donald Trump: Oh. OK.

         

         

        Report
        1. mattstephens38

          nope pretty sure the EU will say either you have to pay the fine or you cannot operate in the EU

          Report
  2. AgentV

    If you have a databank of say 8,000 registered applicants built up over the years from telephone calls, registrations, rightmove leads etc. and your CRM software automatically emails them once a week with your new listings, what do you do?

    If you simply do not have the resources to contact these people, especially at the busiest time of year, what then? Even though on every email they have had the ability to deregister if they wanted, presumably that doesn’t count?

    Does anyone have a similar problem and any suggested solutions?

    Ros, what about a major article on this where providers can offer their solutions?

     

    Report
  3. Robert May

    “Does anyone have any suggested solutions?”  Closed question…. yes

     

    Report
  4. localagent735

    ”How about having information about property sale prices and telling people you have just sold in their area and giving details? Again, you won’t be able to inform people in that vicinity”

    but why can you not tell people sale prices? They are all advertised on public domain like Zoopla???

    Report
    1. Peter

      You can, just don’t put their name and address of the recipient on the letter unless you have their permission to send via this media.

      Report
  5. BIGEEB46

    Paul, many agents databases are held by a third party, in my case ExpertAgent. I have a database that has been accumulated over many years and even if we “de-activate” a consumer, their information is still there. I’ve asked ExpertAgent what steps they are taking to resolve the issue of “obtaining consent” as clearly the task to contact 8.000 odd “consumers” and the likelihood of any decent number of them responding with “yes, you can keep my info” is highly unlikely if their need is not current. Yet, as we all know, this information being held is key to being able to provide the quality of service we offer.. it’s almost like saying although I know the person who lives at X address, I can’t acknowledge that info unless I have his/her consent and can prove it!

    What we all need is some sensible industry specific guidance on this from those who have no doubt been close to the subject, and when I say “specific” I mean it… not the generalisation that has been offered up from DP specialists that haven’t a clue about our industry.

    Report
    1. AgentV

      Exactly……many of these people have been quite happily receiving weekly emails from us for years, without a problem. Problem is they only have a short time to respond to any requests we make……and we all know what the likely response rate is going to be.

      What about rightmove’s database? The same will be true of their email alerts system surely? I bet there are people that have been on that for many years as well.

      So as I understand it, many organisations in this country are going to be bombarding everyone for express permission to contact them in future……it is going to be mayhem. Or else all those organisations are going to have to delete their databases….yeah right….like that is going to happen!

      I suspect the whole ICO organisation is going be doing nothing else for the next 10 years other than chasing and prosecuting people.

      Report
  6. Mark Walker

    What if your CRM contract says that the provider can aggregate your customers’ details for their own ends…  Uh oh.

    Report
  7. Property Paddy

    easy if no response or reply to messages and emails then remove from database, 3 to 6 months life span max.

    Report
  8. jeremy1960

    Nothing to stop agents emailing everyone on their database now asking the database to reply as to whether they want to remain on the list for marketing purposes etc. Suggest doing that 3 or 4 times between now and say end of March, monitor the latter responses and delete all records of those that do not reply. That done the smaller list can then be contacted advising what information is held, why it is held what it may be used for and who it may be shared with, those on the list need to “opt in” rather than “opt out” so after the final mail out before “d-day” agents need to ensure that anyone who has not responded is removed. Any future enquiries must be advised as to what info held and why and must give consent, easy answer is to email out to each applicant/landlord/vendor after the conversation confirming that they have given consent to receive details etc and how info will be used, anyone that does not respond should be deleted.

    Report
  9. cyberduck46

    What about where an agent has shared your information with another branch and you’ve emailed them to stop suggesting properties but they haven’t stopped.

     

    Can they get fined 4% of global turnover?

     

     

    Report
    1. jeremy1960

      As I understand it the person/organisation taking the original information would be culpable so they need to advise that client who their information has been shared with and why. The client must then be given details as to how their information can be removed from any database.

       

      Report
  10. Thomas Flowers

    As LPE’s are self -employed this is a serious issue for PB, particularly if one leaves and is replaced by someone else?

    With most tradition estate agents the onus is on the firm as they employ their staff, not vice versa?

    Would this scenario require the new LPE to re-establish GDPR, referral, contract and ML regulations or face non-compliance judgements as well as a 4% fine of global turnover including Oz and USA?

     

    Report
  11. J1

    Or in regard to the mailing list (good old fashioned name for an applicants register or CRM) you could do what some of the corporates do and tell your staff to just keep an eye on Rightmove !!!!

    Where does it leave the portals who have millions of records, that they have possibly been selling into data farms over the years??

    Report
  12. AgentV

    Many of our contacts have been quite happily receiving weekly emails from us for years, without a problem. Problem is they only have a short time to respond to any requests we make……and we all know what the likely response rate is going to be.

    What about rightmove’s database? The same will be true of their email alerts system surely? I bet there are people that have been on that for many years as well.

    So as I understand it, many organisations in this country are going to be bombarding everyone for express permission to contact them in future……it is going to be mayhem. Or else all those organisations are going to have to delete their databases….yeah right….like that is going to happen!

    I suspect the whole ICO organisation is going be doing nothing else for the next 10 years other than chasing and prosecuting people!

    Or are they going to all wait to get caught and then then get an informal resolution!

    Report
  13. DarrelKwong43

    This will have a big impact on letting agents considering the amount of personal data (alot sensitive) they will hold.  Mapping out the customer journey is an important part of the preparation.

    Report
  14. Simon Bradbury

    Hi Paul,

    Just a little thing (though the wife’s never complained!).

    In your opening sentence you state that if agents are not prepared for GDPR “… on May 28, then you have a wake-up call in store.”

    Err? GDPR enforcement date is May 25th.

    Make sure that you’re awake then dude!

    Report
  15. Emmersons46

    https://services.parliament.uk/bills/2017-19/dataprotection.html

    For those interested in data protection please note that GDPR is not yet finalised. The Bill is progressing through House of Lords and being amended.

    Report
X

You must be logged in to report this comment!

Leave a Reply

Thank you for signing up to our newsletter, we have sent you an email asking you to confirm your subscription. Additionally if you would like to create a free EYE account which allows you to comment on news stories and manage your email subscriptions please enter a password below.