GDPR is not an acronym which stands for something funny like LOL - it’s an important regulation that every business needs to be made aware of. GDPR is coming into effect in May this year and it will affect your estate agency. We have set out what GDPR is and what steps you can take now to help you when it is live.

What is GDPR?

GDPR stands for General Data Protection Regulation. It will supersede the Data Protection Act 1998 (DPA).

What is the point of GDPR?

The aim of GDPR is to protect all EU citizens’* data. We live in a modern and digital society, so the data companies hold, in particular personal data in respect of GDPR, needs to be protected and securely held.

GDPR is largely about consent - how you hold a client’s data and what you’re doing with it needs to be fully explained to them and positively agreed to by them.

* Yes we are involved in Brexit; No we don’t entirely know what’s happening there; Yes we are still in the EU; Yes you do need to be GDPR compliant; No you can’t escape this.

When does GDPR take effect?

25th May 2018.

What if I leave it to April as I’m too busy to deal with it now?

Don’t leave it until April to sort it out! See point below. Most estate agencies don’t have 250 employees where you can employ a Data Protection Officer (DPO) to assist your business, which means you have to do this yourself. If your customer list runs into the thousands, you need thousands of positive consents - so start now.

How does this affect my estate agency?

Massively. Non-compliance with GDPR carries a hefty fine - £20 million or 4% of worldwide annual turnover. Below we have our top tips to help you get ready for 25th May 2018.

The fine isn’t to scare you, but that’s what it is and should spur you into action.

Estate Apps’ top tips to help you get ready.

Whilst it sounds complicated, it isn’t. However, it does mean a review of your current processes and policies. We have provided our top tips to get you GDPR ready.

* Consider getting in a Data Protection Officer (DPO) if you have 250 or more employees. The majority of estate agencies have fewer, in which case you’ll have to do the processes yourself. The ICO’s website is thoroughly comprehensive and has a 12 step guide to assist you.

* Preparation is a team effort. Get everyone in your business involved. Explain what GDPR is and how it affects property generally. Lead from the top. Please don’t assume you can leave it to your administrator to sort out on their own. If there is a breach or non-compliance the whole business is culpable, not an individual.

* Undertake a data audit. This is important and the crux of getting your business ready:-

- Create a list, preferably in a spreadsheet, with headings for all the data you hold for individuals, such as first name, last name, email address, home address, work address. Whatever detail you hold against your customers, put it in the list.

- In property we take varying amounts of personal data, from email addresses, to current address, telephone details, copies of passport information. Any data that is personal to, say, an incoming tenant or buyer, that you hold needs to be accounted for in your data audit.

- If there is no reason for you to have this data, remove it. For example, Mr Man has left Company X, you have no forwarding details; you’re certain these details are old; you no longer need to keep in touch with them.

- Once you have your list, contact them. Whatever method you have chosen to create your list, whether on a spreadsheet or through your CRM, get in touch. (Tip: we have found using Mailchimp valuable). Your note has to be explicit in what you are intending to do with their email address (or whatever detail you hold), e.g. please click this box to agree to be kept up-to-date with our services, receive property details, our newsletter etc. Do also note that under GDPR you cannot have the box pre-ticked by default to subscribe. You have to give the client the option.

- When you have positive consent, i.e. yes I agree to you having my details so I can be kept in touch with your services and marketing details, file it. Either save electronically or print and file. It’s up to you. See following point.

- In respect of storing the data, given that many firms are now ‘paperless’, do be aware of where you save your clients’ personal information. If, for instance, you use cloud storage the server has to be in the EU. You will have to find a method that suits the way you work, whether that’s storing via an external drive, the Cloud, paper and file, or all.

- Undertaking the data audit will mean you have an audit trail, i.e. you have proof of consent. Say you asked Mr Man of Company X and he positively consented. He then receives an email of your latest properties and, having forgotten he gave you permission, asks why you have sent it to him. You can say “you consented, here’s the email, with date, time and IP address”. Equally, if there are complaints to the ICO about a considerable number of marketing emails, for instance, coming from your firm, the ICO are likely to investigate and will need to check your consents. Remember, you cannot make the client consent. If you do not have consent you cannot market to them.

- The revalidation of the list is probably the most concerning for everyone involved in property because most will be thinking there will be a reduction in their client mailing list. Whilst this may be true, do think about it strategically. If you have an email marketing list and your open-rate is only 10-20%, consider whether the remainder is your target market that actually wants to do business with you. Again, you cannot make the client consent to receiving your marketing details.

- Who in your firm has access to the client data? Staff members: what happens if/when they leave? How long will the data be kept for? For example, once a tenant moves in, will you remove them from your list? We are in an age where transparency is desired from businesses, and GDPR’s aim is to make the data kept transparent. If a consumer demands to know the details you have of them on file, they are well within their legal rights to access this.

* The privacy and cookies policy on your website will need looking into too. Again, ensure you are compliant. If you’re asking for customers’ details, be sure to state why you are asking for them.

We hope this has been of some help to you. GDPR is coming soon and whilst it may sound a bit scary, it really isn’t. Preparation and action will ensure you are in a great position by 25th May.

These tips we’ve provided are for guidance only, and should not be considered legal advice. Whilst we are GDPR aware, we urge you to visit the ICO’s website for full disclosure of the steps to take to ensure complete compliance. If in doubt do call the ICO.