The General Data Protection Regulation (GDPR) is in the process of being updated, replacing the previous 1995 data protection directive. The discussions started in May 2016 and the new law will officially come into force as of May 25, 2018. The European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. Understandably, the property industry will be largely affected, as will the way recruitment agents go about business, but provided we prepare accordingly, business will continue as usual.
What are the new requirements?
- Privacy by Design (PbD) – has always played a part in EU data regulations. However, its principles of minimizing data collection, retention and gaining consent from consumers when processing data are more explicitly formalized.
- Data Protection Impact Assessments (DPIA) – When certain data associated with subjects is to be processed, companies will have to first analyze the risks to their privacy.
- Right to Erasure and To Be Forgotten – There’s been a long-standing requirement in the DPD allowing consumers to request that their data be deleted. The GDPR extends this right to include data published on the web.
- Extraterritoriality – Even if a company doesn’t have a physical presence in the EU but collects data about EU data subjects, for example through a web site, then all the requirements of GDPR are in effect. In other words, the new law will extend outside the EU.
- Breach notification – A new requirement: companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered. Data subjects will also have to be notified, but only if the data poses a “high risk to their rights and freedoms”.
- Fines – The GDPR has a tiered penalty structure that will take a large bite out of offenders’ funds. More serious infringements can merit a fine of up to £20 million or 4% of a company’s global revenue (whichever is greater).
How will this affect estate agents?
An important part of the GDPR revision is to ensure data processes protect the rights of individuals. Within an estate agency, an organised data protection programme will need to be established ensuring all data is recorded. This obligation extends to any third-party contractors or partners working with a business, and will present real estate companies with much greater legal liability in the event of error.
This data will include:
- rent and payments collection data;
- energy usage data;
- building and car parking security data;
- property occupancy data; and
- contracts between the property owner or fund manager and the property manager.
What should you be considering now?
- Consider what personal data you collect and how it is used, shared and otherwise processed.
- Review and update existing property management agreements to ensure that they meet the more onerous requirements of the GDPR, and properly allocate risk between the property manager and the fund or business contracting with the property manager.
- Finalise internal policies, procedures and governance structures ensuring you provide the correct resources to train your team effectively, remaining up-to-date with on-going compliance regulations.
- Plan for data breaches by having a clear, actionable process to identify who or what is accountable. You may need to show that you have adequate cyber security in place and that compliance is monitored.
What about Brexit?
The UK is implementing a new Data Protection Bill, which has been drafted, and whilst there are some small changes, our own law will be largely the same.
GKR London Property Recruitment specialise in placing property professionals across London, Greater London & surrounding Home Counties. We support our clients to achieve their growth strategy and partner alongside them to provide them with insight and knowledge into the wider industry. If you are looking for support, get in touch with GKR today to speak to one of our consultants.