GDPR: How to make sure your letting agency is compliant

Letting agents need to constantly monitor the way they process and store the personal data of their customers and leads to ensure they're compliant with GDPR.

Tom Mitchell


The General Data Protection Regulation (GDPR) was the biggest upheaval of European data regulations since 1998’s Data Protection Act and it will continue to have an impact on just about every kind of business you can think of.

Letting agents need to constantly monitor the way they process and store the personal data of their customers and leads to ensure they're compliant with GDPR. The repercussions for those who don’t could be extremely damaging, with serious violators facing fines of up to €20m or 4% of turnover - whichever is greater.

We've put together a quick guide on ensuring your agency is GDPR-compliant.

Audit your current data

Take the time to run a thorough audit of your existing customer information. What data do you hold and what do you do with it? How is it collected, and who is responsible for it? What data is held explicitly by your agency (local spreadsheets, for example) and what is stored via a third party (such as a cloud-based property management system)? You need to be able to clearly demonstrate how data flows into, through, and out of your agency, as well as processes for deletion and justification for retention.

Opt-in forms - record and manage consent

From 25 May, it will no longer be okay to provide pre-checked ‘opt in to marketing’ (or unchecked opt out) tick boxes when people choose to provide you with their personal data via your website or a landing page. They need to explicitly opt in to receiving future marketing communications from you, so make sure you prepare to update your contact forms with an empty checkbox and a corresponding invitation to tick it in order to stay up to date with your news, offers, or anything else in your marketing arsenal. You will also need to track this consent and be able to demonstrate how and when it was obtained, so ensure that any CRM tool you use is set up to do this. While an opt-in only approach may lead to a slowdown in mailing list growth in terms of pure numbers, think of the positives - it should ensure that those who do subscribe have a genuine interest in your agency and what you may have to offer.

Secure your website

If your website involves the transfer of any kind of personally identifiable data, it will need to have an SSL certificate (HTTPS). So whether it’s a form that a potential tenant can fill out to register for property alerts or live chat support functionality, if your site allows a user to send you their personal information then that data needs to be secure.

Take a long hard look through your filing cabinets

The focus of GDPR is frequently on digital records; however, it is important not to ignore the impact it will have on paper documents as well. One of the key principles of the GDPR is the right to be forgotten - that is, the right for any individual to request the removal of any data an organisation may hold about them when it is no longer relevant ‘without undue delay’. Can you confidently say you’ll be able to fulfil this obligation?

Check your partners and suppliers

They need to be GDPR compliant too! When it comes to the personal information of your customers, you are the data controller. Chances are, however, that you outsource some of the processing of this data to third-party data processors, such as suppliers of cloud-based CRM or property management systems. You will need to obtain confirmation of their GDPR compliance and ensure any contracts are updated accordingly - the data controller is ultimately responsible for ensuring that the data is processed correctly.

Have a breach response plan in place

If the worst happens and you suffer a data breach involving the loss of customer details, you will need to notify the relevant authority within 72 hours. You may also have to let the data subject know ‘without undue delay’, so it’s important that you have a process in place whereby you can fulfil these obligations in a timely manner.

Put GDPR at the heart of everything

The GDPR is not just for legal or IT teams to worry about - it’s a responsibility for anyone who handles any kind of personal data, however seemingly insignificant. Because of this, everyone at your agency needs to assess the personal information they capture, how it is used, and where it is held. Under the GDPR there will be no excuse for not knowing about particularly well-hidden data, or your obligations as a whole.

It's important to note that this article isn't exhaustive, doesn't constitute legal advice for ensuring compliance with the GDPR and is intended purely to get letting agents thinking carefully about some of the key issues that surround the upcoming regulations.

