With 25 May 2018 and the arrival of the GDPR looming ominously on the horizon, there’s never been a more important time for letting agents to take stock of their working practices and systems when it comes to the data they are responsible for.
The General Data Protection Regulation (GDPR) is the biggest upheaval of European data regulations since 1998’s Data Protection Act and it will have an impact on just about every kind of business you can think of. Letting agents will need to look carefully at the way they process and store the personal data of their customers and leads, and if necessary make some fundamental changes to the way they go about their business before the GDPR takes effect. The repercussions for those who don’t could be extremely damaging, with serious violators facing fines of up to €20m or 4% of turnover - whichever is greater.
There is still time to get your house in order though, and the more you can prepare in advance the better. Here are eight tips to help you get ready for 25 May, and minimise your chances of falling foul of the new rules and being made an early example of by the ICO...
1 Lead from the boardroom
The GDPR will affect all letting agency employees in one way or another, so it’s vital for senior management to lead by example and demonstrate a sense of urgency to ensure that everyone is versed on the importance of adhering to new data protection rules across the whole organisation.
2 Audit your current data
Take the time to run a thorough audit of your existing customer information. What data do you hold and what do you do with it? How is it collected, and who is responsible for it? What data is held explicitly by your agency (local spreadsheets, for example) and what is stored via a third party (such as a cloud-based property management system)? You need to be able to clearly demonstrate how data flows into, through, and out of your agency, as well as processes for deletion and justification for retention.
3 Opt-in forms - record and manage consent
From 25 May, it will no longer be okay to provide pre-checked ‘opt in to marketing’ (or unchecked opt out) tick boxes when people choose to provide you with their personal data via your website or a landing page. They need to explicitly opt in to receiving future marketing communications from you, so make sure you prepare to update your contact forms with an empty checkbox and a corresponding invitation to tick it in order to stay up to date with your news, offers, or anything else in your marketing arsenal. You will also need to track this consent and be able to demonstrate how and when it was obtained, so ensure that any CRM tool you use is set up to do this. While an opt-in only approach may lead to a slowdown in mailing list growth in terms of pure numbers, think of the positives - it should ensure that those who do subscribe have a genuine interest in your agency and what you may have to offer.
4 Secure your website
If your website involves the transfer of any kind of personally identifiable data, it will need to have an SSL certificate so that it is served over https. So whether it’s a form that a potential tenant can fill out to register for property alerts or live chat support functionality, if your site allows a user to send you their personal information then that data needs to be secure.
5 Take a long hard look through your filing cabinets
The focus of GDPR is frequently on digital records; however, it is important not to ignore the impact it will have on paper documents as well. One of the key principles of the GDPR is the right to be forgotten - that is, the right for any individual to request the removal of any data an organisation may hold about them when it is no longer relevant ‘without undue delay’. Can you confidently say you’ll be able to fulfil this obligation? Quick tip: if you use Goodlord, the whole tenancy process is handled digitally and there will be no paper documents for you to worry about at this stage!
6 Check your partners and suppliers
They need to be GDPR compliant too! When it comes to the personal information of your customers, you are the data controller. Chances are, however, that you outsource some of the processing of this data to third party data processors, such as suppliers of cloud-based CRM or property management systems. You will need to obtain confirmation of their GDPR compliance and ensure any contracts are updated accordingly - the data controller is ultimately responsible for ensuring that the data is processed correctly.
7 Have a breach response plan in place
If the worst happens and you suffer a data breach involving the loss of customer details, you will need to notify the relevant authority within 72 hours. You may also have to let the data subject know ‘without undue delay’, so it’s important that you have a process in place whereby you can fulfil these obligations in a timely manner.
8 Put GDPR at the heart of everything
The GDPR is not just for legal or IT teams to worry about - it’s a responsibility for anyone who handles any kind of personal data, however seemingly insignificant. Because of this, everyone at your agency needs to assess the personal information they capture, how it is used, and where it is held. Under the GDPR there will be no excuse for not knowing about particularly well-hidden data, or your obligations as a whole.
A challenge and an opportunity
The GDPR represents a challenge to letting agencies everywhere, but it also provides a huge opportunity for you to get your data in order and make your ongoing property and tenant management processes (not to mention your marketing) more efficient and with a better return on spend. If your agency has sorted out its data and GDPR compliance by 25 May 2018, you will be at a clear competitive advantage to those who haven’t.
It's important to note that this article isn't exhaustive, doesn't constitute legal advice for ensuring compliance with the GDPR and is intended purely to get letting agents thinking carefully about some of the key issues that surround the upcoming regulations.