The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. It replaces the current UK Data Protection Act 1998 and gives individuals far greater control over what personal data is held on them and how it is used.
GDPR affects all businesses in the UK, the EU and globally if they hold any form of personal data relating to an individual who resides in the EU. This could be as little as a name and an email address. If you hold personal data, you are accountable for that data, including if it is lost or stolen.
You must ensure that you and your staff know where your clients' personal data is held, where it goes and who has access to it. Review your current data protection policies sooner rather than later so that you have time to make any changes before the deadline.
There are many points to address to become GDPR compliant, too many to cover in this article alone. Below are a few that stand out.
Key members of staff and decision makers need to be aware of GDPR and the impact it is likely to have on your business. They should understand the new regulation well enough to train other staff in compliance. All staff should also be updated regularly on the procedures for keeping data secure and on what to do if a data breach is detected.
Know the Information You Hold
Any personal data you hold on an individual will need to be documented if the processing of the data could result in a risk to the rights and freedoms of the individual. You must record:
You may be required to make these records available to the relevant supervisory authority for purposes of an investigation.
IT security is at the forefront of GDPR, and making sure that all of your IT equipment is as secure as possible is the best way forward. There are a few best practices that can be implemented with little or no disruption to increase security:
Some of the main changes in GDPR concern the rights of data subjects:
Review your procedures now to ensure they support these rights, including how you will delete personal data and how you will supply a copy of the data in electronic form if a Subject Access Request (SAR) is made.
Under GDPR you will have one month, rather than the current 40 days, to respond to a SAR. Review your SAR procedures now and plan how you will meet the new timescale in your business. You can no longer charge for supplying the data: a reasonable fee may be charged only where a request is manifestly unfounded or excessive (for example, repetitive) or for additional copies, and a genuinely complex request allows the deadline to be extended rather than a fee to be charged. If you refuse a request you must tell the subject why it has been refused and that they may complain to the ICO.
If you haven't already, review how you request, record and manage consent and whether you need to change your policies. Estates IT will be making changes to contact and registration pages on websites to require a positive opt-in for consent. We are also making many changes in PCHomes that will require you to have obtained consent before storing personal data. The new regulations also require you to offer an uncomplicated way for consent to be withdrawn. Contrary to some misconceptions, you are not required to automatically refresh consent where the consent you already hold meets GDPR requirements.
GDPR requires a lawful basis for processing personal data. If a person has requested a service from your business and you take and store their details while supplying that service, that is a lawful basis for holding the data. However, storing data indefinitely will no longer be allowed, so if you have personal details of old applicants stored in PCHomes with whom you have had no contact for years, now is a good time to review and clean up your database. As a rule of thumb, if there has been no contact for two or more years you should delete the information. Where you hold financial history or records for former tenants or landlords, a legal obligation to retain those records (for example for tax or accounting purposes) is itself a lawful basis for keeping them, for as long as that obligation lasts.
GDPR will require certain data breaches to be notified to the ICO, within 72 hours of your becoming aware of them where feasible. You only need to notify the ICO where the breach is likely to result in a risk to the rights and freedoms of individuals, for example if it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Where the risk to individuals is high, the affected individuals must be told as well.
Data controllers must put technical and organisational measures in place to minimise the processing of personal data (data protection by design and by default), and must only process and store data that is necessary for the purpose. Estates IT is putting measures in place that will enable you to record consent within PCHomes and to remove or anonymise sensitive personal information where necessary.
The requirement to appoint a Data Protection Officer (DPO) shouldn't affect the majority of estate agents. GDPR sets no headcount threshold for this: a DPO is mandatory only for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data, which will rarely apply to an estate agency. If you do want a named person to lead on GDPR, the general advice is not to call them a DPO unless you intend them to hold the statutory role, which carries independence and reporting requirements. Either way, the business itself remains responsible for compliance.
The penalties for falling short of GDPR compliance are higher than ever: fines of up to 20 million euros or 4% of annual global turnover, whichever is higher, are possible. In practice, fines at that level are highly unlikely except for the most severe breaches. The ICO states on its blog that fines will be proportionate and will not be issued for every infringement. It also says that if a data breach is not likely to result in a risk to people's rights and freedoms there is no need to report it.
The current Data Protection Act is woefully outdated and GDPR is sorely needed. Treat your clients' and staff's data as you would want other companies to treat your own.
Please take the time to read the links below to find out how GDPR affects your business and what you need to do to become fully compliant.
Above all, make sure you understand your own obligations under GDPR, as there is only so much your software provider can do for you. The rest is up to you.
Our estate agent software enables you to control and manage the personal data stored within your database. The latest versions give you various tools and screens to help you manage consent and privacy. If you are a PCHomes Plus Estate Agent Cloud Software user, this also helps protect your data in a secure environment hosted entirely within the UK.