GDPR one year on: time for real estate to take stock
A year has passed since businesses were scrambling to prepare for the EU’s General Data Protection Regulation (GDPR), implemented in the UK by the Data Protection Act 2018.
While the sky didn’t cave in on 25 May 2018, the GDPR is no millennium bug: data protection is here to stay, irrespective of Brexit. As an industry handling large volumes of data relating to landlords, tenants, vendors, purchasers and investors, commercial real estate agents cannot afford to be complacent.
The fines are coming
The UK’s data protection regulator – the Information Commissioner’s Office (ICO) – has spent the past 12 months harmonising its approach with other EU data protection authorities and closing legacy investigations under the old legislation. While it has yet to impose fines under the GDPR of up to the greater of €20m (£17.7m) or 4% of worldwide turnover, the ICO is widely expected to show its teeth soon.
Now is the time for real estate businesses to avoid getting bitten by making sure they are sufficiently resourced and streamlined to handle a personal data breach. Remember, if personal data under your control is compromised, you must act quickly to investigate the breach and, if it is confirmed as a risk to individuals’ rights and freedoms, notify the ICO within 72 hours. If the breach poses a high risk to the private life of the affected individuals, they will need to be notified too.
Getting your lawful bases for processing right
It is a common misconception that GDPR fines may only be imposed in the event of a data breach. When Google was fined €50m in January by the French regulator, this was partly due to its lack of a lawful basis for processing personal data. It is therefore crucial to be clear about which lawful basis you are relying on when processing a particular personal data set.
Consent from individuals is not always the appropriate ground for processing their personal data. If, for example, you act as a letting agent, your sharing of tenants’ details with third-party referencing agencies to prevent money laundering and fraud is necessary for your legitimate interests (one lawful basis) and for compliance with your legal obligations (another lawful basis). However, with direct marketing rules expected to be tightened under the EU’s upcoming ePrivacy Regulation, processing for sales and marketing purposes will almost certainly require customers’ consent, which must be freely given, specific, informed and unambiguous.
To ensure reliance on the correct lawful bases for processing, identify the different types of customers and their data and follow their respective journeys. For example, a prospective purchaser’s data is likely to include their name, e-mail address, phone number and buying position, and will be used to process requests for property information, including any viewings. Their name and buying position may be disclosed to sellers of properties they’re interested in. The “legitimate interests” basis might apply here. Once a buyer who has signed up with an agency has identified a property to purchase, their personal data set will also include their financial information, which will be used when processing any offers. The applicable lawful basis will most likely be to enable you to perform your contractual obligations.
(Re)training staff
It is crucial that staff handling the data understand their obligations. Representatives who note down potential buyers’ details, for instance, should know to send to those prospects a copy of your organisation’s privacy policy (a hyperlink to it in a confirmation e-mail would suffice). It is important to repeat and refresh GDPR training regularly.
The publicity surrounding the GDPR has increased consumers’ awareness of their data rights, as evidenced by the rise in the number of subject access requests (SARs) made since May 2018. If your staff are trained on how to recognise SARs, you will be well placed to respond to them without delay and within one month, as per the GDPR. If you do ever have to report a security breach to the ICO, remember that you will be asked whether your staff have received data protection training in the previous two years.
Revisiting your physical security and retention periods
With recent press coverage focusing on cybersecurity breaches, it is easy to forget that physical security is an integral component of GDPR compliance. Personal data is still recorded on paper as well as digitally. Since many estate agents have open-plan offices, there is a risk that anyone entering them could view personal data on monitors or steal information left on desks. As a precaution, consider implementing locked-screen and clear-desk policies. If, like many agents, you use CCTV at your premises, check that your notices are adequately sized and your CCTV monitoring is reflected in your notification details to the ICO.
Even if you have the tightest security, it is likely that you will need to revisit your data retention periods. When the ICO visited selected sales and lettings agencies in 2016, it found a quarter of them were retaining related electronic information indefinitely. Once a deal has been completed, consider for how long you need to retain the related data and what the lawful basis for retaining it is. It is helpful to view data minimisation as a help rather than a hindrance: if you no longer hold unnecessary personal data, there is less chance of it being breached.
The best way to adapt to the new regulatory environment is to embed data protection processes throughout a real estate business, rather than simply viewing it as a compliance function. If this is done correctly, you will be rewarded with customer loyalty, an improved brand and the opportunity to expand your services.
Raj Shah is an associate in the commercial and data privacy teams at Collyer Bristow