Time is running out to prepare for privacy regulation
At a time when commercial real estate is still grappling with the complexity of big data, an upcoming regulation may have gone unnoticed by the sector – or rather the fact that it’s just as applicable to real estate businesses.
Thursday, 25 May marked the beginning of the one-year countdown until the General Data Protection Regulation (GDPR) comes into force. But how does this apply to commercial real estate?
Well, this game-changing piece of regulation requires that all organisations enhance the way they collect, use, retain and disclose personal data of EU citizens, and real estate businesses are by no means an exception to the rule.
In truth, some real estate businesses are more attuned to what data they possess or are collecting than others, but unfortunately being oblivious does not constitute a get-out clause – and the penalties are severe.
In fact, non-compliance can result in fines of up to 4 per cent of global turnover or €20m (£17.5m), whichever is higher.
With the stakes so high, it’s certainly time to take a second look at those spreadsheets. In truth, such data requires a much wider lens, with the regulation extending from your dealings with suppliers and customers (sole traders or partnerships) to using an individual’s personal data to market a property or service.
Interestingly, the regulation also extends to management companies using CCTV in communal areas of a property or a landlord obtaining a reference from a prospective tenant.
Over the next 12 months, or what’s left of that time, all UK businesses must implement strong governance processes to ensure that a customer’s personally identifiable information is stored securely and disposed of properly, at the right time and in the right way. This is clearly a momentous task and one that needs to be started as a matter of urgency.
And before you say it, you could be forgiven for thinking that Brexit might mean this regulation no longer applies to UK businesses, but the UK will still be part of the EU when GDPR comes into force in May 2018.
Moreover, even when Article 50 is concluded, GDPR will still apply to organisations that process personal data of European Citizens and it is likely the UK will have a similar regulation in place.
So what next? Now is the time to raise awareness at board level, as it’s critical the implications are known and that funding is in place to undertake a privacy improvement programme.
This programme should review what data your firm holds, as well as any rogue (and non-compliant) databases your business has. You then need to review how this data is collected, how individuals are informed and how the data is ultimately used. This approach will enable agreed policies and procedures, including what to do in the event of a data breach.
This all might appear quite cumbersome but, in reality, taking stock of what data a business has – including real estate firms – has its advantages, too.
The property landscape is changing quickly and, in order to remain relevant today, an audit of what you have at your disposal might unearth some leverage.