Leading GDPR compliance experts have warned that the property industry has become too relaxed about the pitfalls of data management errors, leaving it exposed to claims.
They have told The Negotiator that poor internal data protection processes and a lack of investment in ensuring staff comply with the three-year-old regulations mean some organisations within the property industry, but particularly estate agencies and house builders, are exposed both to being named and shamed by the Information Commissioner and to having to pay compensation for data losses or illegal disclosure.
One of the key worries for agencies is when disgruntled clients realise they can ‘exact revenge’ by putting in a Data Subject Access Request (DSAR), which requires the company involved to pull together all the information held about the person within their systems and hand it over.
Not only does this take eons of admin work, particularly if a person has a common name, but it can also reveal a data loss – for example, a mortgage broker being sent a buyer’s personal contact details without the person’s consent.
Technically, under GDPR regulations, data loss means the ‘accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed’.
If such a breach has happened, then compensation ranging from a few hundred to several thousand pounds can be claimed via the Information Commissioner’s Office.
One expert has told us that several ‘no-win, no-fee’ law firms are now helping individuals make claims against companies over GDPR breaches via DSARs, and that adverts for this kind of service are now easy to find via a Google search.
“There’s very little property firms can do because people are people and sharing information about clients has been endemic within most industries for years, and particularly so within the property industry,” says Richard Smith of software provider DPOPlus.
One company tackling this challenge is Spicerhaart which, a Freedom of Information request shown to The Neg reveals, has reported 32 breaches since GDPR kicked off in May 2018, including ten over the past 12 months.
Approximately half are the most common breach – when a company takes longer than the maximum 30 days to respond to a DSAR.
Steve Lamb, Spicerhaart’s Chief Information Officer, says: “We have always taken data protection very seriously and we encourage our workforce to report any accidental data breach to our in-house Data Protection Officer and team, who also deal with any Subject Access Requests.
“In most cases, a data breach is caused by human error, perhaps someone rushing to finish an email and sending it to the wrong email address or with the wrong attachment.
“The sender has to notify the recipient and ask them to remove it permanently, plus report it to our Data Protection Officer who investigates further.
“They communicate to all parties involved, determine subject risk and whether it needs to be reported to the Information Commissioner’s Office. Between Subject Access Requests and Breaches, the ICO have been involved in about 10 cases a year since GDPR was introduced, none of which have led to any warnings or fines.
“The more time-consuming aspects are the DSARs. We find these mainly arise in lettings due to the variety of relationships that exist, such as landlords, some with multiple properties and tenancies over time, as well as contractors and property management suppliers.
“It is not uncommon that tenants not happy with a landlord or property will log a complaint and follow through with a Subject Access Request to find out more information.”