According to research from lawyers Collyer Bristow, over a third of agents know nothing about GDPR. A good slug of others hope that Brexit will get them out of complying with this EU-initiated change, even though the regulations will come into effect before we leave the EU. Grant Jaquest, at Bright Logic (suppliers of Acquaint CRM), says, “Many estate agents are still unaware or unprepared for the challenge of GDPR,” though he’s “working hard” to make sure his own customers are prepared for the change.
While GDPR looks fairly similar to the requirements of the Data Protection Act, it introduces several new factors, which, added together, up the ante significantly. For a start, the fines for a breach of the regulations have been vastly increased; fines can reach up to four per cent of a business’s turnover, with a maximum €20m.
GDPR also demands that data controllers can demonstrate express consent for marketing emails. “This means no more pre-ticked boxes,” says Mike Smith of Lonsdale Insurance Brokers and an opt-out strategy won’t cut the mustard at all. GDPR also introduces two new rights for data subjects: the right to erasure (‘right to be forgotten’), and the right of portability, which allows a customer to ask for their data to be forwarded to another supplier.
At the same time, the individual’s existing right to view the data held on them is maintained, but the £10 fee for each request has been abolished. That adds up to quite a lot of change – a challenge that software systems will have to meet.
SYSTEMS AND SUPPLIERS
Some software providers have already included advice on GDPR readiness on their websites; Reapit, Dezrez and Acquaint CRM, for instance, all have explanatory details, and will be making full GDPR compliance part of their software going forward. Reapit has also announced a series of events with ARLA to explain GDPR and advise agents on preparing for it.
On the other hand, GDPR could make some older systems throw in the towel. Property Software Group has said GDPR has forced it to retire some of its older products (the main Winman product is not affected). That leaves agents with a double problem of getting new software at the same time as changing their business processes to comply with GDPR; not an ideal situation.
The requirement for auditable opt-ins will make particular demands on CRM software; fortunately, most software providers are already on the case. For instance Reapit’s journal – a timeline of every contact with an individual – will be enhanced to improve the recording of consent data, including the IP address where contact has been made via the website. GDPR requirements for data portability, erasure, and subject access requests, too, can all be met automatically. As Daniel Hare, Head of CRM at Reapit, points out, “manually compiling that information would be a real bind.”
Even better news, agents won’t need extra training as this functionality can be built into the system with a minimum of disruption. Bright Logic’s Grant Jaquest says, “We’re trying to make it dead simple and prompt users to do things at the right time.” Audited consent requires one more keystroke, and that’s all.
The right to erasure can also be handled by the software, but the technology is a bit trickier. When you delete someone’s personal ID, you obviously don’t want to delete all the records relating to them; you’d lose all your historical financial data. As Grant Jaquest explains, “All good software products maintain data relationships and integrity, and now we need to deconstruct these in a controlled manner.” So the software handles right to erasure by anonymising the data.
But GDPR isn’t just about the technology you use. Daniel Hare says, “A lot of people perceive it to be a technical issue, but it’s not.” He advises agents to start by doing an audit; analysing what data they hold, and how they use it. He also warns that top management needs to buy in. “I don’t think any external consultant can make an agency compliant,” he says. “You’ve really got to do this internally.”
He also warns that agents who think GDPR is just about consent are missing the point. Consent is a big part of GDPR, and as far as mailing lists and referrals go, it’s the biggest change. But GDPR specifies a number of other reasons for holding and processing data; for instance, when you are exercising a statutory function, such as complying with anti-money-laundering legislation or carrying out right to rent checks. There’s also ‘legitimate interest,’ for instance where a lettings agent forwards data on a tenant in arrears to a collections company – though that interest needs to be balanced with the rights of the data subject.
ISSUES AND GUIDANCE
These areas currently look a bit murky. Daniel Hare says, “We still don’t have the full picture as the ICO hasn’t yet published all of their guidance.” It’s possible that in some areas, it will take a number of test cases in the courts to define the regulations.
There will also be an increasing number of issues around data sharing. An estate agent who is selling a house will still be able to share data with the vendor’s and purchaser’s solicitors, since the data is held for the purpose of making that transaction, but what about a lettings agent who wants to pass tenants’ phone numbers on to, say, an inventory company or a window cleaner?
All good software products maintain data relationships and integrity and now we need to deconstruct these in a controlled manner. Dan Hare, Reapit.
Rochelle Trup, Managing Director of property software firm Arthur, says that under GDPR, “Individuals must explicitly agree to their data being used for different purposes. So for example, the letting agents will need consent to pass on a tenant’s contact details to a contractor for maintenance work.” (GDPR also states that only the data that’s specifically relevant should be shared.)
GDPR also requires data to be securely kept. That duty doesn’t end at the front door of your office; agents need to be sure that the link between themselves and third parties is secure and that the third party has adequate data protection policies in place. Email is unlikely to be secure enough – using a VPN or sharing a secure, password-protected portal may be the answer.
Individuals must explicitly agree to their data being used for different purposes, e.g. the agent needs consent to pass on a tenant’s contact details to a contractor. Rochelle Trupp, Arthur.
CLEAN YOUR DATA
Even if you’ve got your software ready, briefed your staff on the need for auditable consent, and got your software in order, there is a massive problem facing many agents, and that is their existing data. Many firms rely on a huge historical database for their mailing lists. Over the years, they have added “everybody they have ever dealt with, in any way whatever,” says Grant Jaquest, and for many, it has been a successful strategy.
But according to Mike Smith, “you will now need to either re-approach everyone on your mailing list and obtain their consent again in a compliant manner, or alternatively delete this data.”
Losing a massive slug of the mailing list overnight is a scary prospect, so firms that put off requiring opt-in till May 25th could be making a mistake. Firms that ask for opt-ins from individuals already on their mailing lists will probably see some attenuation of their database now, but will avoid hitting a wall in May (or exposing themselves to the possibility of a large fine if they are non-compliant). There is some work involved to ‘clean’ a database, though good software should make it possible to automate the process.
Agents might also want to think about how they can target their marketing better. Individuals who have explicitly opted in are likely to be more receptive to marketing, so moving to a smaller list with a higher click-through rate could be a winning strategy, but it will need some rethinking of how that marketing is going to work.
There are also going to be knock-on impacts on third party businesses. For instance TraceWiseUK says, “It will no longer be possible for us to provide landlord contact data to enable agents to contact landlords for marketing purposes,” – the service will be discontinued in March. While credit reference and other referencing agencies should have got their act together – Lets Safe says it’s already GDPR ready – agents need to ask their providers proactively about any possible issues.
Daniel Hare says, “Referrals are definitely an area to watch, and agents need to map those processes.” Agents who have made referrals into a decent sized source of income may need to think hard about how to address GDPR issues.
There may also be an issue with leads from property portals. GDPR requires data to be used only for the specific purpose for which it was gathered. So if an applicant requests details of a property via Rightmove, the agent can only use that request to send details of that property – not to add the applicant to their mailing list – unless further consent is obtained. Obviously, agents need to include a request for consent with the property particulars, but if they don’t get that consent, there is nothing they can do.
Another aspect of GDPR that all agents need to think about is data retention. GDPR says that data should be disposed of (or anonymised) once it is no longer needed; once the sale of a property has been completed, an agent technically doesn’t need the vendor’s personal data.
A proactive archiving policy isn’t actually required by the new regulations, but it could make compliance quite a lot easier to achieve.
That is all quite a lot of work and far more than just readying the software. In fact, Grant Jaquest says, “The techie side of it is the easy bit!”
The simple things are the most overlooked, like ensuring your computer systems are always up to date and your staff have personal logins. Steven Flatman, PlanUp.
GDPR isn’t just about data processing, either, it’s about keeping data secure, and that applies whether the data is held in a server, on a laptop, or even in paper form. It’s easy to overlook physical data security, but Steve Flatman of PlanUp warns that this can be a terrible mistake. “The simple things in protecting data are normally the most overlooked,” he says, “like ensuring that your computer systems are always up to date, setting personal logins for your staff members and ensuring they lock the machine when they step away from their desk, making sure that you use a good anti-virus software and even locking down work machines to restrict access to certain types of website.”
USB sticks are convenient but can prove dangerous – they’re easy to lose – while many negotiators and property managers go out with data on their unsecured laptops. In some offices, photocopies of people’s passports are left lying on desks or in an unlocked filing cabinet. Particularly for smaller branches where there’ll sometimes only be one member of staff looking after the office, this kind of laxness can lead to trouble. Daniel Hare says, “This is what’s going to lead to breaches of the regulations.”
And regardless of how well you think your systems are protected, as Mike Smith points out, agents are at risk of a cyber attack. In which case, not only will they be reporting a breach to the ICO, but the financial consequences could be very serious, as well as immense damage done to the agent’s reputation. That’s why Lonsdale Insurance Brokers recommend that anyone holding client data should take out cyber insurance, which as well as dealing with any attack “can guide you through the regulatory requirements following a cyber attack or data breach.”
This is all hard work, and for some agents, preparing for GDPR will cost money. But it’s worth remembering that GDPR is about protecting individuals; look at some of the big hacking attacks in the US and you can see just how damaging to a company’s reputation the loss of data can be. It’s about professionalism, too, and about improving client service. So as Daniel Hare says, ignore the scare stories about fines, and think how GDPR can deliver a better service for vendors, purchasers, landlords, and tenants – “let’s do this with a view to actually improving things, not just out of terror”.