Let’s assume data security is not top of your to-do list. But our increasingly digital world is making it more and more important. Michael Day of Integra Property Services warns that protecting customer data isn’t optional. “You have to register with the Information Commissioner’s Office (ICO),” he says, “which a lot of agents don’t realise.” Any business which holds personal, identifiable information – whether on customers, applicants, or employees – needs to register, and not registering exposes the business to criminal prosecution with a potentially unlimited fine. While larger corporates and franchises have teams devoted to data management and compliance, smaller firms often don’t realise the full implications of the Data Protection Act.
The UK’s data security regulations don’t just cover the data that a business holds, but the purpose for which it is held. As Michael Day says, “You have to treat that information with respect, only use that information for the purpose it was given to you, and keep it secure.”
Does that sound like hard work? It needn’t be. Buying agent Henry Pryor says he manages basic compliance easily. “It’s not onerous. I sign up [to the ICO] every year, pay my £35, and look after the data. I password protect all customer data and back it up, and I don’t broadcast it.”
Not ‘broadcasting’ personal data means, for instance, not making referrals without permission, and not passing on a customer’s details to another agent without consent. That can make sharing vendors’ data with other agents tricky, though that’s something that can be covered off in the terms and conditions if you are smart.
Any business which holds personal, identifiable information must register with the Information Commissioner’s Office. It isn’t optional!
Michael Day points out that if someone registers to buy a house, passing their details to a conveyancer or mortgage broker should only be done with their consent. That’s true even if the business is in-house, since in most cases it’s a white label business and not under the same ownership. In fact, he says, getting consent is good business as well as good compliance, “since cold calling is bad business anyway.”
Data protection rules have also tightened up on using personal data to create email ad other marketing lists; Michael Day says “mailing lists should be opt-in, rather than opt-out”, and agents must ensure individuals can easily remove themselves from the list. You can’t necessarily assume that someone asking for details of a single particular property is interested in receiving updates on all properties in your inventory. (It’s also worth pointing out that apart from any data protection implications, pre-checked opt-in buttons are often seen by consumers as slightly underhand ways of subscribing them to spam. Make sure your opt-in/out policy doesn’t just comply with the regulations, but also looks straightforward and honest to your potential customers, and remember that every email sent to a list should have details on how to unsubscribe added at the bottom.)
Henry Pryor says, “Once someone’s bought or sold a property then in theory you should remove their information from your database,” since it is no longer useful – though many estate agents will continue to hold the data on the basis that in the long term, the individual may move again.
More generally, dumping print-outs of personal data in a bin-bag breaches the regulations; but equally, so could selling or throwing out computers without ensuring the data has not just been deleted, but totally wiped from the hard disk. Mark Goddard says, “Just because you think you’ve deleted it, that’s not bombproof.”
RISKS AND PROTECTION
Software can help agents protect their data. Mark Goddard says, “There are inherent challenges around how much access staff have to certain information. If you allow all staff open access to user data, you are at risk. The more people have visibility of stuff, the more risk there is.” By creating role-based access policies, software can limit employees’ ability to view or change data – not everyone needs access to bank account details, for instance.
You may share data with your software provider, portals, vendors and landlords and with outsourced service providers. It needs to be secure. Mark Goddard, ZPG.
Password protection also helps ensure data doesn’t end up in the wrong hands. But Goddard points out that just having passwords isn’t enough. “The password needs to be changed regularly so that if people leave they can’t get in,” he says. Firms need to manage users actively so that as soon as someone leaves the firm, their passwords are revoked. Such policies can be automated through software – but the firm needs to create a policy to start with.
He also advises agents to “Make sure your systems are backed up at all times,” explaining that “servers have a habit of going bang.” Agents who use a cloud software provider should ensure that backup is provided as a standard service (it generally is). But just backing up isn’t enough; firms need to know how to restore the data, and a trial restore from time to time can be useful not just in ensuring relevant staff know how to do it, but in checking the completeness and integrity of the backup data.
Keeping different databases can cause problems, for instance when someone wants to be taken off the mailing list but their details are only taken off the client database and not the mailing version. “Data duplication and trying to keep two different files in sync is a nightmare,” he says; “Eliminating data duplication is the Holy Grail.” Again, choosing a good software system can help to avoid such problems.
Ring-fencing data used to be simple in a world when computer systems were less connected than they are today. Now, agents may be sharing data with software providers, with Rightmove and other portals, with vendors and landlords through online portals or messaging systems, and with outsourced service providers. “Everyone is moving quite a lot of data around,” Mark Goddard says, “so you need to make sure they have really secure mechanisms.” Policies for what information can and can’t be shared with each counterparty need to be created; agents need to know exactly where data is going and how it is being used. Such communications also need to be secured to avoid data breaches. Goddard suggests that agents should use encryption for sensitive data such as bank and credit card details.
Can the software do it all for agents? Unfortunately not. Even if you’re using a cloud service, and all the data is held on your software provider’s servers, if you collect and control the data, then you are the Data Controller under the terms of the Act and they are not. That basic responsibility can’t be delegated.
Agents also have a duty to do due diligence on the software they’re using. That’s particularly important for users of cloud-based software. Mark Goddard says, “The key thing for any cloud-based software provider is who they use for the cloud – who is behind them.” Some use small providers which may not be resilient, while others use huge providers like Amazon. “If Amazon goes down, half the world goes down,” Goddard reckons.
He also notes that new legislation – the EU’s General Data Protection Regulation – will take effect in May 2018, “putting a lot more responsibility on people who handle data and on data processors”. While it hasn’t been widely reported, good software companies should be aware of it and should already be putting plans in place for complying, “rather than waiting for the drop-dead date.”
Even with all the best systems in place, agents can still come a cropper. For instance, Henry Pryor says, email can present a major pitfall. “Instead of bcc’ing, junior staff sometimes put the recipients’ email addresses all in the ‘to’ column, so everyone who gets the email can see them, and that is a breach of the regulations.”
And some agents are definitely pushing the boundaries. For instance, in 2012 a lettings agent was fined after trying to get information about tenants from the local council over the phone. ‘Creative’ ways of sourcing leads can also be problematic, particularly where personal data is gained through unfair or deceptive means. If a negotiator leaves one firm and joins another, taking the client and applicant databases with him, that could nowadays expose both firms to prosecution – the first firm for not protecting the data, and the second firm for illicitly acquiring it.
Once someone has bought or sold a property then, in theory, you should remove all their information from your database, since it’s no longer useful. Henry Pryor, Buying Agent.
But still, the biggest cause for agents getting fined remains simply not registering with the ICO. So there’s still a lot to do when it comes to getting data protection right in the agency sector.