After 4 years of debate, the new General Data Protection Regulation (GDPR) was passed by the European Parliament on 14th April 2016 and will come into force on 25th May 2018.
For most Estate Agents their database is the goldmine and source of contacts for prospecting, so it will come as quite a blow to lose a database gathered over many years of trading, on top of the huge loss of income for those also trading in lettings when the tenant fee ban comes into force. There is lots of discussion about what will happen to the ‘database’ when the new regulations come into effect, but the most important thing to remember is that a breach of the regulations carries a fine of 4% of your global turnover or €20 million – whichever is higher. Compliance is therefore paramount, and here’s your checklist:
- These regulations cover a much broader spectrum than previous Data Protection Laws, including IP addresses and key-coded or encrypted data. So your customers MUST consent to being contacted and must easily be able to withdraw from receiving correspondence or calls from you. You cannot even send past clients a Christmas card unless they have given their consent.
- Soft ‘opt-ins’ are no longer an option. That’s where you automatically opt someone into your newsletter or correspondence UNLESS they tick a box saying they don’t want to receive it. Best practice is a double opt-in, so that you have definite proof: you fire off an automatic email to complete the opt-in process, and the client has to click on the link in it to finalise.
- Businesses MUST delete and destroy personal data as soon as it is no longer relevant for the purpose it was given.
- Businesses MUST be able to show records of how an individual opted in to receiving your DATA, and it is advisable for that record to be date stamped and initialled by a team member.
- Decision makers and key staff members must be aware of the changes in the law so it is advisable to have a Data Protection Officer who pushes through the regulations to the team, although only companies with 250 staff or more MUST have a DPO.
- Make sure that your company systems and processes are set out to reflect the regulations, and update your privacy notices to cover any changes.
- Individuals can request a FREE digital copy of their data from you, so have a process for providing this. Individuals can also request a transfer of their data, so you need to be able to provide that too.
- You MUST notify the supervisory authority of any breach of the regulations within 72 hours. So if you get hacked, if you lose a laptop or PC with sensitive data on it, or if company phones with access to your software systems go missing, all of these need to be reported and investigated by you.
- Finally, remember to BLIND COPY (Bcc) your recipients’ email addresses and don’t send a Round-Robin email out with everyone’s details on show!
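The double opt-in and the date-stamped, initialled consent record from the checklist above can be implemented as a small consent ledger. The following is an added example, not code from the original post: it signs the confirmation link with an HMAC so it cannot be forged, makes the link single-use and time-limited, records who logged the request and when each step happened, supports withdrawal, exports the record for a subject-access copy, and purges requests that were never confirmed. The secret key, the 48-hour link lifetime, the in-memory ledger and the sample email addresses are all constructed for the demo.

```python
"""Double opt-in consent ledger (added example; all values below are constructed)."""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed for this demo (assumption): use a managed, rotated secret in practice.
SECRET_KEY = b"demo-secret-replace-with-a-managed-secret"
CONFIRM_TTL_SECONDS = 48 * 3600   # assumed lifetime of a confirmation link


@dataclass
class ConsentRecord:
    email: str
    purpose: str                          # what the person consented to, e.g. "newsletter"
    requested_at: int                     # unix time the form was submitted (step 1)
    recorded_by: str                      # initials of the team member who logged it
    pending_nonce: Optional[str] = None   # set until the confirmation link is clicked
    confirmed_at: Optional[int] = None    # unix time the link was clicked (step 2)
    withdrawn_at: Optional[int] = None    # unix time of opt-out, if any

    def is_active(self) -> bool:
        """Contact is allowed only after confirmation and before withdrawal."""
        return self.confirmed_at is not None and self.withdrawn_at is None


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def request_consent(ledger: dict, email: str, purpose: str, recorded_by: str, now: int) -> str:
    """Step 1: log the request and return the token to embed in the confirmation link."""
    nonce = secrets.token_hex(16)
    ledger[email] = ConsentRecord(email, purpose, now, recorded_by, pending_nonce=nonce)
    payload = json.dumps([email, now, nonce]).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(payload)}"


def confirm_consent(ledger: dict, token: str, now: int) -> bool:
    """Step 2: the link was clicked; verify the token before marking consent confirmed."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError:                    # malformed token or bad base64
        return False
    if not hmac.compare_digest(_sign(payload), sig):
        return False                      # tampered or forged link
    email, issued_at, nonce = json.loads(payload)
    if now - int(issued_at) > CONFIRM_TTL_SECONDS:
        return False                      # stale link
    rec = ledger.get(email)
    if rec is None or rec.pending_nonce != nonce:
        return False                      # unknown, already used, or superseded
    rec.confirmed_at = now
    rec.pending_nonce = None              # token is single-use
    return True


def withdraw_consent(ledger: dict, email: str, now: int) -> bool:
    """Record an opt-out; the record is kept so the withdrawal itself can be evidenced."""
    rec = ledger.get(email)
    if rec is None or rec.withdrawn_at is not None:
        return False
    rec.withdrawn_at = now
    return True


def may_contact(ledger: dict, email: str) -> bool:
    rec = ledger.get(email)
    return rec is not None and rec.is_active()


def export_record(ledger: dict, email: str) -> Optional[dict]:
    """Copy of what is held about the person, minus the internal nonce."""
    rec = ledger.get(email)
    if rec is None:
        return None
    data = asdict(rec)
    data.pop("pending_nonce")
    return data


def purge_stale(ledger: dict, now: int) -> list:
    """Delete requests that were never confirmed once their link has expired."""
    stale = [e for e, r in ledger.items()
             if r.confirmed_at is None and now - r.requested_at > CONFIRM_TTL_SECONDS]
    for email in stale:
        del ledger[email]
    return stale


if __name__ == "__main__":
    ledger, t0 = {}, 1_700_000_000
    token = request_consent(ledger, "client@example.com", "newsletter", "JS", t0)
    print("before click:", may_contact(ledger, "client@example.com"))
    print("confirmed:", confirm_consent(ledger, token, t0 + 60))
    print("after click:", may_contact(ledger, "client@example.com"))
```

The ledger never treats the form submission alone as consent: `may_contact` returns `False` until the signed link has been clicked, and the nonce check means a link cannot be replayed after use or after a newer request for the same address.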
So that’s the nuts and bolts of the legislation. Get speaking to all of your clients and ask for their opt-in, get it recorded, double it up with a confirmation email, keep the details on file, make sure that all of your staff are on board, and GOOD LUCK.
You can read more information here: http://www.eugdpr.org/