On 25 May 2018, the General Data Protection Regulation (GDPR) comes into force in the UK, regardless of the UK’s decision to leave the EU. The GDPR is going to affect all businesses handling sensitive or personal data – in the property world that could be anyone, from landlords to property managers, contractors to estate agents. And it’s not just a toothless regulation that will be largely unenforceable – the GDPR will, among other things, give the ICO the power to impose significant fines of up to €20m, or 4% of annual global turnover.
Preparing for the GDPR day to day
Data is increasingly valuable to functions such as marketing and strategy, and so property sector businesses have been collecting it in larger volumes in recent years. Any entity previously subject to the Data Protection Act is likely to have to comply with the GDPR, particularly where large volumes of data are in play. The GDPR covers both personal data (anything that could be used to identify a person) and sensitive data (e.g. genetic data or political views). Everything from rent and payments collection data to property purchase and work invoices could be covered by the GDPR, and the pressure is now on to ensure this data is more responsibly and efficiently managed. For those in the property world, key GDPR changes could include:
- Review of the data that is currently collected from property customers and how that data is protected and managed within the organisation.
- New internal systems for responding quickly to requests about personal data held and for access to that data.
- The requirement to employ a Data Protection Officer with the requisite level of expert skill for businesses that are carrying out “regular and systematic monitoring” of individuals or processing a lot of sensitive data.
- Updates to data protection policies to ensure compliance across an organisation – the GDPR will make businesses much more accountable for the way data is handled than ever before, including reporting data breaches to the ICO and producing evidence of compliance where required.
- Reviewing existing documents, such as property management agreements, to ensure that they are compliant with the requirements of the GDPR and allocate risk fairly between the parties involved.
- Upgrades to data security to minimise the risk of a data breach.
25 May next year will be a significant day for any business handling data in the UK. Given the potential reputational damage and financial penalties involved in a lack of GDPR compliance, preparation now is key.