It has now been three years since GDPR took effect for estate agents. The changes prompted industries to overhaul their use of client and other personal data.
That led to several high-profile breaches and prosecutions. And the property sector wasn’t immune.
One independent agency in London was fined £80,000 after the Information Commissioner’s Office (ICO) found it had left 18,610 customers’ personal data exposed for almost two years.
Covid-19 has introduced even more challenges. The exchange of data between property owners, agents, legal professionals and tenants has moved online. So what are the new frontiers in terms of GDPR for estate agents?
Propertymark CEO Nathan Emerson believes most of the industry is complying or trying their best to comply – and that Covid-19 has even resulted in some positives.
“One of the biggest areas of change has been the removal of paper from day-to-day transactions,” he said. “A lot of operating systems that agents use such as CRMs have GDPR compliance built in.
“The advent of proptech and online storage solutions actually puts the industry in a much more compliant place than before.”
If they don’t comply with GDPR rules, companies face the prospect of losing 2-4% of their annual global revenue for serious violations.
So far, fines have come nowhere near that mark. But agents shouldn’t be complacent, according to David Smith, a partner at JMW solicitors, who has written a book on the subject, “A Practical Guide to GDPR for Property Professionals”.
He said fines have been issued to companies over data loss, and there has also been an increase in court claims.
Leading anti-money laundering firm SmartSearch recently warned that many businesses may be at risk of being in breach of GDPR rules. Brokers, lenders and conveyancers were among those most at risk.
SmartSearch attributes this to the fact that many firms within property are still reliant on physical copies of personal documents.
Although GDPR rules were initially drafted and passed by the European Union, UK GDPR, which mirrors the EU version, is now in place. However, the ICO, which upholds information rights in the UK and EU, continues to oversee data protection.
UK GDPR follows similar principles, although the UK now has the power to review and amend regulatory rules.
Last month, the EU formally recognised the UK’s data protection standards and allowed the continued seamless flow of personal data from the EU to the UK.
But, if you serve customers living in the EU and need to process their data, you need to ensure you comply with EU GDPR when doing so, even if you’re based in the UK.
“People forget that you’re required to have a representative where you process data, so if you’re dealing with landlords in the EU for example, you’d need an office in an EEA country or an EU representative,” advises Smith.
He warned that using well-known US email marketing services can be fraught with problems too. Companies should carry out a risk assessment if they do use them.
The Cambridge Network advises that moving forward, companies may need to alter their GDPR policies and processes to align with UK GDPR. That includes changing relevant documentation.
This may include updating the following to reflect the UK as independent of the EU and to represent the wording shown in the UK GDPR regulation:
But will GDPR even survive once the UK begins to deconstruct EU law?
Some political commentators and advisors want it watered down. This includes the Taskforce on Innovation, Growth and Regulatory Reform.
Its report labels GDPR as prescriptive, inflexible and particularly onerous for smaller companies and charities.
The Taskforce believes there are other ways to process data that don’t require consent. It suggested creating a UK Framework of Citizen Data Rights.
This, it argues, would give people greater control of their data while allowing data to flow more freely.
It’s fair to say GDPR hasn’t had a great press in Europe either. EU privacy commissioner Johannes Caspar recently stepped down, calling it “broken” and blaming infighting for rendering it ineffective in regulating big tech firms.
Caspar pointed to a backlog of 28 cases against big tech firms in the Republic of Ireland as a red flag for GDPR dysfunction.
The government might try to give it a light touch so that in the future, firms might even find that they are over-compliant, reckoned Smith.
But in the meantime, while it still holds sway, he reasons that knowledge is power.
“Agents should know what their responsibilities are and carry out staff training,” he added.