Comprehensive Guide to GDPR Compliance for Irish Real Estate Businesses
On Friday 25th May the new GDPR (General Data Protection Regulation) rules come into force and the question remains; Is your property business prepared for it and its many guidelines? The regulations provide for increased data protection rights for individuals and increased obligations on both data controllers (the entity determining what data is collected and why) and data processors (the entity actually obtaining, recording, adapting or holding it on the controller’s behalf).
Central to the new law is the obligation for organisations and businesses to be completely transparent about how they are using and protecting personal data, and to be able to validate culpability for their data processing activities.
What constitutes ‘personal data’
For the purposes of GDPR, personal data is deemed to be any directly or indirectly identifying data that is unique to an individual. This applies to data that is collected over time or via an automated process. Personal data includes: Names, dates of birth, postal contact details, email addresses, phone numbers, photographs, social media contact, pseudonymised data, IP addresses, cookies or similar, trade union membership, religious or political beliefs.
To help you get your business prepared we’ve done the relevant research and consulted with the experts in data protection to provide you with a detailed GDPR compliance guide that is comprehensible and effective – of course, if in doubt, consult your legal adviser.
Create a team
Protecting individuals’ private data requires a company-wide commitment and it should include all your staff in an estate agency. Most teams in estate agencies are small to medium giving you a direct route to providing your staff with the information they need to be aware of regarding GDPR. Meet regularly and have clearly defined tasks with specific team members and due dates to deliver solutions and strategies to stay within the guidelines. Ensure colleagues know both the latest compliance practices and who to contact if they suspect data has been compromised. Integrate compliance education into training and plan yearly sessions for all employees.
Decide if you need a Data Protection Officer
Consider whether you need a Data Protection Officer (DPO) to be compliant with the GDPR requirements. For small estate agencies it may be best to consider hiring a third-party DPO to handle it considering time restrictions and lack of training in staff members. Remaining compliant within the guidelines is quite intricate and details must be adhered to. A third-party DPO will analyse every part of it and act accordingly however, finding one may prove difficult. According to a recent article in the Irish Independent DPO’s are in high demand but there are not nearly enough! More than 28,000 will be needed in Europe and U.S. and as many as 75,000 around the globe because of GDPR, the International Association of Privacy Professionals (IAPP) estimates.
Know your data
Once you have your team in place, it’s time to assess and understand the data your business manages. It isn’t as simple as managing customer data but also employee data must be considered too. Under the GDPR, individuals will have a stronger right to have their data removed where customer consent is the only defence for processing. A privacy notice will have to explain your legal basis when you answer a subject access request. Consider how much personal data you gather, and why? Withdraw any categories you don’t need.
One potential challenge is figuring out who has access to protected, personal data. When access is decided a business should consider how their company is securing that data, especially if it is transferred across countries.
Review how you seek agreement and consider, whether changes need to be made. Consent must be given freely, and your customer can not feel obligated to consenting. Consent must be provable, as the GDPR advises that organisations must be able to demonstrate or prove consent was given.
It is imperative you review all privacy notices and revise as the GDPR requires employers to clearly inform workforces of their rights as well as how they use employee data. Businesses must audit data collection practices and ensure the HR team is collecting essential personal information and has a process in place to delete personal data in accordance with retaining timetables.
Plan how to respond to data requests
Individuals have new rights under the GDPR, such as the right to data portability and the right to removal. You’ll want to create or update processes for managing personal data requests while considering in which situations data can be deleted upon request by individuals.
Response to a breach of security
In the event of a breach of security, the GDPR requires organisations to report the incident to the Data Protection Authority within 72 hours of becoming aware of the breach. It is vital you name the person responsible for investigating and containing the breach. They must also be reported to the individual affected and if a breach is not reported an organisation could potentially face a fine.
Finally, it’s all about consent
Do not ignore GDPR. Make it your business to find out everything now before it comes into effect for the sake of your business. The golden rule is ‘Consent’, your customer will have full control over the data they give you. This consent must be freely given and your customer must be able to withdraw it at any time.
Ignorance of the law is never an excuse and the penalties can be up to 4% of global turnover or €20 million.
Finally, if in doubt, don’t take any chances, contact the Office of the Data Protection Commissioner (ODPC) through their dedicated GDPR website.