4 March 2018
The General Data Protection Regulation (GDPR) becomes law on 25 May 2018 and will tighten responsibilities on all businesses with regard to their management and use of the data they hold. In an industry where contacts are everything, it is vital that businesses know what the policy is going to mean for them and, importantly, ensure that they are fully compliant when the legislation takes effect. With this in mind, here is a short guide to the essentials everyone should be looking out for.

Businesses will hold information on both current and historic clients across a range of electronic devices including PCs, mobile phones and CRM systems. Then there are the paper records and address books, which may be archived but are still in existence. One of the key requirements under GDPR is knowing what data a company has and where it is held. Under the legislation consumers have the right to access or even delete their records, which means that carrying out an audit of existing data is a necessary first step on the road to compliance. In addition, businesses will need to put in place processes for dealing with consumer requests, as well as making sure that existing privacy policies are up to date.

One of the guiding principles of GDPR is that data should only be held for the purpose it was provided for, and for no longer than necessary to fulfil that purpose. Other rulings central to compliance include the principle of opting in. Under GDPR consumers will be asked to opt in when providing their data, which means that businesses will no longer be able to rely on customers choosing to opt out.

There are of course many existing precedents for holding data, such as those surrounding anti-money laundering compliance, which businesses will be familiar with and able to draw upon. The ‘legitimate interest’ provision in the regulation will apply in many instances, enabling professionals to retain and use data lawfully. However, the ability to gain express client consent will be non-negotiable.

The new rules raise the requirements for security of data. While reputable professionals will already meet these, there will be an obligation to report any breaches of data, with significant potential fines for non-compliance. There will be various knock-on implications, such as the passing of personal data to third parties. It would be prudent to talk to suppliers, ensure their processes are robust, and at the same time build required standards into service level agreements and staff contracts of employment or terms of business.

While there is currently a lot of noise surrounding GDPR, the reality is that most businesses will be able to cope with the changes internally. However, GDPR cannot be ignored, and leaving plans to the last minute could result in an inability to legally use data, leaving businesses open to falling short of requirements.