By this time, you most likely have heard of GDPR, or General Data Protection Regulation. But if you’re like many others, you’re probably still unclear on what it is all about and how it impacts your business.
GDPR is a European privacy regulation that governs how personal information is collected and used by a company’s data controllers, regardless of where in the world the company is based. It aims to strengthen the data rights of EU residents and give them better control over the use and distribution of their personal information.
The law took effect on May 25, 2018, after it was approved by the EU Parliament in 2016. It imposes hefty fines and stiff penalties on those found in violation.
If you have a business website, you may be violating GDPR regulations without knowing it. It’s high time to look into this new EU law and how it affects your real estate firm.
Is your business impacted by GDPR?
Your firm is directly impacted if:
- You market to the EU and other international buyers
- You sell properties in Europe
- You collect, use, and share EU residents’ personal information in any way
If you work with international clients, it’s imperative to make sure you’re GDPR-compliant.
Even if you do not traditionally work with international clients, it’s in your best interest to be GDPR-compliant so you don’t miss out on any opportunity.
There are other compelling reasons why you should consider complying with GDPR:
EU laws have a way of being adopted globally – a phenomenon known as the “Brussels effect.” In fact, shortly after the GDPR was implemented, the state of California passed a bill that closely mirrors the provisions of the GDPR.
It’s best to avoid potential violations and the legal hassle that comes with them. This is especially true if your website has an IDX feature or any form where users can enter their personal data. At this point, it’s not clear how the law may be applied to businesses outside the EU, but it’s safe to assume perceived violations will be closely investigated.
What data are protected by GDPR?
The GDPR’s definition of terms refers to “personal data” as “any information relating to an identified or identifiable natural person”. This information includes:
- Phone number
- Email address
- IP address
- Cookie identifiers
- Mental or psychological information
- Economic information
- Physiological and genetic information
How does GDPR work?
As detailed here, GDPR grants individuals the following rights:
The right to be informed.
You must explicitly state why you are collecting personal information, how the information will be used, how long you intend to keep the information, and if you intend to share it with any other individual or company.
The right of access.
Individuals have the right to know what data you have collected, including data shared with you by any other source. You must also disclose your sources and whom you share the data with. The information should be provided in an easy-to-use format within one month of the request.
The right to rectification.
Individuals can correct inaccurate or incomplete data.
The right to erasure or “to be forgotten”.
You have to comply with an individual’s request to have their data deleted from your database, and provide proof that you did.
The right to restrict processing.
A client may allow you to store personal information but prohibit its processing.
The right to data portability.
Individuals may move or copy their personal data from one service to another. If a client requests it, you must provide the data you’ve collected and allow its use for the client’s own purposes.
The right to object.
Individuals can refuse to have their data used for any purpose.
Rights in relation to automated decision making and profiling.
In several sections, the GDPR sets out the rules for using personal data in automated decision making and profiling. It also defines when automated decision making and profiling may be used.
What are the penalties for GDPR violations?
The potential fines for GDPR violations are quite significant – up to 20 million Euros or 4% of your company’s annual income, whichever is higher.
What do you need to do to comply with GDPR?
As a real estate professional, you have to watch how you handle and use client information.
Get explicit consent from the client to collect their data. The typical default consent tools, such as pre-checked boxes or ticking agreement to fine-print “Terms and Conditions,” may no longer be sufficient under GDPR rules.
Ensure you comply with clients’ requests to opt out of your marketing campaigns or to completely remove their information from your database within the prescribed period.
Be prepared to comply with clients’ requests to access and/or move their data within the prescribed period.
Consult an expert
GDPR compliance involves demonstrating that your website has been designed for data protection. This could encompass a wide range of modifications, including redesigning your databases and limiting the number of people who can access your stored data.
You need to document your data security measures, as well as your procedure for handling any data breach. Your data processing must have a lawful basis that complies with those listed here.
Agent Image can do a thorough review of your website and determine what needs to be done to help you achieve GDPR compliance. As the leading experts in website design and development, we keep ourselves abreast with new regulations that can affect our clients’ operations and profitability. To find out more about GDPR, send us a message here or call us at 1.800.979.5799.