Fears about new personal data laws allayed – but action is urged now
Guests at ARLA Propertymark’s annual conference heard the scare stories – and had myths dispelled – when speakers discussed the EU rules on personal data which come into force next month.
The General Data Protection Regulation (GDPR) is a regulation in EU law which aims to ‘give control back’ to citizens of their personal data.
It comes into force from May 25, and affects all companies processing the data of EU residents.
Penalties of up to 4 per cent of worldwide turnover or €20 million, whichever is higher, are threatened for non-compliance.
The GDPR also brings a new set of “digital rights” for EU citizens in an age when the economic value of personal data in the digital economy has increased – and has become highly publicised with the Facebook data scandal hitting media headlines.
Fears that companies will be savagely fined have been stoked by suppliers seeking to win business to make them ‘GDPR compliant’, members heard at the ARLA conference.
The Information Commissioner – the Government body responsible for implementation of GDPR in Britain – has plenty of powers at its disposal already, but usually focuses on help and guidance rather than sanctions.
Only those who have ignored advice and warnings usually end up being fined and, in the commissioner’s own words…
The Information Commissioner said: “It’s scaremongering to suggest that we (the ICO) will be making early examples of organisations for minor infringements or that maximum fines will become the norm.”
ARLA says the new rules will fundamentally change how businesses handle personal data and advised agents and property professionals to put a plan in place before the new legislation takes effect.
Research in February found that nine in ten businesses and charities have not even begun to prepare, and only 38 per cent of UK companies have even heard of GDPR.
The regulations call for fundamental changes to how companies collect, process, and store personal data, with much more stringent rules around use of data – along with heftier fines for breaches.
ARLA says companies should consider appointing a Data Protection Officer to be responsible for internal record keeping.
If you have over 250 employees, then a Data Protection Officer will be a legal requirement; if your agency is not that big, it is still sensible to have someone look after GDPR compliance.
Other key features of GDPR include:
- You must also have a valid lawful basis in order to process personal data.
- Long illegible terms and conditions full of jargon will be banned – and customers will have the right to request confirmation as to whether or not personal data concerning them is being processed and for what purpose.
- When requested, companies are required to provide a copy of the personal data, free of charge, in an electronic format.
- Customers have the right to request their data be removed and further distribution ceased in specific circumstances (e.g. where the individual withdraws consent).
- The collection of online identifiers such as IP addresses, cookies and tags also falls under the remit of ‘personal data’.
- The use of external marketing agencies will require you to have an official written contract to ensure they are fully compliant with the new law.
- Notifiable data breaches need to be reported to a data protection authority and the people affected within 72 hours, where feasible – or risk penalties.
- Companies are advised to document their processes involving personal data in the first instance; only once this has been done can processes become compliant.
ARLA’s overarching advice for agents is to prepare to change processes and procedures with training and support to ensure everyone in your team knows what to do.
With that in mind, ARLA is offering a half-day introduction course for property agents on how to implement an effective GDPR-compliant regime, with practical advice on business processes.
Data protection professionals will be on hand to offer expert advice and help companies get up to speed regardless of which stage of implementation they’re at. ARLA members can access a handy fact sheet and call a free legal helpline.
The ICO has also created a self-assessment toolkit to help evaluate a company’s level of compliance with the new regulations, and pinpoint which areas of a business need to be developed in order to be ready for GDPR.
For more information, take a look at the GDPR Myth-Buster blogs on the ICO website: https://iconewsblog.org.uk/