GDPR – Are you compliant? A 10 point checklist for Letting Agents - Maras
The General Data Protection Regulation (GDPR) came into force at the end of last month – but some agencies are still getting to grips with the new rules, and what they mean for day-to-day business.
post-template-default,single,single-post,postid-17568,single-format-standard,qode-listing-1.0.1,qode-social-login-1.0,qode-news-1.0,qode-quick-links-1.0,qode-restaurant-1.0,ajax_fade,page_not_loaded,,qode-title-hidden,qode_grid_1300,footer_responsive_adv,hide_top_bar_on_mobile_header,qode-theme-ver-12.1,qode-theme-bridge,bridge,wpb-js-composer js-comp-ver-5.4.2,vc_responsive

GDPR – Are you compliant? A 10 point checklist for Letting Agents

The General Data Protection Regulation (GDPR) came into force at the end of last month – but some agencies are still getting to grips with the new rules, and what they mean for day-to-day business.


While the Information Commissioner’s Office is likely to be both supportive and lenient with businesses as the regulations bed-in, bigger firms could be charged up to 20 million euros for serious data breaches.


Take a look at our check list here, and see if you’ve covered all your bases.


1) Have you completed your audit?


While your main contact database might have been the obvious thing to bring into line with GDPR, it’s worth checking to make sure other contact lists haven’t been missed, including on local devices and drives – like individual laptops.


Often it can be archived information from one-off mailings, events or other listings. Don’t get caught out, and don’t be afraid to delete. This should become an automated process where possible, and you need to make sure information is also deleted from back-up drives, cloud hosts, and any suppliers.


2) Have you updated your IT systems?


All devices used by agency staff must be password protected, with a system in place to change passwords on a regular basis and ensure their security.


If your website involves forms or any other sort of personally identifiable data, it must have an SSL certificate (https).


Data now needs to be depersonalised with a unique identifying reference, so for instance separating out how much a rent is owed from the customer’s name so they can’t be instantly identified from a single record.


You will also need to be able to transfer data – for instance to a rival agency – if your customer requests it. Using professional software is usually the best way to ensure this process is easy and secure, so if you haven’t invested in a CRM system, it might well be worth doing so.


Likewise, you need to check your data storage systems. Using local physical servers is not as safe as using an externally hosted or cloud based, professional system.


Finally, if you’ve got free wi-fi in your office for customers and clients, it needs to be on a separate network to your office systems. You also need to update your online privacy and cookie policies.


3) Have you gone beyond digital?


It would be nice to think that all letting agents have gone all online, but practically that’s not how most agencies work. Don’t get so caught up in the electronic world you forget about the physical one.


You need to make sure your filing cabinets have been spring cleaned, and any old or irrelevant information is appropriately destroyed. Hard copy information should locked away securely at the end of each day, and your premises needs to be secure too. It’s worth checking the locks and alarms at all of your branches.


4) Are you talking to customers about their data on an ongoing basis?


GDPR didn’t begin or end on 25 May. It’s imperative you make sure you’re getting explicit permission for everything you want to use a customer’s data for.


Customers need to be able to opt in at every stage – so ask, ask and ask again.


5) Are your suppliers GDPR aware and compliant?


Letting agents work with numerous suppliers, from solicitors to maintenance firms, referencing and insurance companies to cleaners, painters and decorators. Under GDPR, the interfaces and connections to your suppliers should be firewall and password protected. Ask about their data security policies – because not knowing is not a good enough excuse. If you haven’t got contracts in place which specify how data is collected and stored, you need to create them now.


6) Is GDPR now part of your business planning?


Every single process in you agency, old and new, needs to have GDPR built in. Think through your processes from beginning to end – from when you first meet a potential tenant or landlord through to the first forms they fill in – if they’re scanned, where hard and electronic copies are filed, how long they’re kept, if they’re added to a database – and whether that database in online or locally stored.


Start building GDPR into all of your systems by default.


7) Have you changed your marketing strategy?


Marketing also comes under the scope of GDPR, and it’s going to change how you approach new prospects and cross-sell products to existing ones.


Customers will need to choose to opt in for different services, and their authorization needs to be recorded and stored. The key is about asking for permission, and making it easy to opt out of all forms of marketing.


8) Have you got a breach plan in place?


It’s not enough to just try and make sure you’re compliant – you need to have a plan in place in case there is a breach of data, so you know exactly what you’re going to how and how.


Any data breach involving the loss of customer details has to be reported to both officials and to the customers involved within 72 hours , Get your processes in place so you’re monitoring firewalls, spam filters and connections. Write a procedure detailing the steps you’ll take if you find a breach, and even go as far as to write those template emails. Hopefully you won’t have to use them.


9) Are all your staff GDPR trained?


One designated person in your organisation dealing with GDPR is simply not enough. It just takes one member of staff to save something on a USB stick to take to a conference, and you’re in breach. GDPR is the responsibility of everyone in your agency – and that really needs to be led from the top.


If you haven’t yet invested in training for your staff, take a look at the ARLA website for some options – including their ‘late to the GDPR party’ course.


10) Are you GDPR positive?


With the tenant fee ban looming, and other market pressures, it can be hard not feel somewhat under siege. But in essence, GDPR is about great customer service, and it’s that service that is going to set your agency apart in an increasingly competitive market. It’s an opportunity to get your data in order, streamline and standardize your property and tenant management processes, make your marketing more targeted and more effective, and your business more efficient.