Legal disclaimer: these FAQs have not been prepared by a lawyer, and do not in any way constitute legal advice. They have been prepared as an introduction to the GDPR, to explain Homeflow’s current understanding of its implications on our business, our clients and our services.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new EU regulation that will supersede the UK's Data Protection Act 1998. It brings data protection legislation into line with new, previously unforeseen ways in which data is now used, and aims to give people more say over what companies can do with their personal data. It also introduces potentially much tougher fines for non-compliance and for breaches.
When does it come into force?
The GDPR will apply to all businesses and organisations from 25th May 2018.
Who does the GDPR apply to?
Both “controllers” and “processors” of data must adhere to the GDPR. A data controller is the party that determines why and how personal data is processed, while a processor is the party that does the actual processing on the controller's instructions. With reference to Homeflow's services, Homeflow is the data processor acting on behalf of its clients, who are the data controllers.
How does it differ from current data protection legislation?
After 25th May 2018, all personal data must be processed lawfully, transparently and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted. In the case of Homeflow and its clients, lawful processing usually rests on one of two grounds: the individual has consented to their data being processed (for example to receive property alerts or to be contacted about a viewing), or the processing is required to perform a contract or to comply with a legal obligation (for example holding information about a client).
Will Brexit affect our obligations under GDPR?
No. The GDPR will come into force in May 2018, while the UK is still a member of the EU, and will continue to be in force after Brexit.
What about the PECR?
The Privacy and Electronic Communications Regulations (PECR) do not exempt organisations from the GDPR; they sit alongside it and govern electronic marketing and cookies in particular. It is expected that the PECR will be brought into line with the GDPR in due course. Estate agencies need to ensure they are compliant with the GDPR by the 25 May deadline regardless.
How do I get consent from individuals under the GDPR?
Consent must be an active, affirmative action taken by the individual, rather than the previously common passive acceptance of a pre-ticked check box. This is why many companies are implementing a double opt-in process to gain consent from individuals: the individual first submits a form, and is then sent a confirmation email containing a link; consent is only treated as given once that link has been followed. The confirmation step assures the data processor that the personal details were indeed provided by the data subject him/herself and not entered by a third party. A record of how and when each individual gave consent must be kept (the controller is responsible for being able to demonstrate this, and a processor such as Homeflow keeps the record on the controller's behalf), and the individual may withdraw consent at any time, at which point processing on the basis of that consent must stop.
What is defined as personal data under the GDPR?
Anything that counted as personal data under the Data Protection Act 1998 also qualifies as personal data under the GDPR, but the definition is substantially expanded. For example, online identifiers like IP addresses now count as personal data, and pseudonymised personal data is subject to GDPR rules if it is possible to identify the data subjects to whom it relates.
Where are our servers located?
Our principal servers, where personal data is held and processed, are located in the UK. In addition, we back data up to secure servers with Amazon Web Services, located in the United States. Amazon Web Services is certified under the EU-US Privacy Shield Framework, which is the basis on which transferring personal data to those servers meets the GDPR's requirements for transfers outside the EU.
Does Homeflow have plans for managing a data breach?
Under the GDPR, a processor that suffers a personal data breach must inform the data controller without undue delay after becoming aware of it. The controller must then report the breach to the supervisory authority (in the UK, the Information Commissioner's Office) within 72 hours where feasible, and must also inform the individuals affected without undue delay where the breach is likely to result in a high risk to their rights and freedoms. Homeflow has systems and a protocol in place for preventing and managing a data breach so that its clients can meet these deadlines.
What is Homeflow doing to be GDPR compliant?
We have appointed a Data Protection Officer (DPO), and our efforts to comply with the new regulation involve both our technical team – who are making some changes to the core system so they are available to all our clients – as well as our central and marketing teams, to ensure that any changed approach is adopted appropriately throughout the business.
Among other things, we are focusing on making privacy the absolute default setting. We've completed a comprehensive audit that identified what personal information we store for our clients, what that data is used for, where it's held, and how it's accessed. Following that audit, there are two principal changes we're making. First, forms on websites are becoming “double opt-in”: before anyone can use personal information that has been collected via a form, we will need to ensure that the individual has explicitly confirmed their consent for the information to be used in that way. Second, we're improving the way we allow an individual to access any data we hold on them, including providing the ability for them to have it deleted if they so wish.
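The double opt-in mechanism described in the consent FAQ above and in the form changes just mentioned can be implemented with a signed, expiring confirmation token plus a consent record that stores how and when consent was given and whether it has been withdrawn. The following is an added illustration written for this page, not Homeflow's own code. It assumes a server-side HMAC secret, a 48-hour lifetime for the confirmation link, and an in-memory dictionary standing in for the consent table; the email addresses, purpose names and form source are constructed sample values.

```python
"""Double opt-in consent: signed confirmation token + consent record.

Added example, not Homeflow's code. Assumptions: SECRET_KEY is held server-side
(never in source control in a real deployment), tokens live for 48 hours, and
ConsentStore stands in for a database table.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SECRET_KEY = b"replace-with-a-random-server-side-secret"  # assumed placeholder
TOKEN_TTL_SECONDS = 48 * 3600                              # assumed link lifetime


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(email: str, purpose: str, issued_at: int, key: bytes = SECRET_KEY) -> str:
    """Token binding the email, the consent purpose and the issue time; HMAC-SHA256 tagged."""
    payload = json.dumps({"e": email, "p": purpose, "t": issued_at, "n": secrets.token_hex(8)},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_confirmation_token(token: str, now: int, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the payload if the tag is genuine and the token is within its lifetime, else None."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare; payload is untrusted until here
        return None
    data = json.loads(payload)
    if now < data["t"] or now - data["t"] > TOKEN_TTL_SECONDS:
        return None                              # expired (or issued in the future): ignore it
    return data


@dataclass
class ConsentRecord:
    email: str
    purpose: str
    requested_at: int           # when the form was submitted
    source: str                 # which form/page the request came from (the "how")
    confirmed_at: Optional[int] = None
    withdrawn_at: Optional[int] = None


class ConsentStore:
    """In-memory stand-in for the consent table: one record per (email, purpose)."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def request(self, email: str, purpose: str, now: int, source: str) -> str:
        """Step 1: form submitted. Store a pending record and return the token to put in the email."""
        self._records[(email, purpose)] = ConsentRecord(email, purpose, now, source)
        return make_confirmation_token(email, purpose, now)

    def confirm(self, token: str, now: int) -> bool:
        """Step 2: link followed. Confirm only a genuine, unexpired token for a still-pending request."""
        data = verify_confirmation_token(token, now)
        if data is None:
            return False
        rec = self._records.get((data["e"], data["p"]))
        if rec is None or rec.requested_at != data["t"] or rec.confirmed_at is not None:
            return False                         # unknown, superseded, or already used (replay)
        rec.confirmed_at = now
        return True

    def withdraw(self, email: str, purpose: str, now: int) -> bool:
        rec = self._records.get((email, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = now
        return True

    def may_process(self, email: str, purpose: str) -> bool:
        """Processing on the basis of consent is allowed only if confirmed and not withdrawn."""
        rec = self._records.get((email, purpose))
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None


def demo() -> Dict[str, bool]:
    """Walk one constructed subscriber through the flow, including the failure cases."""
    store, t0 = ConsentStore(), 1_600_000_000
    email, purpose = "alice@example.com", "property_alerts"          # constructed sample
    token = store.request(email, purpose, t0, source="search-results alert form")
    forged = make_confirmation_token(email, purpose, t0, key=b"attacker-guessed-key")
    return {
        "before_confirm": store.may_process(email, purpose),          # False: form alone is not consent
        "forged": store.confirm(forged, t0 + 60),                     # False: bad HMAC
        "expired": store.confirm(token, t0 + TOKEN_TTL_SECONDS + 1),  # False: link too old
        "confirmed": store.confirm(token, t0 + 60),                   # True
        "after_confirm": store.may_process(email, purpose),           # True
        "replay": store.confirm(token, t0 + 120),                     # False: token already used
        "withdrawn": store.withdraw(email, purpose, t0 + 3600),       # True
        "after_withdraw": store.may_process(email, purpose),          # False
    }


if __name__ == "__main__":
    print(demo())
```

The record keeps the three things a controller will be asked for (what was consented to, when, and via which form), and `may_process` is the single check every consent-based action should go through, so withdrawal takes effect everywhere at once. Binding the token to the purpose means a confirmation link for property alerts cannot be reused to opt the same address into a different mailing.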
Homeflow is also preparing some standardised cookie policies and terms and conditions that clients will be able to use, that will comply with the new regulations.
Are there penalties for non-compliance?
The penalties for infringing the GDPR are potentially much harsher than under the Data Protection Act. For the most serious infringements, a fine can be up to 20 million Euros or 4% of global annual turnover, whichever is higher (a lower tier of up to 10 million Euros or 2% applies to other infringements). Those are theoretical maximums, and fines are scaled to the seriousness of the infringement, but they do indicate how important it is to make every effort to comply with the new regulation.
Where can I get further information?
These notes have been prepared to provide an introduction to the GDPR, and an overview of what Homeflow is doing to ensure its services comply with the new regulation. If you wish to find out more about how to prepare for the GDPR, there is further information on the Information Commissioner’s Office website.
Industry associations such as NAEA and ARLA are also able to provide briefings, training and updates.