Legal disclaimer: these FAQs have not been prepared by a lawyer, and do not in any way constitute legal advice. They have been prepared as an introduction to the GDPR, to explain Homeflow’s current understanding of its implications on our business, our clients and our services.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new set of regulations introduced by the EU that will supersede the UK’s Data Protection Act 1998. It brings data protection legislation into line with new, previously unforeseen ways that data is now used, and aims to give people more say over what companies can do with their personal data. It also introduces potentially tougher fines for non-compliance and breaches.
When does it come into force?
The GDPR will apply to all businesses and organisations from 25th May 2018.
Who does the GDPR apply to?
Both “controllers” and “processors” of data must adhere to the GDPR. A data controller is the party who states how and why personal information is processed, while a processor is the party doing the actual processing of the data. With reference to Homeflow’s services, Homeflow is the data processor on behalf of its clients, who are the data controllers.
How does it differ from current data protection legislation?
After 25th May 2018, all personal data must be processed lawfully, transparently and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted. In the case of Homeflow and its clients, lawful processing usually covers cases where the individual has consented to their data being processed, for example to receive property alerts or to be contacted about a viewing, or where processing is required to comply with a contract or legal obligation, for example holding information about a client.
Will Brexit affect our obligations under GDPR?
No. The GDPR will come into force in May 2018, while the UK is still a member of the EU, and will continue to be in force after Brexit.
What about the PECR?
The Privacy and Electronic Communications Regulations (PECR) do not exempt organisations from the GDPR. It is expected that the PECR will be brought into line with the GDPR in due course. Estate agencies need to ensure they are compliant with the GDPR by the 25 May deadline.
How do I get consent from individuals under the GDPR?
Consent must be an active, affirmative action taken by the individual, rather than the previously common passive acceptance of a pre-ticked check box. This is why many companies are implementing a double opt-in process to gain consent from individuals. The initial consent is then confirmed by the individual accepting a confirmation email, which assures the data processor that the personal details were indeed provided by the data subject themselves. The data processor must keep a record of how and when an individual gave consent, and the individual may withdraw that consent at any time.
What is defined as personal data under the GDPR?
Anything that counted as personal data under the Data Protection Act 1998 also qualifies as personal data under the GDPR, but the definition is substantially expanded. For example, online identifiers like IP addresses now count as personal data, and pseudonymised personal data is subject to GDPR rules if it is possible to identify the data subjects to whom it relates.
Where are our servers located?
Our principal servers, where personal data is held and processed, are located in the UK. In addition, we back data up to secure servers with Amazon Web Services, located in the United States. Amazon is registered under the EU-US Privacy Shield Framework, and so complies with EU data protection requirements.
I don’t want to use a double opt-in process as it will reduce the size of my marketing email database.
We’re recommending a double opt-in process. If you want a different process, we can put this in place as long as it is GDPR compliant.
Do I need to get double opt-in consent from my existing marketing database?
No – if you have collected past customer information in a way that complies with the GDPR.
Yes – most agencies will not have collected data within the rules of the GDPR. You can either stop using your existing database, or run a double opt-in campaign.
We’ll be sending out some thoughts on how to do this as part of our email comms on GDPR.
What consent status will my contacts be given within my Homeflow database?
On May 25th, all existing contacts will be given a ‘Consent not asked’ status. You will need to encourage customers to double opt-in before sending marketing emails to them.
What if I want to offer different marketing consent options? I want to give customers the option of separately opting into my Property Market Newsletter, my Landlords Newsletter, my Tenants newsletter etc.
Offering different marketing consent options can be a good idea, as it lets you tailor your marketing communications to different audiences.
How do customers opt out of marketing communications?
They can click on an Unsubscribe button at the bottom of any Homeflow email.
Or they can go directly to the contact preferences page on your website, provided they have their website account login details.
Or you can manually opt them out in your Admin.
Why aren’t we automatically setting up a website Account for all customers – and sending everyone a username and password?
Although we have done this in the past, the advice we have been given is that this isn’t compliant with GDPR and that customers need to actively opt in to receiving account login details.
What happens if a customer double opts in, then submits another form without ticking the double opt-in box a second time?
If a customer has double opted in, they remain opted in until they actively opt out.
If they submit a form without ticking the marketing opt-in box, this will not override their existing double opt-in.
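The consent handling described above (double opt-in with a record of how and when consent was given, withdrawal at any time, and a later form without the box ticked never overriding an existing opt-in) as an added, hypothetical example; this is not Homeflow's code, and the status names, event names and form sources are assumptions:

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

@dataclass
class ConsentRecord:
    # New records start as "not_asked", the status the FAQ gives existing contacts on 25 May.
    status: str = "not_asked"  # not_asked | pending | confirmed | withdrawn
    token: Optional[str] = None  # one-time token sent in the confirmation email
    history: List[Tuple[str, str, str]] = field(default_factory=list)  # (when, event, source)

class ConsentLedger:
    def __init__(self) -> None:
        self.records: Dict[str, ConsentRecord] = {}

    def _log(self, email: str, event: str, source: str) -> ConsentRecord:
        # Every consent event is timestamped: the "how and when" record the GDPR requires.
        rec = self.records.setdefault(email, ConsentRecord())
        rec.history.append((datetime.now(timezone.utc).isoformat(), event, source))
        return rec

    def submit_form(self, email: str, source: str, opted_in: bool) -> Optional[str]:
        # Step 1 of the double opt-in: only a ticked box starts it; an unticked one never overrides.
        if not opted_in:
            self._log(email, "form_without_optin", source)
            return None
        rec = self._log(email, "consent_requested", source)
        if rec.status == "confirmed":
            return None  # already double opted in; nothing to re-confirm
        rec.status, rec.token = "pending", secrets.token_urlsafe(32)
        return rec.token  # the caller emails this token to the data subject

    def confirm(self, email: str, token: str) -> bool:
        # Step 2: the data subject clicked the link in the confirmation email.
        rec = self.records.get(email)
        if rec is None or rec.status != "pending" or rec.token is None:
            return False
        if not secrets.compare_digest(rec.token, token):
            return False
        rec.status, rec.token = "confirmed", None
        self._log(email, "consent_confirmed", "email_link")
        return True

    def withdraw(self, email: str, source: str) -> None:
        # Unsubscribe link, contact preferences page or manual opt-out in admin.
        self._log(email, "consent_withdrawn", source).status = "withdrawn"

    def can_market(self, email: str) -> bool:
        return self.records.get(email, ConsentRecord()).status == "confirmed"
```

Marketing is only allowed while the status is "confirmed", and the history list is what you would show a customer who asks how and when they consented.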
I’m writing my Cookies Policy and need a list of all the cookies on my website?
We’ll send out advice on the standard cookies that are on Homeflow sites to all clients.
Clients need to think about any additional third-party cookies they may have added, e.g. Facebook ads, Google AdWords Remarketing, or cookies relating to their marketing software.
What about data requests from customers?
The GDPR gives customers 3 rights:
Right to Access: Your customers will have the right to confirm how Homeflow is processing their personal data.
Data Portability: Your customers will have the right to transfer and update their own data.
Right to be Forgotten: Your customers will have the right to hard-delete their data on request, where it is no longer relevant.
We’ll send out a ‘How to’ guide on how to process each of these 3 requests before 25 May.
When will these changes be live on my website?
All changes will be in place before the 25 May deadline.
Are there penalties for non-compliance?
The penalties for a data breach under the GDPR are potentially much harsher than under the Data Protection Act. In theory, a penalty could be up to 20 million euros or 4% of your global annual turnover, whichever is higher. While this is only a theoretical maximum, it does indicate how important it is to make every effort to comply with the new regulation.
Where can I get further information?
These notes have been prepared to provide an introduction to the GDPR. If you wish to find out more about how to prepare for the GDPR, there is further information on the Information Commissioner’s Office website.
Industry associations such as NAEA and ARLA are also able to provide briefings, training and updates.