Legal disclaimer: these FAQs have not been prepared by a lawyer, and do not in any way constitute legal advice. They have been prepared as an introduction to the GDPR, to explain Homeflow’s current understanding of its implications on our business, our clients and our services.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new set of regulations introduced by the EU that will supersede the UK’s Data Protection Act 1998. It brings data protection legislation into line with new, previously unforeseen ways that data is now used, and aims to give people more say over what companies can do with their personal data. It also introduces potentially tougher fines for non-compliance and breaches.
When does it come into force?
The GDPR will apply to all businesses and organisations from 25th May 2018.
Who does the GDPR apply to?
Both “controllers” and “processors” of data must adhere to the GDPR. A data controller is the party who states how and why personal information is processed, while a processor is the party doing the actual processing of the data. With reference to Homeflow’s services, Homeflow is the data processor on behalf of its clients, who are the data controllers.
How does it differ from current data protection legislation?
After 25th May 2018, all personal data must be processed lawfully, transparently and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted. In the case of Homeflow and its clients, lawful processing usually includes cases where the individual has consented to their data being processed, for example to receive property alerts or to be contacted about a viewing, or where it is required to comply with a contract or legal obligation, for example holding information about a client.
Will Brexit affect our obligations under GDPR?
No. The GDPR will come into force in May 2018, while the UK is still a member of the EU, and will continue to be in force after Brexit.
What about the PECR?
The Privacy and Electronic Communications Regulations (PECR) do not exempt organisations from the GDPR. It’s expected that the PECR will be brought into line with the GDPR in due course. Estate agencies need to ensure they are compliant with the GDPR by the 25 May deadline.
How do I get consent from individuals under the GDPR?
Consent must be an active, affirmative action taken by the individual, rather than the previously common passive acceptance of a pre-ticked check box. This is why many companies are implementing a double opt-in process to gain consent from individuals. The initial consent is confirmed when the individual accepts a confirmation email sent to them, which assures the data processor that the personal details were indeed provided by the data subject themselves. The data processor must keep a record of how and when an individual gave consent, and that individual may withdraw consent at any time.
What is defined as personal data under the GDPR?
Anything that counted as personal data under the Data Protection Act 1998 also qualifies as personal data under the GDPR, but the definition is substantially expanded. For example, online identifiers like IP addresses now count as personal data, and pseudonymised personal data is subject to GDPR rules if it is possible to identify the data subjects to whom it relates.
Where are our servers located?
Our principal servers, where personal data is held and processed, are located in the UK. In addition, we back data up to secure servers with Amazon Web Services, located in the United States. Amazon is registered as part of the EU-US Privacy Shield Framework, and so complies with EU data protection requirements.
Does Homeflow have plans for managing a data breach?
Under the GDPR, any processor of personal data that suffers a breach needs to be able to inform both the data controller and the customers affected within 72 hours. Homeflow has systems and protocols in place for preventing and managing a data breach.
What is Homeflow doing to be GDPR compliant?
We have appointed a Data Protection Officer (DPO), and our efforts to comply with the new regulation involve both our technical team – who are making some changes to the core system so they are available to all our clients – as well as our central and marketing teams, to ensure that any changed approach is adopted appropriately throughout the business.
Among other things, we are focusing on making privacy the absolute default setting. We’ve completed a comprehensive audit that identified what personal information we store for our clients, what that data is used for, where it’s held, and how it’s accessed. Following that audit, there are two principal changes we’re making: first, forms on websites are becoming “double opt-in”, so for anyone to use personal information that has been collected via a form we will need to ensure that the individual has explicitly consented for the information to be used in that way; and second, we’re improving how an individual can access any data we hold on them, including providing the ability for them to delete it if they so wish.
Homeflow is also preparing some standardised cookie policies and terms and conditions that clients will be able to use, that will comply with the new regulations.
What are Homeflow doing to make sure my website forms are GDPR compliant?
See how Homeflow are making website forms GDPR compliant.
Will you be ensuring consent is collected on all website forms, including Homeflow Valuation forms?
Do I have to do anything to get my website forms updated?
No – we’ll add these to all Homeflow websites unless you tell us you want a different consent process.
You will have to think about how you’d like to phrase your marketing consent statement. We’ll be sending an email out on this to all clients, with information on how to update this statement in your Homeflow Admin.
What happens when the customer submits a form on a Homeflow website?
It depends which boxes they’ve ticked and whether they’ve already opted in to receive marketing communications:
1. They’ve ticked the marketing consent statement box. This will trigger an email to them asking them to verify their email address. They have to click on the button in the email to ‘double opt-in’ – until this point, you can’t send them marketing emails.
2. They’ve ticked the account creation statement. They’ll receive an email with their username and password. They won’t receive this email with login details if they haven’t ticked the box.
3. They haven’t ticked the marketing consent statement box. They’ll receive an email confirming the details of their enquiry, similar to the emails that are automatically sent today. There will be a button on the email encouraging them to opt-in to receive marketing emails.
4. If they’ve already double opted in (e.g. they’ve completed a form on the website before and ticked the marketing consent box and verified their email), we won’t ask them to verify their email again. They’ll just get an email confirming the details of their enquiry.
I don’t want to use a double opt-in process as it will reduce the size of my marketing email database.
We’re recommending and building a double opt-in process. If you want a different process, we can put this in place as long as it is GDPR compliant.
Do I need to get double opt-in consent from my existing marketing database?
No – if you have collected past customer information in a way that complies with the GDPR.
Yes – most agencies will not have collected data within the rules of the GDPR. You can either stop using your existing database, or run a double opt-in campaign.
We’ll be sending out some thoughts on how to do this as part of our email comms on GDPR.
What consent status will my contacts be given within my Homeflow database?
On May 25th, all existing contacts will be given a ‘Consent not asked’ status. You will need to encourage customers to double opt-in before sending marketing emails to them.
What if I want to offer different marketing consent options? I want to give customers the option of separately opting into my Property Market Newsletter, my Landlords Newsletter, my Tenants newsletter etc.
Different marketing consent options can be a great idea, so you can tailor your marketing communications to different audiences.
We’re opting not to put a large number of tick boxes on every website form – it’s messy and confusing. Instead we’re giving customers the ability to tailor their preferences at the stage of verifying their email address (double opt-in). Here’s a discussion of the options available to your agency.
How do customers opt out of marketing communications?
They can click on an Unsubscribe button at the bottom of any Homeflow email.
Or they can go directly to the contact preferences page on your website, provided they have their website account login details.
Or you can manually opt them out in your Admin.
Why aren’t we automatically setting up a website account for all customers – and sending everyone a username and password?
Although we have done this in the past, the advice we have been given is that this isn’t compliant with GDPR and that customers need to actively opt in to receiving account login details.
What happens if a customer double opts in, then submits another form without ticking the double opt-in box a second time?
If a customer has double opted in, they remain opted in until they actively opt out.
If they submit a form without ticking the marketing opt-in box, this will not override their existing double opt-in.
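The form-submission cases listed above and the “double opt-in is not overridden” rule can be expressed as a small consent state machine. The following is an added illustration, not Homeflow’s own code: the status names, the verification-token scheme and the email labels are assumptions, and the audit trail records how and when consent changed, as the FAQ says a processor must.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple
import secrets

# Hypothetical consent statuses; "not_asked" mirrors the FAQ's 'Consent not asked'.
NOT_ASKED, PENDING, OPTED_IN, OPTED_OUT = "not_asked", "pending", "opted_in", "opted_out"


@dataclass
class Contact:
    email: str
    status: str = NOT_ASKED
    token: Optional[str] = None                      # one-time double opt-in token
    history: List[Tuple[str, str]] = field(default_factory=list)  # (when, how) audit trail


def _log(contact: Contact, event: str) -> None:
    contact.history.append((datetime.now(timezone.utc).isoformat(), event))


def submit_form(contact: Contact, marketing_ticked: bool, account_ticked: bool = False) -> list:
    """Return the emails to send for one submission (cases 1-4 in the FAQ)."""
    emails = []
    if contact.status == OPTED_IN:
        # Case 4: already verified, so never ask again and never downgrade consent.
        _log(contact, "form submitted; existing double opt-in retained")
        emails.append("enquiry_confirmation")
    elif marketing_ticked:
        # Case 1: consent is only pending until the emailed token is clicked.
        contact.status, contact.token = PENDING, secrets.token_urlsafe(16)
        _log(contact, "marketing box ticked; verification email sent")
        emails.append("verify_email")
    else:
        # Case 3: plain confirmation carrying an opt-in button; no consent recorded.
        _log(contact, "form submitted without marketing consent")
        emails.append("enquiry_confirmation_with_optin_button")
    if account_ticked:
        emails.append("account_details")             # case 2: login details only if asked for
    return emails


def verify(contact: Contact, token: Optional[str]) -> bool:
    """Complete double opt-in; only the issued token (compared in constant time) is accepted."""
    if contact.status == PENDING and contact.token and token and secrets.compare_digest(token, contact.token):
        contact.status, contact.token = OPTED_IN, None
        _log(contact, "email address verified; double opt-in complete")
        return True
    return False


def unsubscribe(contact: Contact) -> None:
    contact.status, contact.token = OPTED_OUT, None
    _log(contact, "unsubscribed")


def may_send_marketing(contact: Contact) -> bool:
    return contact.status == OPTED_IN
```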
Template policies will be sent before the end of April.
I’m writing my Cookies Policy. Where can I get a list of all the cookies on my website?
We’ll send out advice on the standard cookies that are on Homeflow sites to all clients.
Clients need to think about any additional third party cookies they may have added – e.g. Facebook ads, Google AdWords Remarketing, or cookies relating to their marketing software.
What about Homeflow People Exchange? Is this GDPR compliant?
We’re incorporating marketing consent statements within HFPE.
What about data requests from customers?
The GDPR gives customers 3 rights:
Right to Access: Your customers will have the right to confirm how Homeflow is processing their personal data.
Data Portability: Your customers will have the right to transfer and update their own data.
Right to be Forgotten: Your customers will have the right to hard-delete their data on request, where it is no longer relevant.
We’ll send out a ‘How to’ guide on how to process each of these 3 requests before 25 May.
When will these changes be live on my website?
All changes will be in place before the 25 May deadline.
Are there penalties for non-compliance?
The penalties for a data breach under the GDPR are potentially much harsher than under the Data Protection Act. In theory, a penalty could be up to 20 million Euros, or 4% of your global annual turnover, whichever is higher. While this is only a theoretical number, it does indicate how important it is to make every effort to comply with the new regulation.
Where can I get further information?
These notes have been prepared to provide an introduction to the GDPR, and an overview of what Homeflow is doing to ensure its services comply with the new regulation. If you wish to find out more about how to prepare for the GDPR, there is further information on the Information Commissioner’s Office website.
Industry associations such as NAEA and ARLA are also able to provide briefings, training and updates.