General Data Protection Regulation (hereinafter GDPR) is one of the biggest changes to data security and privacy in Europe in decades. One has probably seen some of the effects of the GDPR in the United States in your own email. For example, companies you opted into long ago asking you to re-subscribe. This begs the question — should American businesses expect more far-reaching changes from the GDPR?
The answer is yes. American businesses are not exempt from the GDPR. If you collect data from any individual or corporate entity in the European Union, Article 3 of the GDPR states that your business is subject to GDPR requirements. The fines and penalties referred to in the GDPR apply to any business worldwide that is processing, storing or otherwise using personal information or data relating to an EU resident outside of GDPR compliance.
What This Means for Your Real Estate Business
Through the Internet, real estate has become a global business. The GDPR is especially relevant if you target foreign investors for properties as part of your daily business. The key word here is “target.” If you actively target European investors for properties in your area, think holiday homes, timeshares, rentals — then the GDPR does apply. If you collect personal identifiable information (PII) from any EU citizen via a property survey or market research activity, the GDPR also applies.
How To Avoid an Infringement
The primary aim of the GDPR is to provide citizens and residents of the EU with a greater level of control over their data and personal information. The GDPR also helps to ensure EU residents a greater degree of security and protection regardless of who they share information with. For example, an EU resident now has the right to demand data erasure from any business at any time, regardless of any previous arrangement or opt-in. A company out of compliance potentially faces millions of dollars in fines and penalties per infraction. That company may also be barred from doing business within the EU.
This is what you need to do to comply:
- Review your data collection and storage processes
GDPR has led millions of businesses worldwide to review their current data management processes. This is a positive action for any business to take, regardless of how the GDPR is likely to impact your business. Look at what data you collect via your website, or by phone or email, The GDPR defines personal data as including a name, photo, contact details, bank details, address, social media information, or IP address. Consider what data you actually need, what you will do with it and how you will store it and eventually dispose of it.
- Ask for consent
In the past, you may have created a special report, posted a form on your website that asked for email address, and then added those email addresses to your mailing list. If you are targeting EU residents, GDPR now requires you to expressly ask for consent to be contacted further. Instead of an opt-out culture of mailing list management, GDPR requires consent to opt-in.
This means that your website forms need to have anyone who completes a form agree to your data collection and usage policies, and to be contacted in the future.
- Allow users to see or delete the data you have about them
This is why having good systems for data management is essential. Being able to find a user’s data if they request changes or deletions is an important component of the GDPR. You need to be prepared to delete that data at any time should a European resident or citizen request you to do so.
Proving that a user actually gave consent to be contacted in the future may also be necessary if a claim is made against you. Once you add the new opt-in consent to each of your website forms, you might want to keep all names that complete that new consent in a separate file.
- Review your terms of use on your website and digital activities
If you intend to target European investors, you must have a written Terms of Service (or Terms of Use or privacy policy) on your website. Terms of Use must be easily accessible to users, and users must agree to your Terms of Use as a requirement of completing every form on your website (whether a form requests a content download, or a form is merely a “Contact Us” form). If you gather contact information by phone from European investors, it’s suggested that you follow up your phone call with an email requesting their consent to include them in your promotional emails.
- Report any GDPR data breaches within 72 hours
If a data breach occurs, you must inform the user within 72 hours according to the GDPR. Failure to do so can result in steep penalties.
Penalties
Failure to comply with the GDPR means tough penalties regardless of where your business is located. Fines of up to 2% of global annual revenue or 20 million Euro (whichever is greatest) are possible. It is unclear how these penalties will be enforced outside of the EU, but they will be enforced. Can you afford to fall behind in the global marketplace? Don’t take the chance.
Protecting Yourself
While the GDPR will (currently) only affect you directly if you’re targeting European clients, it’s a timely reminder to all businesses about how we handle people’s personal data. Check your real estate errors and omissions insurance to ensure you’re protected in the case of a data breach or claim relating to the mismanagement of data or negligence.
CRES Insurance has specialized in protecting real estate brokers and agents for more than 20 years. We can help you find the best solution for your business. Contact the CRES team at 800.880.2747 to have a confidential discussion today.
