The General Data Protection Regulation (GDPR) comes into effect from May 2018 across the EU – including the UK, Brexit or not – and will introduce significant changes to data protection law. Companies holding large numbers of client records, such as property agents and estate agents, will be particularly at risk of large fines for non-compliance.

Such fines will increase to the greater of €20 million and 4% of global turnover, significantly higher than the current maximum of £500,000. While the UK’s Information Commissioner has indicated that much lower fines should be anticipated, a serious breach could still attract a very large fine.

A key focus of the new rules is on documentary processes designed to protect an individual's data. Basically, you should collect and process only the minimum amount of personal data needed to achieve your objectives and keep it only for as long as necessary. Three other points to note are:

  1. Obtaining consent just got harder: You must have a lawful basis to do anything with personal data, including sending out direct marketing e-mails, and the easiest way is obtaining consent from the data subject. Under the GDPR, this must be a positive opt-in; consent can't be assumed from silence or pre-ticked boxes, and you can't bury deemed consent in a privacy policy.

  2. Definition of personal data: This has been expanded to cover not only names, addresses and telephone numbers, but also IP addresses and other online identifiers. So if you are providing a free Wi-Fi service and collecting users' IP addresses, this will be caught by the GDPR.

  3. Data processors are now liable: Previously, only data controllers – those who determine how data is collected – could be fined for breaches. Now, data processors are also on the hook, including for not maintaining records of the personal data they are processing. Therefore, if a property manager is given the contact details of every person working or living in a building, or holds the record of every person's entry to and exit from the building, they will be caught by the GDPR.

So what should businesses be doing now? In order to work out how to comply with the law, you need to have a clear view of: what data you are collecting; how you collect it; where you store it; why you hold it; what you do with it; how long you keep it; and how securely it is being kept. You can do that by speaking to relevant people within your organisation and gathering evidence, and by undertaking a review of the IT systems you are using to trace the data’s journey.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.