This guide has been reviewed against our global client base and classed as relevant to the UK only
Please note that this guide is for informational purposes to help your understanding
It should not be relied on as legal advice
When the GDPR came into effect on 25th May 2018, it introduced a number of new requirements to protect the privacy of individuals, while enabling and facilitating the free-flow of personal data. On the build-up to that date, at Reapit, our priority was to prepare our business and our software solutions with the changes to data protection that the GDPR introduced and, now that the GDPR is live, we continue to enhance and refine our products to ensure compliance.
With the arrival of the GDPR, the need for a business to have a single repository for client data is evermore important; Reapit provides just that - a single view - one view of your customer across sales and lettings, property management and client accounts, desktop and mobile. A single platform means that all your GDPR sensitive data is stored securely in one place, making the possibilities of a data breach much less.
About this guide
This guide is intended to help our valued clients to work with the GDPR and to explain how we can help. In this document, you will find a brief overview of the GDPR, the legal bases for processing personal data that the GDPR permits and the individual rights that organisations should uphold. We then describe details of the various functions in AgencyCloud that you may use to process data fairly and lawfully and uphold individual rights. Our aim is not to discuss the entire Regulation, but to address the key points which are most relevant to our relationship with clients.
It is important to note that compliance with the GDPR is more about understanding and adapting business processes and documenting activities than it is about technical changes. That said, we are here to help technologically. As every business processes data in different ways, for different purposes, you should carry out your own assessment on how your business readies itself for this legislative change. There is plenty of information in the public domain about how to become compliant, but we would recommend that you only follow the official sources and seek your own legal counsel to determine how the GDPR applies to your company and how to ensure compliance with the rules it introduces.
Each country in the European Union has a Data Protection Authority responsible for data protection and the GDPR in the relevant territories. These Authorities have detailed and easy to understand guidance on how organisations should prepare.
- For United Kingdom visit: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- For Republic of Ireland visit: http://gdprandyou.ie/organisations/
This guide contains sections on:
What is the GDPR?
The General Data Protection Regulation (EU) 2016/679 is a European privacy law proposed by the European Commission in 2012 and approved by the European Parliament and the Council of the EU in 2016. The GDPR replaced a prior European Union Privacy Directive (95/46/EC) which has been the basis of European data protection law since 1995.
In common with other Regulations, the GDPR is a binding and directly applicable act which must be followed in its entirety throughout the EU. Many of the provisions of the GDPR offer leeway for Member States to interpret and implement in line with applicable national law, e.g. gaps to be filled by national authorities and laws, such as the UK Data Protection Bill that is currently debated in parliament. The GDPR regulates, among other things, how individuals and organisations may obtain, use, share and erase personal data. It will have a significant impact on businesses around the world.
When did it come into effect & who does it affect?
The GDPR became law from 25th May 2018. It affects:
(1) all organisations established in the EU that process personal data
(2) all organisations established anywhere in the world that process personal data of any EU resident.
Is it a new law?
Yes and no. The GDPR builds on the principles established by the 1995 Data Protection Directive (implemented via the UK Data Protection Act (DPA) 1998). It applies to the same type of information, but the definition of personal data is expanded. It relies on broadly the same legal principles, but introduces a new principle that requires more documentation, namely the accountability principle. With regard to data processing, the GDPR relies on the same legal justifications laid down under previous law, but the requirements for consent and legitimate interest are more stringent. The GDPR protects the same data subject rights, but it expands on them to include a few new ones.
However, the most significant change in relation to our relationship with clients are the new rules the GDPR introduced in relation to our contractual rights and obligations.
What information does the GDPR apply to?
The GDPR covers all ‘personal data’ relating to identifiable living individuals. In relation to defining personal data, the main difference between the previous data protection legislation and the GDPR is that the latter is more prescriptive, including in the definition of ‘online identifiers’ – examples include an IP address of a person’s internet connection, cookie identifiers placed by websites, geo-location data and others.
The following list is not exhaustive, but serves to show the information that can be considered as personal data:
- name
- address
- financial information
- contact numbers and addresses
- physical identifiers (e.g. ID and photos).
The GDPR, like the previous legislation, also references ‘special categories of personal data’, relating to sensitive information such as religious beliefs, ethnic origin and political opinions, as well as genetic and biometric data. Although there are not many items of sensitive personal data an agent needs to process, it is entirely possible that sensitive information will be included on documents that an agent has to store or use, such as those relating to ID checks, so due care should be taken.
Can we process personal data without the individual's consent?
For processing of personal data to be lawful, each organisation must ensure that there is a lawful basis for that processing to commence and that the processing is done in accordance with the fairness principles. The GDPR makes reference to six lawful bases and to seven principles:
Fair processing principles | Lawful processing bases |
---|---|
Lawfulness, fairness and transparency | Consent (recorded, revocable, purpose-specific, informed, freely given by a positive action) |
Purpose limitation | Contractual (performing, negotiating or entering into) |
Data minimisation | Legitimate Interest (e.g. reasonable and proportionate commercial interest) |
Data accuracy | Legal Obligation (other legislation, such as health and safety, tax, criminal law, etc.) |
Storage limitation | Vital Interests (e.g. health hazard) |
Integrity and confidentiality | Public Task (e.g. administration of justice) |
Accountability |
Each time you process personal data, you should be able to reference at least one of these as your lawful basis for processing the data and you should be able to satisfy all of the principles. Businesses often use contract and legitimate interest as justification of the processing they do in relation their core day-to day activities and, in most (but not all) cases, consent in relation to their direct marketing activities. Note that a specific consent requirement for direct marketing specifically is not a new requirement of the GDPR, but an existing requirement under the UK Privacy and Electronic Communications (EC Directive) Regulation 2003 (PECR).
Example: processing an applicant’s name, address and phone number to book a viewing
Possible lawful basis for processing personal data: Contractual
As a viewing is an attempt to persuade an applicant to enter into a contract with your client, it is necessary to obtain the details of the applicant before a viewing in order to process them for contact relating to the viewing.
When would we really need consent?
In many cases, especially those relating to marketing activities, consent is used as the lawful basis for processing personal data. As you can see in the following sections of this document, with respect to the marketing consent options on the Reapit contact record, our solution is both robust and versatile to assist in your efforts to manage consent for your client records and associated personal data.
To satisfy the requirements of the GDPR, you should be prepared to make an informed decision about how you process personal data for data subjects for whom you have not obtained consent. However, before entering into any marketing campaigns for the purpose of satisfying these requirements (e.g. ‘consent renewal’ campaigns), you must ensure you are not infringing the direct marketing rules that currently apply to such processing under the PECR. We recommend that you seek your own legal advice on the lawful basis by which you process personal data for marketing purposes.
- For valid consent under the GDPR consult the ICO guidance: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/
- For valid consent under the PECR consult the ICO guidance: https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/
Last but not least, it should be noted that, from a data storage/retention perspective, it is likely that you will need to retain certain records for a period of time necessary to comply with certain requirements stemming from other legislation, such as those which cover financial, tax and insurance obligations. Your obligation to retain such records applies notwithstanding the relevant individual’s consent preferences.
Your Reapit software can help you in respect of managing consent
Marketing consent options
Three consent options are available in the Marketing Consent menu on the contact record (available from version 12.86+). Selecting a Marketing Consent option and saving the contact record automatically adds an entry to the contact journal; see following section Automatic logging of consent status changes for more information.
1. Consent given
2. Consent denied
3. Consent not asked
Consent not asked is the default option given to any new contact added; meaning that marketing is not permitted for these contacts until Consent given is selected on their contact record.
Migrating your existing data (for contacts in version 12.85 & below)
For contacts currently in version 12.85 and below, the two existing tick-box settings on the contact record titled Opt out of direct marketing and Asked to opt in/out will be used to determine the equivalent consent in the new Marketing consent menu, where only a single option needs to be selected (as outlined above). This new menu is available from version 12.86+.
The two options pre-version 12.86 will be mapped to the single option in version 12.86+, as follows:
Contact consent options pre 12.86 | Equivalent consent option in 12.86+ |
---|---|
Opt out of direct marketing - enabled Asked to opt in/out - enabled | Consent denied |
Opt out of direct marketing - enabled Asked to opt in/out - disabled | Consent denied |
Opt out of direct marketing - disabled Asked to opt in/out - enabled | Consent given |
Opt out of direct marketing - disabled Asked to opt in/out - disabled | Consent not asked |
Reapit recommend that you establish a legal basis for marketing to contacts who do not have a Consent given flag after 25th May 2018.
Automatic logging of consent changes
Changes to a contact’s marketing status are automatically logged in the following places:
1. Contact record Marketing Consent menu
- Click Marketing Consent and select View consent details
2. Activity Feed
- The Activity Feed section on the right automatically shows Marketing consent changes
3. Contact journal
- Click the Journal button and select Miscellaneous
(or double-click an entry in the Activity Feed, as shown in point 2 above) - Selecting an entry in the contact Journal displays further information at the bottom of the screen
Contact Mailing & Event consent options
The option to subscribe, unsubscribe and opt out contacts from specific mailings and events is available. These more granular level options can be used to manage consent for specific types of communication and other processing activities.
- From the contact record, click Categories & Mailings
- Mailing Subscriptions and Event Subscriptions sections show currently available mailings and events
- Hovering over a subscribed mailing/event displays information relating to when the contact was subscribed to it and who actioned this
- Hovering over any mailing/event displays an Opt out link beside it; any subscriptions where the contact has chosen to opt out can also be clearly identified
Subscribe vs Opt Out
- Box ticked: tick to subscribe the contact to the mailing/event
- Box unticked: tick to unsubscribe the contact from the mailing/event
- Opt out: use this option when the contact has requested to opt out of the mailing/event
Power Reports for marketing consent status
Power Reports can be used to generate a list of contacts according to their Marketing consent status
A predefined report can be downloaded from the Power Reports library - see Compliance section (report titled Current vendor/landlord marketing consent option)
Individual Rights
The GDPR provides the following rights for individuals (data subject rights), many of which are already in effect under the Data Protection Act 1998:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object to processing including profiling.
Amongst others, key changes to note under the GDPR are as follows:
- the data subject rights provided under the DPA are slightly expanded
- the applicable response timeframe is shortened by 10 days
- the permitted £10 data protection request fee is abolished
- the data controller must inform individuals of their rights.
Reapit software already has embedded functionality sufficient to process and fulfil some of these rights, for example allowing amendment and/or export of personal data within the database.
However, it should be noted that most of these data subject rights are not absolute and they are subject to a number of restrictions that have yet to be clarified by the ICO. Therefore you should carefully verify any data subject request, taking into account the latest guidance from the ICO before you respond to it.
Example: you receive a Subject Access Request from a previous tenant
Individual right: the right of access
Information on the personal data that you hold about an individual must be provided to them on request without delay and, at the latest, within one month (extendable by 2 more months) of receipt of their request once you have verified their identity and you are satisfied no exemptions apply. A copy of their contact record and related data should then be exported from the Reapit database.
See the following section for information on how Reapit software can help you be GDPR compliant
for each of the above Individual Rights.
How Reapit software can help you be GDPR-compliant in respect of Individual Rights
Features and functions in Reapit software can help you promptly respond to client requests pursuing their GDPR-expanded Individual Rights. The following list identifies how Reapit software can help you deliver to your clients in a GDPR-compliant manner.
1. The right of access and 2. The right to rectification
When a legitimate request has been received for data to be rectified, Reapit software has full ability to allow this to be carried out. Using Reapit's mobile solution, this can even be done out of hours and, when using Reapit's Online Self-Service Portals, individuals can see their data online and can easily make a request to amend their records.
In accordance with the current Data Protection Act, it has always been a requirement to allow individuals access to their personal data; however, the GDPR goes a little further and requires that personal data can be requested along with other supplementary information. In most circumstances you would not be able to charge an individual for the right to request this information!
The Reapit software has built-in reporting capability to export personal data held. As shown below, the Print option on a contact record automatically pulls together all the data held for a client, including their contact details, mailings you have subscribed them to and any employment details. This report can be printed and/or saved as a PDF file and sent to the client. Print options are also available in the applicant, property, tenancy and landlord journals - which again detail what is being held.
- On the contact record, click Print (top right)
Before passing any information on to an individual who requests it, Reapit recommend that the information is carefully verified to ensure that it does not include personal data relating to another individual; for example, reference may be made to another tenant or joint buyer.
3. The right to erasure (the so called 'right to be forgotten')
As we have always recognised the value of protecting contact information for the purposes of reporting and maintaining contact history, we have only ever offered our clients the ability to archive their contacts and associated roles. However, in order to provide full GDPR compliance functionality, we have developed and implemented the ability to remove personally identifiable information of a specific contact in the Reapit database, either singularly or in bulk.
In order to maintain referential integrity of the database, this is handled by anonymisation of some parts of a record and deletion of others. When a contact is erased, there are a number of validation checks performed before the deletion process is performed. Checks are made on the contact and its associated roles (applicant, vendor, landlord, tenant) to determine whether the contact can be erased.
To ensure that this powerful tool is used correctly, the ability to erase a contact is only given to authorised users within an organisation. As shown below, a single contact record can be erased; a bulk erasure tool is also available, allowing multiple contacts to be erased. Again, the ability to use this tool is restricted to authorised users.
4. The right to restrict processing
As discussed in earlier sections, Reapit software provides the facility to restrict processing using the archive, inactivity and consent denial functions. The alert function can also be used alongside the aforementioned functions to advise other users when/why a record is in this state.
An alert, when set up on a contact record (as shown below), is displayed in the Activity Feed area on every role screen the contact has – for this example, the alert will also be shown on the applicant screen for the contact as an applicant.
- From the contact record, Activity Feed section, click the +
- Select Create contact alert
- Enter the alert text and click Exit
- The alert is shown at the top of the Activity Feed section
5. The right to data portability
Whilst it is unlikely that an individual will request to port their data to another provider, Reapit software already has the facility to allow export of personal data into a machine readable format that can be used by another software system.
6. The right to object
Broadly, the right to object means that all contacts held on your database (i.e. Data Subjects) have the right to object to you processing their data. This will largely depend on what you have defined as your Lawful Bases for holding and processing data. If, in most cases, consent is being relied on for onward processing by third party software – the Marketing Consent functionality on a contact record can be used.
The Reapit software has always offered the logging of marketing preferences within the central contact record, along with options allowing users to be subscribed/unsubscribed and opted out from specific mailings and events. With the introduction of GDPR, the contact record has been further enhanced to make this even easier and, used alongside Power Reports, lists of contacts who have opted in/out can be easily obtained.
See earlier sections for information on the Marketing Consent options and associated sections on the Automatic logging of consent changes, Contact Mailing & Events Consent Options plus Power Reports for Marketing Consent Status and Mailing & Event Subscriptions.
If you are relying on Legitimate Interests to process data, then this needs to be explicitly and clearly documented in an accessible location, such as your Privacy Policy. Usual functionality like making a contact record inactive or archiving (shown above) can be used for this.
For information on handling the full removal of data, see point 3 entitled Right to erasure.
7. Rights in relation to automated decision making and profiling
This right covers the provision within GDPR on:
- automated individual decision-making (making a decision solely by automated means without any human involvement); and
- profiling (automated processing of personal data to evaluate certain characteristics of an individual). Profiling can be part of an automated decision-making process.
Effectively this includes any processing that you undertake without human intervention. The Reapit software has a number of tools that allow data to be easily processed and does the heavy-lifting for you; however, there is always a human element to any process whereby an intervention can be made.
It is likely to become more relevant when data is exported and manipulated by an external Electronic Direct Mail provider, where decisions on Mailing journeys may be made by that software.
What you must do is ensure that the Data Subjects are aware of this type of processing via notifications of the like that are included within your Privacy Policy and that you are explicit on the lawful reason for doing so. There must be a way to interrupt that automation routine. You must also ensure that you have a lawful reason for doing this such as Contractual or Consent.
The type of automation within estate agency is likely to use a third party mailing provider, in which case Consent is most likely to be relied upon; this consent must be explicitly given.
What does the GDPR mean for Reapit and our clients?
For the purposes of data protection law, and in the context of Reapit software and our related products and services, we will typically act as a data processor on behalf of our clients, who will themselves typically act as data controllers. It is the Reapit client who collects personal data, enters it into their database and decides how to use it further. Reapit processes this data solely under the instructions of the users and in accordance with our Terms & Conditions as updated from time to time.
The GDPR introduced new responsibilities to data processors that are relevant to our relationship as detailed below. Reapit have either implemented the following requirements or are currently in the process of rolling these out:
- to have a written agreement in place with our clients and suppliers
- to ensure our employees with access to your data are subject to a duty of confidence
- to ensure the security of processing activities
- to notify you of any sub-processing relevant to your business
- to assist you in fulfilling your duties with respect to the exercise of your customers’ privacy rights
- to assist you in your obligations relating to security, data breaches and data protection impact assessments
- to assist you with inspections by the Information Commissioner's Office (ICO)
- to return to you all your data upon expiry of our contract should you request us to do so.
We have implemented the majority of the requirements listed above and those that are not finalised yet are in the final stages of completion.
As part of our ongoing commitment to assist clients in conforming to their obligations under data protection law, we have introduced new functionality and updated existing tools to provide a robust technological platform upon which GDPR compliance can be managed effectively. In particular, Reapit software will provide you with:
- assistance with data subject rights
- assistance with your legal basis for processing; Reapit software will include functionality to help you:
- record obtaining of consent
- granulate consent for different purposes
- manage consent
- record withdrawal of consent
- report on the consent preferences of your database
- assistance with your accountability responsibility; the contact journal, when maintained properly, keeps track of all significant (personal data) processing activities in relation to a specific contact record that can be exported and delivered upon request.
The key functionality enhancements listed above are illustrated in the previous sections.
For more on the future of the controller-processor relationship, visit the ICO's guide:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/
What next?
We continue to review our product offering and features in light of customer requirements, while analysing what more we can do to help you be compliant.
If you have any questions or feedback about the GDPR in relation to a specific use of our services, please don’t hesitate to get in touch with your Reapit Customer Success Manager (CSM).
Related articles