This guide has been reviewed against our global client base and classed as relevant to the UK only
Please note that this guide is for informational purposes to help your understanding
It should not be relied on as legal advice
When the GDPR came into effect on 25th May 2018, it introduced a number of new requirements to protect the privacy of individuals, while enabling and facilitating the free-flow of personal data. On the build-up to that date, at Reapit, our priority was to prepare our business and our software solutions with the changes to data protection that the GDPR introduced and, now that the GDPR is live, we continue to enhance and refine our products to ensure compliance.
With the arrival of the GDPR, the need for a business to have a single repository for client data is evermore important; Reapit provides just that - a single view - one view of your customer across sales and lettings, property management and client accounts, desktop and mobile. A single platform means that all your GDPR sensitive data is stored securely in one place, making the possibilities of a data breach much less.
About this guide
This guide is intended to help our valued clients to work with the GDPR and to explain how we can help. In this document, you will find a brief overview of the GDPR, the legal bases for processing personal data that the GDPR permits and the individual rights that organisations should uphold. We then describe details of the various functions in the Reapit CRM product that you may use to process data fairly and lawfully and uphold individual rights. Our aim is not to discuss the entire Regulation, but to address the key points which are most relevant to our relationship with clients.
It is important to note that compliance with the GDPR is more about understanding and adapting business processes and documenting activities than it is about technical changes. That said, we are here to help technologically. As every business processes data in different ways, for different purposes, you should carry out your own assessment on how your business readies itself for this legislative change. There is plenty of information in the public domain about how to become compliant, but we would recommend that you only follow the official sources and seek your own legal counsel to determine how the GDPR applies to your company and how to ensure compliance with the rules it introduces.
Each country in the European Union has a Data Protection Authority responsible for data protection and the GDPR in the relevant territories. These Authorities have detailed and easy to understand guidance on how organisations should prepare.
For United Kingdom visit: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
For Republic of Ireland visit: http://gdprandyou.ie/organisations/
This guide contains sections on:
What is the GDPR?
The General Data Protection Regulation (EU) 2016/679 is a European privacy law proposed by the European Commission in 2012 and approved by the European Parliament and the Council of the EU in 2016. The GDPR replaced a prior European Union Privacy Directive (95/46/EC) which has been the basis of European data protection law since 1995. In common with other Regulations, the GDPR is a binding and directly applicable act which must be followed in its entirety throughout the EU. Many of the provisions of the GDPR offer leeway for Member States to interpret and implement in line with applicable national law, e.g. gaps to be filled by national authorities and laws, such as the UK Data Protection Bill that is currently debated in parliament. The GDPR regulates, among other things, how individuals and organisations may obtain, use, share and erase personal data. It will have a significant impact on businesses around the world. |
When did it come into effect & who does it affect?
The GDPR became law from 25th May 2018. It affects: (1) all organisations established in the EU that process personal data (2) all organisations established anywhere in the world that process personal data of any EU resident. |
Is it a new law?
Yes and no. The GDPR builds on the principles established by the 1995 Data Protection Directive (implemented via the UK Data Protection Act (DPA) 1998). It applies to the same type of information, but the definition of personal data is expanded. It relies on broadly the same legal principles, but introduces a new principle that requires more documentation, namely the accountability principle. With regard to data processing, the GDPR relies on the same legal justifications laid down under previous law, but the requirements for consent and legitimate interest are more stringent. The GDPR protects the same data subject rights, but it expands on them to include a few new ones. However, the most significant change in relation to our relationship with clients are the new rules the GDPR introduced in relation to our contractual rights and obligations. |
What information does the GDPR apply to?
The GDPR covers all ‘personal data’ relating to identifiable living individuals. In relation to defining personal data, the main difference between the previous data protection legislation and the GDPR is that the latter is more prescriptive, including in the definition of ‘online identifiers’ – examples include an IP address of a person’s internet connection, cookie identifiers placed by websites, geo-location data and others. The following list is not exhaustive, but serves to show the information that can be considered as personal data:
The GDPR, like the previous legislation, also references ‘special categories of personal data’, relating to sensitive information such as religious beliefs, ethnic origin and political opinions, as well as genetic and biometric data. Although there are not many items of sensitive personal data an agent needs to process, it is entirely possible that sensitive information will be included on documents that an agent has to store or use, such as those relating to ID checks, so due care should be taken. |
Can we process personal data without the individual's consent?
For processing of personal data to be lawful, each organisation must ensure that there is a lawful basis for that processing to commence and that the processing is done in accordance with the fairness principles. The GDPR makes reference to six lawful bases and to seven principles:
Fair processing principles | Lawful processing bases |
---|---|
Lawfulness, fairness and transparency | Consent (recorded, revocable, purpose-specific, informed, freely given by a positive action) |
Purpose limitation | Contractual (performing, negotiating or entering into) |
Data minimisation | Legitimate Interest (e.g. reasonable and proportionate commercial interest) |
Data accuracy | Legal Obligation (other legislation, such as health and safety, tax, criminal law, etc.) |
Storage limitation | Vital Interests (e.g. health hazard) |
Integrity and confidentiality | Public Task (e.g. administration of justice) |
Accountability |
Each time you process personal data, you should be able to reference at least one of these as your lawful basis for processing the data and you should be able to satisfy all of the principles. Businesses often use contract and legitimate interest as justification of the processing they do in relation their core day-to day activities and, in most (but not all) cases, consent in relation to their direct marketing activities. Note that a specific consent requirement for direct marketing specifically is not a new requirement of the GDPR, but an existing requirement under the UK Privacy and Electronic Communications (EC Directive) Regulation 2003 (PECR).
Example: processing an applicant’s name, address and phone number to book a viewing
Possible lawful basis for processing personal data: Contractual
As a viewing is an attempt to persuade an applicant to enter into a contract with your client, it is necessary to obtain the details of the applicant before a viewing in order to process them for contact relating to the viewing.
When would we really need consent?
In many cases, especially those relating to marketing activities, consent is used as the lawful basis for processing personal data. As you can see in the following sections of this document, with respect to the marketing consent options on the Reapit contact record, our solution is both robust and versatile to assist in your efforts to manage consent for your client records and associated personal data. To satisfy the requirements of the GDPR, you should be prepared to make an informed decision about how you process personal data for data subjects for whom you have not obtained consent. However, before entering into any marketing campaigns for the purpose of satisfying these requirements (e.g. ‘consent renewal’ campaigns), you must ensure you are not infringing the direct marketing rules that currently apply to such processing under the PECR. We recommend that you seek your own legal advice on the lawful basis by which you process personal data for marketing purposes.
Last but not least, it should be noted that, from a data storage/retention perspective, it is likely that you will need to retain certain records for a period of time necessary to comply with certain requirements stemming from other legislation, such as those which cover financial, tax and insurance obligations. Your obligation to retain such records applies notwithstanding the relevant individual’s consent preferences. |
How your Reapit CRM product can help you in respect of managing consent
Marketing consent options
Three consent options are available in the Marketing Consent menu on the contact record (available from version 12.86+). Selecting a Marketing Consent option and saving the contact record automatically adds an entry to the contact journal; see following section Automatic logging of consent status changes for more information.
1. Consent given |
2. Consent denied |
3. Consent not asked Consent not asked is the default option given to any new contact added; meaning that marketing is not permitted for these contacts until Consent given is selected on their contact record. |
Migrating your existing data (for version 12.85 & below)
For contacts currently in version 12.85 and below, the two existing tick-box settings on the contact record titled Opt out of direct marketing and Asked to opt in/out will be used to determine the equivalent consent in the new Marketing consent menu, where only a single option needs to be selected (as outlined above). This new menu is available from version 12.86+.
The two options pre-version 12.86 will be mapped to the single option in version 12.86+, as follows:
Contact consent options pre 12.86 | Equivalent consent option in 12.86+ |
---|---|
Opt out of direct marketing - enabled Asked to opt in/out - enabled | Consent denied |
Opt out of direct marketing - enabled Asked to opt in/out - disabled | Consent denied |
Opt out of direct marketing - disabled Asked to opt in/out - enabled | Consent given |
Opt out of direct marketing - disabled Asked to opt in/out - disabled | Consent not asked |
Reapit recommend that you establish a legal basis for marketing to contacts who do not have a Consent given flag after 25th May 2018
Automatic logging of consent changes
Changes to a contact’s marketing status are automatically logged in the following places
1. Contact record Marketing Consent menu
|
2. Activity Feed showing changes to consent After changing and saving marketing consent settings, details are shown in the Activity Feed |
3. Contact journal
|
Contact Mailing & Event consent options
The option to subscribe, unsubscribe and opt out contacts from specific mailings and events is available These more granular level options can be used to manage consent for specific types of communication and other processing activities. From the contact record:
Subscribe vs Opt Out
|
Power Reports for marketing consent status
Power Reports can be used to generate a list of contacts according to their Marketing consent status A predefined report can be downloaded from here: Power Reports library - see Compliance section, report titled Current vendor/landlord marketing consent option |
Individual Rights
The GDPR provides the following rights for individuals (data subject rights), many of which are already in effect under the Data Protection Act 1998:
Amongst others, key changes to note under the GDPR are as follows:
Reapit software already has embedded functionality sufficient to process and fulfil some of these rights, for example allowing amendment and/or export of personal data within the database. However, it should be noted that most of these data subject rights are not absolute and they are subject to a number of restrictions that have yet to be clarified by the ICO. Therefore you should carefully verify any data subject request, taking into account the latest guidance from the ICO before you respond to it. Example: you receive a Subject Access Request from a previous tenant Individual right: the right of access Information on the personal data that you hold about an individual must be provided to them on request without delay and, at the latest, within one month (extendable by 2 more months) of receipt of their request once you have verified their identity and you are satisfied no exemptions apply. A copy of their contact record and related data should then be exported from the Reapit database. See the following section for information on how Reapit software can help you be GDPR compliant |
How Reapit software can help you be GDPR-compliant in respect of Individual Rights
Features and functions in Reapit software can help you promptly respond to client requests pursuing their GDPR-expanded Individual Rights
The following list identifies how Reapit software can help you deliver to your clients in a GDPR-compliant manner
1. The right of access and 2. The right to rectificationWhen a legitimate request has been received for data to be rectified, Reapit software has full ability to allow this to be carried out. Using Reapit's mobile solution, this can even be done out of hours and, when using Reapit's Online Self-Service Portals, individuals can see their data online and can easily make a request to amend their records. In accordance with the current Data Protection Act, it has always been a requirement to allow individuals access to their personal data; however, the GDPR goes a little further and requires that personal data can be requested along with other supplementary information. In most circumstances you would not be able to charge an individual for the right to request this information! The Reapit software has built-in reporting capability to export personal data held. As shown below, the Print option on a contact record automatically pulls together all the data held for a client, including their contact details, mailings you have subscribed them to and any employment details. This report can be printed and/or saved as a PDF file and sent to the client. Print options are also available in the applicant, property, tenancy and landlord journals - which again detail what is being held.
Before passing any information on to an individual who requests it, Reapit recommend that the information is carefully verified to ensure that it does not include personal data relating to another individual; for example, reference may be made to another tenant or joint buyer. |
3. The right to erasure (the so called 'right to be forgotten')As we have always recognised the value of protecting contact information for the purposes of reporting and maintaining contact history, we have only ever offered our clients the ability to archive their contacts and associated roles. However, in order to provide full GDPR compliance functionality, we have developed and implemented the ability to remove personally identifiable information of a specific contact in the Reapit database, either singularly or in bulk. In order to maintain referential integrity of the database, this is handled by anonymisation of some parts of a record and deletion of others. When a contact is erased, there are a number of validation checks performed before the deletion process is performed. Checks are made on the contact and its associated roles (applicant, vendor, landlord, tenant) to determine whether the contact can be erased. To ensure that this powerful tool is used correctly, the ability to erase a contact is only given to authorised users within an organisation. When authorised, usually only a single contact record can be erased. A bulk erasure tool is also available, allowing multiple contacts to be erased - but again, the ability to use this tool is restricted to authorised users. |
4. The right to restrict processingAs discussed in earlier sections, Reapit software provides the facility to restrict processing using the archive, inactivity and consent denial functions. The alert function can also be used alongside the aforementioned functions to advise other users when/why a record is in this state. An alert, when set up on a contact record (as shown below), is displayed in the Activity Feed area on every role screen the contact has – for this example, the alert will also be shown on the applicant screen for the contact as an applicant. From the contact record, Activity Feed panel (on right):
|
5. The right to data portabilityWhilst it is unlikely that an individual will request to port their data to another provider, Reapit software already has the facility to allow export of personal data into a machine readable format that can be used by another software system. |
6. The right to objectBroadly, the right to object means that all contacts held on your database (i.e. Data Subjects) have the right to object to you processing their data. This will largely depend on what you have defined as your Lawful Bases for holding and processing data. If, in most cases, consent is being relied on for onward processing by third party software – the Marketing Consent functionality on a contact record can be used. The Reapit software has always offered the logging of marketing preferences within the central contact record, along with options allowing users to be subscribed/unsubscribed and opted out from specific mailings and events. With the introduction of GDPR, the contact record has been further enhanced to make this even easier and, used alongside Power Reports, lists of contacts who have opted in/out can be easily obtained. See earlier sections for information on the Marketing Consent options and associated sections on the Automatic logging of consent changes, Contact Mailing & Events Consent Options plus Power Reports for Marketing Consent Status and Mailing & Event Subscriptions If you are relying on Legitimate Interests to process data, then this needs to be explicitly and clearly documented in an accessible location, such as your Privacy Policy. Usual functionality like making a contact record inactive or archiving (shown above) can be used for this. For information on handling the full removal of data, see point 3 entitled Right to erasure |
7. Rights in relation to automated decision making and profilingThis right covers the provision within GDPR on:
Effectively this includes any processing that you undertake without human intervention. The Reapit software has a number of tools that allow data to be easily processed and does the heavy-lifting for you; however, there is always a human element to any process whereby an intervention can be made. It is likely to become more relevant when data is exported and manipulated by an external Electronic Direct Mail provider, where decisions on Mailing journeys may be made by that software. What you must do is ensure that the Data Subjects are aware of this type of processing via notifications of the like that are included within your Privacy Policy and that you are explicit on the lawful reason for doing so. There must be a way to interrupt that automation routine. You must also ensure that you have a lawful reason for doing this such as Contractual or Consent. The type of automation within estate agency is likely to use a third party mailing provider, in which case Consent is most likely to be relied upon; this consent must be explicitly given. |
What does the GDPR mean for Reapit and our clients?
For the purposes of data protection law, and in the context of Reapit software and our related products and services, we will typically act as a data processor on behalf of our clients, who will themselves typically act as data controllers. It is the Reapit client who collects personal data, enters it into their database and decides how to use it further. Reapit processes this data solely under the instructions of the users and in accordance with our Terms & Conditions as updated from time to time. The GDPR introduced new responsibilities to data processors that are relevant to our relationship as detailed below. Reapit have either implemented the following requirements or are currently in the process of rolling these out:
We have implemented the majority of the requirements listed above and those that are not finalised yet are in the final stages of completion. As part of our ongoing commitment to assist clients in conforming to their obligations under data protection law, we have introduced new functionality and updated existing tools to provide a robust technological platform upon which GDPR compliance can be managed effectively. In particular, Reapit software will provide you with:
The key functionality enhancements listed above are illustrated in the previous sections. For more on the future of the controller-processor relationship, visit the ICO's guide: |
What next?
Reapit will continue to review the product offering and features in light of customer requirements, while analysing what more can be done to help you be compliant If you have any questions or feedback about the GDPR in relation to a specific use of our services, please don’t hesitate to get in touch with your Reapit Customer Success Manager (CSM) |