GDPR & Reapit

The General Data Protection Regulation (EU) 2016/679 is a European privacy law proposed by the European Commission in 2012 and approved by the European Parliament and the Council of the EU in 2016. The GDPR replaced a prior European Union Privacy Directive (95/46/EC) which has been the basis of European data protection law since 1995.

In common with other Regulations, the GDPR is a binding and directly applicable act which must be followed in its entirety throughout the EU. Many of the provisions of the GDPR offer leeway for Member States to interpret and implement in line with applicable national law, e.g. gaps to be filled by national authorities and laws, such as the UK Data Protection Bill that is currently debated in parliament. The GDPR regulates, among other things, how individuals and organisations may obtain, use, share and erase personal data. It will have a significant impact on businesses around the world.

The GDPR became law from 25th May 2018. It affects:

(1) all organisations established in the EU that process personal data

(2) all organisations established anywhere in the world that process personal data of any EU resident.

Yes and no. The GDPR builds on the principles established by the 1995 Data Protection Directive (implemented via the UK Data Protection Act (DPA) 1998). It applies to the same type of information, but the definition of personal data is expanded. It relies on broadly the same legal principles, but introduces a new principle that requires more documentation, namely the accountability principle. With regard to data processing, the GDPR relies on the same legal justifications laid down under previous law, but the requirements for consent and legitimate interest are more stringent. The GDPR protects the same data subject rights, but it expands on them to include a few new ones.

However, the most significant change in relation to our relationship with clients are the new rules the GDPR introduced in relation to our contractual rights and obligations.

The GDPR covers all ‘personal data’ relating to identifiable living individuals. In relation to defining personal data, the main difference between the previous data protection legislation and the GDPR is that the latter is more prescriptive, including in the definition of ‘online identifiers’ – examples include an IP address of a person’s internet connection, cookie identifiers placed by websites, geo-location data and others.

The following list is not exhaustive, but serves to show the information that can be considered as personal data:

• name

• address

• financial information

• contact numbers and addresses

• physical identifiers (e.g. ID and photos).

The GDPR, like the previous legislation, also references ‘special categories of personal data’, relating to sensitive information such as religious beliefs, ethnic origin and political opinions, as well as genetic and biometric data. Although there are not many items of sensitive personal data an agent needs to process, it is entirely possible that sensitive information will be included on documents that an agent has to store or use, such as those relating to ID checks, so due care should be taken.

Lawfulness, fairness and transparency

Consent (recorded, revocable, purpose-specific, informed, freely given by a positive action)

Purpose limitation

Contractual (performing, negotiating or entering into)

Data minimisation

Legitimate Interest (e.g. reasonable and proportionate commercial interest)

Data accuracy

Legal Obligation (other legislation, such as health and safety, tax, criminal law, etc.)

Storage limitation

Vital Interests (e.g. health hazard)

Integrity and confidentiality

Public Task (e.g. administration of justice)

Accountability

In many cases, especially those relating to marketing activities, consent is used as the lawful basis for processing personal data. As you can see in the following sections of this document, with respect to the marketing consent options on the Reapit contact record, our solution is both robust and versatile to assist in your efforts to manage consent for your client records and associated personal data.

To satisfy the requirements of the GDPR, you should be prepared to make an informed decision about how you process personal data for data subjects for whom you have not obtained consent. However, before entering into any marketing campaigns for the purpose of satisfying these requirements (e.g. ‘consent renewal’ campaigns), you must ensure you are not infringing the direct marketing rules that currently apply to such processing under the PECR. We recommend that you seek your own legal advice on the lawful basis by which you process personal data for marketing purposes.

• For valid consent under the GDPR consult the ICO guidance: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/

• For valid consent under the PECR consult the ICO guidance: https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/

Last but not least, it should be noted that, from a data storage/retention perspective, it is likely that you will need to retain certain records for a period of time necessary to comply with certain requirements stemming from other legislation, such as those which cover financial, tax and insurance obligations. Your obligation to retain such records applies notwithstanding the relevant individual’s consent preferences.

1. Consent given

Open

2. Consent denied

Open

3. Consent not asked

Consent not asked is the default option given to any new contact added; meaning that marketing is not permitted for these contacts until Consent given is selected on their contact record.

Opt out of direct marketing - enabled

Asked to opt in/out - enabled

Consent denied

Opt out of direct marketing - enabled

Asked to opt in/out - disabled

Consent denied

Opt out of direct marketing - disabled

Asked to opt in/out - enabled

Consent given

Opt out of direct marketing - disabled

Asked to opt in/out - disabled

Consent not asked

1. Contact record Marketing Consent menu

• Click Marketing Consent and select View consent details

• Consent change history is displayed

2. Activity Feed showing changes to consent

After changing and saving marketing consent settings, details are shown in the Activity Feed

3. Contact journal

• Click the Journal button and select Miscellaneous
  Or double-click an entry in the Activity Feed, as shown in point 2 above

The option to subscribe, unsubscribe and opt out contacts from specific mailings and events is available These more granular level options can be used to manage consent for specific types of communication and other processing activities.

From the contact record:

• Click Categories & Mailings
  Mailing Subscriptions and Event Subscriptions sections show currently available mailings and events

• Hover over a subscribed mailing/event to view:

  • information relating to when the contact was subscribed to it and who actioned this

  • an Opt out link
    Any subscriptions where the contact has chosen to opt out can also be clearly identified

Power Reports can be used to generate a list of contacts according to their Marketing consent status

A predefined report can be downloaded from here: https://reapit.atlassian.net/wiki/spaces/RW/pages/1646657651 - see Compliance section, report titled Current vendor/landlord marketing consent option

The GDPR provides the following rights for individuals (data subject rights), many of which are already in effect under the Data Protection Act 1998:

1. The right to be informed

2. The right of access

3. The right to rectification

4. The right to erasure

5. The right to restrict processing

6. The right to data portability

7. The right to object to processing including profiling.

Amongst others, key changes to note under the GDPR are as follows:

• the data subject rights provided under the DPA are slightly expanded

• the applicable response timeframe is shortened by 10 days

• the permitted £10 data protection request fee is abolished

• the data controller must inform individuals of their rights.

Reapit software already has embedded functionality sufficient to process and fulfil some of these rights, for example allowing amendment and/or export of personal data within the database.

However, it should be noted that most of these data subject rights are not absolute and they are subject to a number of restrictions that have yet to be clarified by the ICO. Therefore you should carefully verify any data subject request, taking into account the latest guidance from the ICO before you respond to it.

Example: you receive a Subject Access Request from a previous tenant

Individual right: the right of access

Information on the personal data that you hold about an individual must be provided to them on request without delay and, at the latest, within one month (extendable by 2 more months) of receipt of their request once you have verified their identity and you are satisfied no exemptions apply. A copy of their contact record and related data should then be exported from the Reapit database.

1. The right of access and 2. The right to rectification

When a legitimate request has been received for data to be rectified, Reapit software has full ability to allow this to be carried out. Using Reapit's mobile solution, this can even be done out of hours and, when using Reapit's Online Self-Service Portals, individuals can see their data online and can easily make a request to amend their records.

In accordance with the current Data Protection Act, it has always been a requirement to allow individuals access to their personal data; however, the GDPR goes a little further and requires that personal data can be requested along with other supplementary information. In most circumstances you would not be able to charge an individual for the right to request this information!

The Reapit software has built-in reporting capability to export personal data held. As shown below, the Print option on a contact record automatically pulls together all the data held for a client, including their contact details, mailings you have subscribed them to and any employment details. This report can be printed and/or saved as a PDF file and sent to the client. Print options are also available in the applicant, property, tenancy and landlord journals - which again detail what is being held.

• On the contact record, click Print (top right)

3. The right to erasure (the so called 'right to be forgotten')

As we have always recognised the value of protecting contact information for the purposes of reporting and maintaining contact history, we have only ever offered our clients the ability to archive their contacts and associated roles. However, in order to provide full GDPR compliance functionality, we have developed and implemented the ability to remove personally identifiable information of a specific contact in the Reapit database, either singularly or in bulk.

In order to maintain referential integrity of the database, this is handled by anonymisation of some parts of a record and deletion of others. When a contact is erased, there are a number of validation checks performed before the deletion process is performed. Checks are made on the contact and its associated roles (applicant, vendor, landlord, tenant) to determine whether the contact can be erased.

To ensure that this powerful tool is used correctly, the ability to erase a contact is only given to authorised users within an organisation. When authorised, usually only a single contact record can be erased. A bulk erasure tool is also available, allowing multiple contacts to be erased - but again, the ability to use this tool is restricted to authorised users.

4. The right to restrict processing

As discussed in earlier sections, Reapit software provides the facility to restrict processing using the archive, inactivity and consent denial functions. The alert function can also be used alongside the aforementioned functions to advise other users when/why a record is in this state.

An alert, when set up on a contact record (as shown below), is displayed in the Activity Feed area on every role screen the contact has – for this example, the alert will also be shown on the applicant screen for the contact as an applicant.

From the contact record, Activity Feed panel (on right):

• Click and select Create contact alert

• Enter the alert text and click cross (top right)

• The alert is shown at the top of the Activity Feed section

5. The right to data portability

Whilst it is unlikely that an individual will request to port their data to another provider, Reapit software already has the facility to allow export of personal data into a machine readable format that can be used by another software system.

6. The right to object

Broadly, the right to object means that all contacts held on your database (i.e. Data Subjects) have the right to object to you processing their data. This will largely depend on what you have defined as your Lawful Bases for holding and processing data. If, in most cases, consent is being relied on for onward processing by third party software – the Marketing Consent functionality on a contact record can be used.

The Reapit software has always offered the logging of marketing preferences within the central contact record, along with options allowing users to be subscribed/unsubscribed and opted out from specific mailings and events. With the introduction of GDPR, the contact record has been further enhanced to make this even easier and, used alongside Power Reports, lists of contacts who have opted in/out can be easily obtained.

See earlier sections for information on the Marketing Consent options and associated sections on the Automatic logging of consent changes, Contact Mailing & Events Consent Options plus Power Reports for Marketing Consent Status and Mailing & Event Subscriptions

If you are relying on Legitimate Interests to process data, then this needs to be explicitly and clearly documented in an accessible location, such as your Privacy Policy. Usual functionality like making a contact record inactive or archiving (shown above) can be used for this.

7. Rights in relation to automated decision making and profiling

This right covers the provision within GDPR on:

• automated individual decision-making (making a decision solely by automated means without any human involvement); and

• profiling (automated processing of personal data to evaluate certain characteristics of an individual). Profiling can be part of an automated decision-making process.

Effectively this includes any processing that you undertake without human intervention. The Reapit software has a number of tools that allow data to be easily processed and does the heavy-lifting for you; however, there is always a human element to any process whereby an intervention can be made.

It is likely to become more relevant when data is exported and manipulated by an external Electronic Direct Mail provider, where decisions on Mailing journeys may be made by that software.

What you must do is ensure that the Data Subjects are aware of this type of processing via notifications of the like that are included within your Privacy Policy and that you are explicit on the lawful reason for doing so. There must be a way to interrupt that automation routine. You must also ensure that you have a lawful reason for doing this such as Contractual or Consent.

The type of automation within estate agency is likely to use a third party mailing provider, in which case Consent is most likely to be relied upon; this consent must be explicitly given.

For the purposes of data protection law, and in the context of Reapit software and our related products and services, we will typically act as a data processor on behalf of our clients, who will themselves typically act as data controllers. It is the Reapit client who collects personal data, enters it into their database and decides how to use it further. Reapit processes this data solely under the instructions of the users and in accordance with our Terms & Conditions as updated from time to time.

The GDPR introduced new responsibilities to data processors that are relevant to our relationship as detailed below. Reapit have either implemented the following requirements or are currently in the process of rolling these out:

• to have a written agreement in place with our clients and suppliers

• to ensure our employees with access to your data are subject to a duty of confidence

• to ensure the security of processing activities

• to notify you of any sub-processing relevant to your business

• to assist you in fulfilling your duties with respect to the exercise of your customers’ privacy rights

• to assist you in your obligations relating to security, data breaches and data protection impact assessments

• to assist you with inspections by the Information Commissioner's Office (ICO)

• to return to you all your data upon expiry of our contract should you request us to do so.

We have implemented the majority of the requirements listed above and those that are not finalised yet are in the final stages of completion.

As part of our ongoing commitment to assist clients in conforming to their obligations under data protection law, we have introduced new functionality and updated existing tools to provide a robust technological platform upon which GDPR compliance can be managed effectively. In particular, Reapit software will provide you with:

• assistance with data subject rights

• assistance with your legal basis for processing; Reapit software will include functionality to help you:

  • record obtaining of consent

  • granulate consent for different purposes

  • manage consent

  • record withdrawal of consent

  • report on the consent preferences of your database

• assistance with your accountability responsibility; the contact journal, when maintained properly, keeps track of all significant (personal data) processing activities in relation to a specific contact record that can be exported and delivered upon request.

The key functionality enhancements listed above are illustrated in the previous sections.

For more on the future of the controller-processor relationship, visit the ICO's guide:

Reapit will continue to review the product offering and features in light of customer requirements, while analysing what more can be done to help you be compliant

If you have any questions or feedback about the GDPR in relation to a specific use of our services, please don’t hesitate to get in touch with your Reapit Customer Success Manager (CSM)