GDPR & Reapit
This guide has been reviewed against our global client base and classed as relevant to the UK only
Please note that this guide is for informational purposes to help your understanding
It should not be relied on as legal advice
When the GDPR came into effect on 25th May 2018, it introduced a number of new requirements to protect the privacy of individuals while enabling the free flow of personal data. In the build-up to that date, Reapit's priority was to prepare our business and our software solutions for the changes to data protection that the GDPR introduced and, now that the GDPR is live, we continue to enhance and refine our products to support compliance.
With the arrival of the GDPR, the need for a business to hold its client data in a single repository is more important than ever; Reapit provides just that: a single view of your customer across sales and lettings, property management and client accounts, desktop and mobile. A single platform means that the personal data the GDPR applies to is stored securely in one place rather than scattered across spreadsheets and separate systems, which reduces the number of places a breach can occur and makes it easier to locate, correct and erase records when a data subject asks you to.
About this guide
This guide is intended to help our valued clients to work with the GDPR and to explain how we can help. In this document, you will find a brief overview of the GDPR, the legal bases for processing personal data that the GDPR permits and the individual rights that organisations should uphold. We then describe details of the various functions in the Reapit CRM product that you may use to process data fairly and lawfully and uphold individual rights. Our aim is not to discuss the entire Regulation, but to address the key points which are most relevant to our relationship with clients.
It is important to note that compliance with the GDPR is more about understanding and adapting business processes and documenting activities than it is about technical changes. That said, we are here to help technologically. As every business processes data in different ways, for different purposes, you should carry out your own assessment on how your business readies itself for this legislative change. There is plenty of information in the public domain about how to become compliant, but we would recommend that you only follow the official sources and seek your own legal counsel to determine how the GDPR applies to your company and how to ensure compliance with the rules it introduces.
Each country in the European Union has a Data Protection Authority responsible for data protection and the GDPR in the relevant territories. These Authorities have detailed and easy to understand guidance on how organisations should prepare.
For United Kingdom visit: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
For Republic of Ireland visit: http://gdprandyou.ie/organisations/
This guide contains sections on:
- 1 What is the GDPR?
- 2 When did it come into effect & who does it affect?
- 3 Is it a new law?
- 4 What information does the GDPR apply to?
- 5 Can we process personal data without the individual's consent?
- 6 When would we really need consent?
- 7 How your Reapit CRM product can help you in respect of managing consent
- 8 Individual Rights
- 9 How Reapit software can help you be GDPR-compliant in respect of Individual Rights
- 10 What does the GDPR mean for Reapit and our clients?
- 11 What next?
What is the GDPR?
The General Data Protection Regulation (EU) 2016/679 is a European privacy law proposed by the European Commission in 2012 and approved by the European Parliament and the Council of the EU in 2016. The GDPR replaced the earlier EU Data Protection Directive (95/46/EC), which had been the basis of European data protection law since 1995. In common with other Regulations, the GDPR is a binding and directly applicable act which must be followed in its entirety throughout the EU. Many of its provisions nevertheless leave room for Member States to interpret and implement them in line with national law, with gaps filled by national authorities and legislation such as the UK Data Protection Bill (now the Data Protection Act 2018). The GDPR regulates, among other things, how individuals and organisations may obtain, use, share and erase personal data. It has a significant impact on businesses around the world.
When did it come into effect & who does it affect?
The GDPR became law on 25th May 2018. It affects: (1) all organisations established in the EU that process personal data; and (2) organisations established anywhere else in the world that process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour.
Is it a new law?
Yes and no. The GDPR builds on the principles established by the 1995 Data Protection Directive (implemented in the UK via the Data Protection Act (DPA) 1998). It applies to the same type of information, but the definition of personal data is expanded. It relies on broadly the same legal principles, but introduces a new principle that requires more documentation, namely the accountability principle. With regard to data processing, the GDPR relies on the same legal justifications laid down under previous law, but the requirements for consent and legitimate interest are more stringent. The GDPR protects the same data subject rights, but expands on them and adds a few new ones. However, the most significant change in relation to our relationship with clients is the new set of rules the GDPR introduced in relation to our contractual rights and obligations.
What information does the GDPR apply to?
The GDPR covers all 'personal data' relating to identifiable living individuals. In relation to defining personal data, the main difference between the previous data protection legislation and the GDPR is that the latter is more prescriptive, expressly including 'online identifiers'. Examples of information that can be considered personal data include an individual's name and contact details, the IP address of a person's internet connection, cookie identifiers placed by websites, geo-location data and others; this list is not exhaustive.
The GDPR, like the previous legislation, also references 'special categories of personal data', relating to sensitive information such as religious beliefs, ethnic origin and political opinions, as well as genetic and biometric data. Processing special category data requires one of the additional conditions in Article 9 of the GDPR on top of a lawful basis. Although there are not many items of special category data an agent needs to process, it is entirely possible that sensitive information will be included on documents that an agent has to store or use, such as those relating to ID checks, so due care should be taken.
Can we process personal data without the individual's consent?
For processing of personal data to be lawful, each organisation must ensure that there is a lawful basis for that processing to commence and that the processing is done in accordance with the fairness principles. The GDPR makes reference to six lawful bases and to seven principles:
Fair processing principles | Lawful processing bases
---|---
Lawfulness, fairness and transparency | Consent (recorded, revocable, purpose-specific, informed, freely given by a positive action)
Purpose limitation | Contractual (performing, negotiating or entering into a contract)
Data minimisation | Legitimate Interest (e.g. a reasonable and proportionate commercial interest)
Data accuracy | Legal Obligation (other legislation, such as health and safety, tax, criminal law, etc.)
Storage limitation | Vital Interests (e.g. a health hazard)
Integrity and confidentiality | Public Task (e.g. administration of justice)
Accountability | 
Each time you process personal data, you should be able to reference at least one of these as your lawful basis for processing the data, and you should be able to satisfy all of the principles. Businesses often rely on contract and legitimate interest to justify the processing they do in relation to their core day-to-day activities and, in most (but not all) cases, on consent for their direct marketing activities. Note that the consent requirement for direct marketing is not new with the GDPR: it is an existing requirement under the UK Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
Example: processing an applicant's name, address and phone number to book a viewing
Possible lawful basis for processing personal data: Contractual
A viewing is a step towards the applicant entering into a contract with your client, and it is the applicant who has asked for it. Obtaining the applicant's details before the viewing, and using them for contact relating to the viewing, is therefore necessary in order to take steps at the applicant's request prior to entering into a contract.
When would we really need consent?
In many cases, especially those relating to marketing activities, consent is used as the lawful basis for processing personal data. As you can see in the following sections of this document, with respect to the marketing consent options on the Reapit contact record, our solution is both robust and versatile to assist in your efforts to manage consent for your client records and associated personal data. To satisfy the requirements of the GDPR, you should be prepared to make an informed decision about how you process personal data for data subjects for whom you have not obtained consent. However, before entering into any marketing campaigns for the purpose of satisfying these requirements (e.g. ‘consent renewal’ campaigns), you must ensure you are not infringing the direct marketing rules that currently apply to such processing under the PECR. We recommend that you seek your own legal advice on the lawful basis by which you process personal data for marketing purposes.
Last but not least, it should be noted that, from a data storage/retention perspective, it is likely that you will need to retain certain records for as long as is necessary to comply with requirements stemming from other legislation, such as those which cover financial, tax and insurance obligations. Your obligation to retain such records applies notwithstanding the relevant individual's consent preferences.
How your Reapit CRM product can help you in respect of managing consent
Marketing consent options
Three consent options are available in the Marketing Consent menu on the contact record (available from version 12.86+). Selecting a Marketing Consent option and saving the contact record automatically adds an entry to the contact journal; see the section Automatic logging of consent changes below for more information.
1. Consent given
2. Consent denied
3. Consent not asked. This is the default option given to any new contact added, meaning that marketing is not permitted for these contacts until Consent given is selected on their contact record.
Migrating your existing data (for version 12.85 & below)
For contacts currently in version 12.85 and below, the two existing tick-box settings on the contact record titled Opt out of direct marketing and Asked to opt in/out will be used to determine the equivalent consent in the new Marketing consent menu, where only a single option needs to be selected (as outlined above). This new menu is available from version 12.86+.
The two tick-box options pre-version 12.86 are mapped to the single option in version 12.86+ as follows:
Opt out of direct marketing (pre 12.86) | Asked to opt in/out (pre 12.86) | Equivalent consent option in 12.86+
---|---|---
enabled | enabled | Consent denied
enabled | disabled | Consent denied
disabled | enabled | Consent given
disabled | disabled | Consent not asked
Note that an enabled Opt out of direct marketing always maps to Consent denied, whatever the Asked to opt in/out setting. Reapit recommends that you establish a lawful basis for marketing to any contact whose record does not have Consent given set after 25th May 2018.
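As an added illustration (not Reapit's own migration code or data model), the following Python sketch applies the mapping above to a set of legacy contact records, gates marketing on an explicit Consent given, journals each change in the way the guide describes, and then checks the two invariants a practitioner would want to confirm before running a mailing: no contact who had opted out is marketable, and nobody becomes marketable without having been asked. The Contact fields, the journal line format and the sample contacts are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Consent(Enum):
    """The single Marketing Consent option available from version 12.86+."""
    GIVEN = "Consent given"
    DENIED = "Consent denied"
    NOT_ASKED = "Consent not asked"   # default for every new contact


@dataclass
class Contact:
    """Hypothetical contact record (assumed shape, not Reapit's schema):
    the two pre-12.86 tick-boxes, the new single option and a journal."""
    contact_id: str
    opt_out_of_direct_marketing: bool
    asked_to_opt_in_out: bool
    marketing_consent: Consent = Consent.NOT_ASKED
    journal: list = field(default_factory=list)


def map_legacy_consent(opt_out: bool, asked: bool) -> Consent:
    """The mapping table from the guide. An enabled opt-out always wins;
    'asked' is only consulted when the contact has not opted out."""
    if opt_out:
        return Consent.DENIED
    return Consent.GIVEN if asked else Consent.NOT_ASKED


def marketing_permitted(contact: Contact) -> bool:
    """Default-deny gate: only an explicit Consent given permits marketing."""
    return contact.marketing_consent is Consent.GIVEN


def migrate(contacts, when="2018-05-25", who="migration"):
    """Set the new option on every contact and journal the change, mirroring
    the automatic journal entry written when consent is saved on a record."""
    for c in contacts:
        new = map_legacy_consent(c.opt_out_of_direct_marketing,
                                 c.asked_to_opt_in_out)
        c.journal.append(
            f"{when} {who}: Marketing Consent "
            f"{c.marketing_consent.value} -> {new.value}")
        c.marketing_consent = new
    return contacts


def check_migration(contacts) -> dict:
    """Post-migration invariants: a contact is marketable only if they were
    not opted out AND had been asked. Returns a small summary for review."""
    violations = [
        c.contact_id for c in contacts
        if marketing_permitted(c)
        and (c.opt_out_of_direct_marketing or not c.asked_to_opt_in_out)
    ]
    permitted = sum(marketing_permitted(c) for c in contacts)
    return {"total": len(contacts), "permitted": permitted,
            "violations": violations}


# Constructed sample data: one contact per row of the mapping table.
SAMPLE_CONTACTS = [
    Contact("C1", opt_out_of_direct_marketing=True, asked_to_opt_in_out=True),
    Contact("C2", opt_out_of_direct_marketing=True, asked_to_opt_in_out=False),
    Contact("C3", opt_out_of_direct_marketing=False, asked_to_opt_in_out=True),
    Contact("C4", opt_out_of_direct_marketing=False, asked_to_opt_in_out=False),
]

if __name__ == "__main__":
    migrated = migrate(SAMPLE_CONTACTS)
    for c in migrated:
        print(c.contact_id, c.marketing_consent.value,
              "marketing permitted:", marketing_permitted(c))
        print("   ", c.journal[-1])
    print(check_migration(migrated))
```

Running it shows only C3 as marketable; C1 and C2 are denied regardless of the Asked flag, and C4 stays at the Consent not asked default, so a mailing built on marketing_permitted() excludes it until Consent given is recorded.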
Automatic logging of consent changes
Changes to a contact's marketing status are automatically logged in the following places:
1. Contact record: the Marketing Consent menu shows the current status.
2. Activity Feed: after changing and saving marketing consent settings, the details of the change are shown in the Activity Feed.
3. Contact journal: an entry is added each time a Marketing Consent option is saved.
Contact Mailing & Event consent options
The option to subscribe, unsubscribe and opt out contacts from specific mailings and events is available from the contact record. These more granular options can be used to manage consent for specific types of communication and other processing activities.