Property finance and GDPR: what do I need to know?

A silent revolution is sweeping across the property industry. On May 25th, the European Union’s new General Data Protection Regulation, or GDPR, comes into force, triggering a tidal change in the way we collect data. Although similar in some ways to the previous UK Data Protection Act, GDPR is far more stringent. It brings the law into the 21st century and essentially gives back to British and European residents the power to decide how their personal information should be collected, treated and, where appropriate, rectified and deleted.

The implications for this are widespread and affect almost every industry. But how exactly might this impact the property industry? Here, we’ll take a look at the upcoming changes, and how they might affect your property business.

What is GDPR?

The key principles behind GDPR are accountability, transparency, appropriateness, security, and explicit consent.

Under the new rules, there are six reasons to process data lawfully: people allow you to do so (consent); you need the information to enter a contract; you need it to comply with the law (legal obligation); the data is clearly required for public interest (public task); or there is either a vital interest (e.g. protecting a life) or a legitimate interest (e.g. cyber security) at stake.  

When consent is your legal basis to collect data, you’ll now need a ‘positive opt-in’. This means that consumers must actively choose to let you gather their data, rather than using a pre-populated field or a pre-ticked box. Requests must also be clear and specific: ‘blanket’ consent is no longer acceptable. Instead, you need to tell consumers why you’re collecting their personal information — which should always be limited to what is strictly necessary for the purpose at hand — how long you’ll keep it for, and whether you’ll share it with other organisations (and if so, with whom). An important side note is that IP addresses also fall under personal data now, so if you provide free Wi-Fi in a property or at your offices, that’s another consideration to bear in mind.

Information must be handled and stored securely at all times and, should there ever be a breach, you now have a duty to report it no later than 72 hours after becoming aware of it. Consumers also have the right to find out who knows what about them, access any relevant data, have it amended and, in some cases, deleted. They can now obtain their personal information from you and re-use or transfer it elsewhere — the so-called ‘right to portability’ — and, in some circumstances, they have the right to restrict the use of their data or object to it altogether.

Comply — or pay

Unlike the previous Data Protection Act, the new regulation applies to both ‘controllers’ — those who decide what data to collect — and ‘processors’ — those who actually collect it. This means that, for example, a concierge or a property manager who has access to residents’ personal information will be liable if anything happens to it.

GDPR also requires many companies to appoint a data protection officer and imposes hefty fines for those who break the rules — the old cap of £500,000 has shot up to a whopping €20 million (about £17.6 million), or 4% of the preceding financial year’s total worldwide annual turnover (whichever is higher). Though this new cap is high, most infringements are unlikely to ever incur such a high penalty.

The opportunity behind the headlines

For all these reasons, GDPR has been labelled a marketer’s nightmare — but it’s actually a lot more manageable than it’s been made out to be.

According to law firm Mishcon de Reya, property industry operators won’t always need to obtain consent to process people’s data. As partner Adam Rose writes on the firm’s website, an estate agent can process some property buyers’ data “without expressly obtaining their consent.” Similarly, the Guild of Residential Landlords points out that consent won’t be necessary to carry out a credit check on prospective tenants, although you must inform them that you’ll be doing so.

Even when explicit consent is necessary, though — for example, for email marketing — GDPR can nonetheless provide a huge opportunity for property operators. Because you got rid of useless, duplicate or inaccurate information and are instead gathering data from people that have specifically allowed you to do so, your database immediately becomes a much more valuable asset. After all, it now contains contacts that are likely to be genuinely interested in your company and your products — essentially, qualified leads.

So, if you’re a property developer, you’ll be able to email consumers who explicitly want to hear from you, and are therefore likely to have an active interest in buying a new-build property within a reasonably short timeframe. Create a robust marketing strategy that can capitalise on this and you’ll underpin growth — as well as maximising your appeal in the eyes of prospective investors.

At a time when people are more sensitive about the use of their personal information, transparency in data management can also help to boost your reputation — just think how badly Facebook’s image was hit earlier this year when it turned out that the data of some 87 million users had been harvested and utilised, without people’s knowledge or consent, for political purposes.

In the run-up to GDPR, you’ll likely already have established your lawful bases for collecting information, made an inventory of the data you hold, obtained the appropriate consent, deleted or archived some records, amended your privacy notices and updated your collection, management, access and breach-reporting procedures. So why not step this up and introduce the very best data-handling practices that make your clients feel in control of their own privacy? This can help to build trust and strengthen your relationship with both existing and prospective customers — offering you the opportunity to gain the edge over your competition.

Get ready for the digital economy

Above all, though, GDPR can be the ultimate incentive for you to streamline, modernise and get ready to meet the challenges of the digital economy. Because it forces you to limit the risks linked to data protection and privacy, it’s the perfect prompt to ensure your cybersecurity is up to date. And because it makes you take stock of exactly what information you have at hand, who has access to it and what you’re doing with it, it allows you to experiment with fresh ideas and introduce new processes that help you make an even more effective use of data. So although GDPR is undoubtedly a compliance chore, it’s also your chance to spot and utilise untapped business opportunities.

At Qandor, we provide a friendly, driven environment for professionals who want to learn and share knowledge of the industry, and of how to progress through it with integrity. If you’re interested in discovering more property development insights, just head over to our Advice page.

Kevin Taylor