Not a day goes by without some ‘expert’ or other telling us about the 25th May ‘Deadline’ and of course the potential for a €20 million penalty for breaching the Regulations.
Having been around compliance for far too many years, it amuses and irritates me in equal measure!
Some older readers may remember the end of the world being 1991 when the Property Misdescriptions Act was introduced and how that was going to kill estate agency. Then we had the Millennium Bug! (How much did organisations pay out on that back in the day!) HIPS was the same. Money Laundering was another.
We all know none of them had much, if any, impact. Will GDPR be any different? No, it won’t.
We all know, or should know, why there is scaremongering over GDPR!
I have seen a quote for £8,000 + VAT that was given to a one-branch agent for getting them GDPR compliant. It is outrageous to think that is what’s required. The Millennium Bug definitely came to mind when I read that quote!
Here’s my take on it. There is not an agent in the UK that will ever be issued with a €20 million penalty. It is simply not possible! The figure is bandied around just to scare the living daylights out of agents. And, given the calls I have had from agents, it definitely has done that.
Furthermore, the concept of a 25th May deadline gives the impression that agents will be penalised on 26th May if they haven’t put everything in place to comply. This again is nonsense. No agent will be penalised on 26th May, even if they have done absolutely nothing to upgrade compliance.
Elizabeth Denham, the Information Commissioner, said in a statement, “I want to reassure those that have GDPR preparations in train that there’s no need for a Y2K level of fear. GDPR compliance will be an ongoing journey. It’s an evolutionary process for organisations.”
I believe that it is almost inconceivable that the Information Commissioner’s Officers will proactively enforce the legislation in the early stages, for a number of reasons –
Firstly, because they will not have the manpower or resources to do so. I know of only 3 agents that had ICO action taken against them under the Data Protection Act (DPA) in the past 5 or 6 years.
Secondly, the Regulation covers every single business in the EU that holds even a small amount of personal information about individuals, so does anyone really believe that little estate agency businesses will be anywhere near the top of any priority list? Of course they won’t.
Thirdly, there are multiple interpretation issues still to be resolved and more will arise as matters progress.
Lastly, and probably most important, the ICO have far bigger fish to fry than small estate agency businesses. We have all heard of the problems these large international organisations have had in the past with compliance with the DPA. They are the ones that need to worry, because surely the ICO will focus on them, if only because that is where the big penalties are lurking!
Look back at Anti-Money Laundering enforcement by HMRC. They only really had estate agents to think about, and who did they hit early on? The corporates. Why? Six-figure penalties!
I don’t want any agent to think that they can be complacent, because that would be trivialising the obligation changes, when they are important. I also do not want agents to think it will be fine to sit back and wait, because it won’t.
The biggest risk for agents will be email marketing and the potential for complaints to be made. If the correct route isn’t taken when consumers’ personal data is obtained, or when consumers tell agents they want to ‘opt out’ or be ‘forgotten’, it will leave agents open to a complaint. In these cases, you may be looking at paying compensation, so get that right. Oh, and watch out for the professional compensation chasers.
Implementing a set of basic changes over the next couple of months will get most agents into a reasonably compliant state, and this can be improved, where necessary, in the months that follow.
So here is my quick guide to get you on your journey:
· Carry out a compliance audit to identify weaknesses and failings
· Produce a GDPR policy document
· Make improvements to your processes and data security
· Ensure you have a fair processing notice, privacy statement and cookie policy on your website
· Have data usage statements in the right places
· Ensure consumers are opting in if you want to do anything with their data that they wouldn’t expect an agent to do
For expert advice contact us.