In this month's newsletter, I have briefly touched upon the Arla Property Mark article about General Data Protection Regulation (GDPR) changes from May 2018 and how it will affect property businesses. You can read their article here:
The way we handle data is changing
The way information is stored now must be clear and concise. If the website has a contact option, then it must state clearly and in simple terms what the data will be used for, and the data cannot be used outside of these remits.
Below I have highlighted key points to be aware of, but the ICO are constantly changing their live document, so it is worth keeping an eye on their site. The goalposts change regularly.
Be sure to check out the Information Commissioner's Office website ico.org.uk for up-to-date information.
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes.
There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.
Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent.
Public authorities and employers will need to take care to ensure that consent is freely given.
Consent must be verifiable, and individuals generally have more rights where you rely on consent to process their data.
Remember that you can rely on other lawful bases apart from consent – for example, where processing is necessary for the purposes of your organisation’s or a third party’s legitimate interests.
You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR.
But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard of being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.
If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.
Good practice has always been to include Opt-Out requests on all email communications and to use a double Opt-In system. But now you have a legal obligation to comply with these requests.
There must be explicit consent given to marketing communications – you can’t have pre-ticked boxes or assumed consent.
People have to know who will have access to that data, and what they are signing up for. This should be covered by your policies.
If you can show you have put steps in place to comply, the ICO will be less likely to fine companies upon inspection. For your own business, it is important to audit your processes and prepare.
Be prepared for the change. This PDF on preparing for the GDPR highlights 12 steps you should be taking now. Don’t get caught out.