General Data Protection Regulation is coming

Monday 17 July 2017

As of May 2018, General Data Protection Regulation (GDPR) will apply to all UK businesses.

After four years of preparation and debate, the EU General Data Protection Regulation was finally approved by the EU Parliament on 14 April 2016. Replacing the 1998 Data Protection Act, GDPR will come into force on 25 May 2018 and will directly apply to all European Union member states.

The GDPR has been designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.

With new elements to contend with, it could take months for UK businesses to get ready. That is why it is important to start putting measures into place now, to ensure that you and your business are prepared. Those who are non-compliant by the implementation date could face heavy fines.

What you need to know

This is the biggest shake-up to Data Protection since the introduction of the Data Protection Act in 1998, and whilst May 2018 may seem a long way off, it will be here before you know it. The key articles of the GDPR to be aware of are:

  • GDPR will apply to all UK businesses despite Brexit.
  • You must have a valid lawful basis in order to process personal data.
  • Companies will no longer be able to use long illegible terms and conditions full of jargon.
  • Customers will have the right to request confirmation as to whether or not personal data concerning them is being processed and for what purpose. When requested, companies are required to provide a copy of the personal data, free of charge, in an electronic format.
  • Customers have the right to request their data be removed and further distribution ceased in specific circumstances (e.g. where the individual withdraws consent).
  • The collection of online identifiers such as IP address, cookies and tags also falls under the remit of 'personal data'.
  • The use of external marketing agencies will require you to have an official written contract to ensure they are fully compliant with the new law.
  • Notifiable data breaches need to be reported to a data protection authority and the people affected within 72 hours, where feasible.

Companies that are not GDPR-ready by May can face fines of up to four per cent of their global annual turnover, and if a notifiable breach takes place and your agency does not inform the supervisory authority within 72 hours, you could be fined up to two per cent of your global annual turnover.

What you need to do

Map out which parts of the GDPR will have the greatest impact on your business model and give those areas due prominence in your planning process. Here are 11 steps to take now:

  • Inform the decision makers and key people in your organisation that the law is changing.
  • Document what personal data you hold, where it came from and who you share it with.
  • Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  • Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically in a commonly used format.
  • Update your procedures and plan how you will handle access requests and provide any additional information within the new timescales.
  • Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
  • Review how you seek, record and manage consent and whether you need to make any changes. You will need to refresh existing consents now if they don’t meet the new GDPR standard.
  • Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
  • Familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
  • Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
  • If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

Whatever stage of implementation you are at, the ICO has created a self-assessment toolkit to help you evaluate your level of compliance with the new data protection regulations, and find out which areas within your business you need to develop to get ready for GDPR.