The EU Privacy Laws, also known as the General Data Protection Regulation (GDPR), will go into effect on May 25th, 2018. This rule may seem like it shouldn’t impact you because your real estate website is based in the United States. However, it has a rather profound impact on your company and your real estate website.
This video features Meg White from REALTOR Magazine discussing the GDPR with Finley Maxson, NAR Senior Counsel, and Liz Sturrock, NAR Vice President of Information Technology. Many of the questions you may be asking are answered within the video.
- What are the EU Privacy Laws?
- How is the GDPR Different?
- Best Practices for Compliance with the GDPR
- Make sure Your Vendors are in Compliance
- Penalties for Non-Compliance
- What to do if there’s a Data Breach?
- Does the GDPR Impact how Real Estate Companies Target United States Residents?
- New Rights of European Residents Under the GDPR
- Defining Personal Data
- The Bottom Line
What are the EU Privacy Laws?
The EU Privacy Laws, or GDPR, are a new regulation replacing the old Data Protection Directive 95/46/EC. The regulation was debated for about four years before final approval was granted by the EU Parliament on April 14th of 2016. It is designed to harmonize the laws governing data privacy across Europe.
How is the GDPR Different?
The GDPR changes the way websites will be able to collect and use data. Right now, when a visitor shows up and uses your website, they are giving what’s known as implied consent. However, the EU Privacy Laws will change the way consent is given.
The reason the GDPR will impact United States real estate businesses is the protection it provides. This new regulation doesn’t care where the business or the owner of the website is located; it cares about the user. If the person is an EU resident, the GDPR applies.
Best Practices for Compliance with the GDPR
Most real estate companies will have to change the way they handle consumer information. The first step will be to figure out where this information is stored and how to locate it.
It’s necessary to speak with your entire staff and all your associates to ensure you have a full accounting of all the data you have and where it’s currently stored.
Achieving compliance doesn’t have to be difficult. At first, you will likely add a pop-up window or a “lightbox” feature to your website asking the user to give consent. This is an easy way to ensure you’re in compliance moving forward.
In addition, website owners will need to add a form to their website to offer the option for EU residents to be forgotten. This can also be accomplished by providing an email address where you can be contacted if a user wants to be forgotten.
Your vendors are also important as you’re liable for how they use the data they collect from your website. Make sure your vendors will be complying with these new rules.
Make sure Your Vendors are in Compliance
Since website owners will be liable for the activities of their vendors, it’s important to make sure they are in compliance. Marketing companies love to use personal data and sensitive personal data for marketing.
Sensitive personal data includes:
- Racial or ethnic data
- Political opinions
- Religious and philosophical beliefs
- Trade union memberships
- Genetic data
- Health data
- Sex life and sexual orientation
Be sure your marketing team won’t be improperly using any data collected on your website.
Then, if you use forms, ask if the person is an EU resident at the very beginning of the form. If they are, you will know this data needs to be handled in a certain way.
Penalties for Non-Compliance
If you don’t become compliant, you may face very stiff penalties. An organization in breach of the GDPR may be fined up to 4% of its annual global turnover or 20 million pounds. This is the maximum fine and will likely be reserved for the most serious infringements, such as not having the customer’s consent to process their data.
The fines used for non-compliance use a tiered approach. For example, a company may only be fined 2% if they don’t have their records in order. These rules apply to both processors and controllers.
What to do if there’s a Data Breach?
What happens if you’re hacked or someone steals consumer data from your website? If this happens, and you have EU resident data as a part of the stolen data, you have 72 hours to contact the authorities for each country where users reside.
Does the GDPR Impact how Real Estate Companies Target United States Residents?
The short answer is no, but there’s more to it than just saying it doesn’t impact the way you target residents of the U.S. Both Sturrock and Maxson agreed in the video that the GDPR is the way data privacy and security is headed. It’s better to become compliant now and not have to worry about it later as states or the federal government start to change the way data privacy is handled in the United States.
New Rights of European Residents Under the GDPR
When the EU Privacy Laws go into effect on May 25th, 2018, EU residents will have new rights including:
- The Right to be Forgotten – This right allows EU residents to ask a website or company to remove the data it holds about them. If someone requests this removal, you will have to find their data and dispose of it. This includes cookies, IP addresses and other data collected for analytics.
- The Right to Data Portability – This right allows an EU resident to request the data you have on them and you must provide it.
- The Right of Access – This right allows an EU resident to ask a business if they have data on them, and if they do, the business must inform them of the data.
- The Right of Restriction of Processing – This right allows EU consumers to give permission to a business to store data, but they can also ask that the business doesn’t use that data.
- The Right to Rectification – This right allows an EU consumer to review their data and have any errors corrected.
Defining Personal Data
In order to remain compliant with the GDPR, it’s important to define personal data. Any information about the person or related to the person is considered to be personal data. If the data can be used to indirectly or directly identify the person it’s considered personal data. This may include a picture, bank details, medical information, a computer IP address, an email address, a name or even posts on a social networking website.
The Bottom Line
When it comes to the GDPR, it’s important to make sure you’re in compliance. Watch the video above and make sure you take the steps now to become compliant. Don’t wait until it’s too late.
If you have a plan in place and you’re working on becoming compliant, but you don’t get there by May 25th, keep working on becoming compliant. The sooner you can comply with the GDPR, the easier things will be moving forward.