How to Comply With New Data Security Rules
April 25, 2018
The effects of a European Union rule that aims to strengthen data privacy and security will be far-reaching, having implications for how businesses across the world—including U.S. real estate brokerages—collect and manage customer information.
The General Data Protection Regulation, or GDPR, takes effect May 25. Because the new rule governs how all websites and businesses treat the data belonging to EU residents, the rule applies to organizations across the world, regardless of whether they do business outside the United States. The National Association of REALTORS® held a Facebook Live discussion Tuesday to help brokerages, associations, and MLSs prepare for the upcoming deadline.
“It kind of changes the way the internet used to work,” NAR Senior Counsel Finley Maxson told the Facebook Live audience, noting that website operators will need to proactively ask visitors for permission to collect their data. “Originally, the internet was opt-out. Now companies have to get individuals’ consent to collect their data, and they have to tell them how they’re going to use it.”
The GDPR covers anyone who is a European resident, regardless of citizenship. The penalties for violating the rule are significant: For serious infractions, companies could be fined 20 million euros (or nearly $24.5 million), or 4 percent of their worldwide annual revenue for the prior financial year—whichever is higher.
The GDPR gives European residents more authority over their personal data, including:
- The “right to be forgotten,” which allows EU residents to ask that their personal data be removed from online repositories. This means you need to know how to locate data you store about web visitors and customers—including passively collected data like cookies and IP addresses used for analytics—and how to delete it, including the copies that link an analytics record back to a person through a cookie or an IP address.
- The “right of access” dictates that businesses must confirm whether they store data about a particular consumer if that consumer asks.
- The “right of rectification” gives consumers the ability to review their data and request corrections if the data is wrong.
- The “restriction of processing” lets consumers require that you keep their data stored but stop using it in any other way, for example while they dispute its accuracy.
- The “right to data portability” allows consumers to receive the data they gave you in a structured, commonly used, machine-readable format (such as CSV or JSON) so they can take it to another provider, without asking for it to be deleted.
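The rights above all reduce to the same engineering problem: given one person's identifier, find every record tied to them across every store, hand it back in a machine-readable form, and erase or redact it on request. The following Python handler is an added example, not code from the NAR session or article; the CRM, cookie map and analytics log it operates on are constructed sample data (all names, addresses and identifiers are invented), and the record formats are assumptions chosen for illustration.

```python
"""Data-subject request handler over three constructed stores: a CRM, a
cookie-to-customer map, and a web-analytics log that records IP addresses.
Added example; none of the data below is real."""
import json
import re
from typing import Dict, List

# Assumed analytics line format: "<ip> <cookie-or-dash> <method> <path>"
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<cookie>\S+) (?P<method>\S+) (?P<path>\S+)$")


def sample_stores() -> Dict:
    """Constructed sample data; every call returns a fresh copy."""
    return {
        "crm": {
            "c-1001": {"name": "Ada Example", "email": "ada@example.eu"},
            "c-1002": {"name": "Bob Example", "email": "bob@example.com"},
        },
        # Cookie ID -> customer ID, recorded when a visitor logged in.
        "cookies": {"ck-7f3a": "c-1001", "ck-9b21": "c-1002"},
        # Passively collected analytics; IP addresses are documentation ranges.
        "analytics": [
            "203.0.113.7 ck-7f3a GET /listings/42",
            "203.0.113.7 - GET /",                 # same IP, before login
            "198.51.100.9 ck-9b21 GET /listings/7",
            "203.0.113.7 ck-7f3a GET /contact",
        ],
    }


def locate(stores: Dict, email: str) -> Dict[str, List]:
    """Right of access: collect everything tied to the subject, following
    identifiers from the CRM into the passive data (customer id -> cookie
    id -> IP address) so that analytics records are not missed."""
    cust_ids = sorted(cid for cid, rec in stores["crm"].items()
                      if rec["email"].lower() == email.lower())
    cookies = sorted(ck for ck, cid in stores["cookies"].items() if cid in cust_ids)
    ips = set()
    for line in stores["analytics"]:
        m = LOG_RE.match(line)
        if m and m.group("cookie") in cookies:
            ips.add(m.group("ip"))
    hits = []
    for line in stores["analytics"]:
        m = LOG_RE.match(line)
        # Matching on IP alone can over-collect on shared addresses; a real
        # handler would bound this by the session's time window.
        if m and (m.group("cookie") in cookies or m.group("ip") in ips):
            hits.append(line)
    return {
        "customer_ids": cust_ids,
        "crm": [stores["crm"][c] for c in cust_ids],
        "cookies": cookies,
        "ips": sorted(ips),
        "analytics": hits,
    }


def export_portable(stores: Dict, email: str) -> str:
    """Right to data portability: the same report as JSON, a structured,
    commonly used, machine-readable format."""
    return json.dumps(locate(stores, email), indent=2, sort_keys=True)


def erase(stores: Dict, email: str) -> Dict[str, int]:
    """Right to be forgotten: delete CRM and cookie records outright and
    strip the identifying fields from analytics lines so aggregate page
    counts survive without pointing at a person. Returns counts per store."""
    found = locate(stores, email)
    for cid in found["customer_ids"]:
        del stores["crm"][cid]
    for ck in found["cookies"]:
        del stores["cookies"][ck]
    to_redact = set(found["analytics"])
    redacted = 0
    new_log = []
    for line in stores["analytics"]:
        if line in to_redact:
            m = LOG_RE.match(line)
            new_log.append(f"- - {m.group('method')} {m.group('path')}")
            redacted += 1
        else:
            new_log.append(line)
    stores["analytics"] = new_log
    return {"crm": len(found["customer_ids"]),
            "cookies": len(found["cookies"]),
            "analytics": redacted}


if __name__ == "__main__":
    s = sample_stores()
    print(export_portable(s, "ada@example.eu"))
    print(erase(s, "ada@example.eu"))
    print(locate(s, "ada@example.eu"))
```

Two design choices worth noting: the locate step walks identifier links rather than searching for the e-mail string alone, because the cookie and IP records that tie a visit to a person never contain the e-mail; and erasure redacts analytics lines instead of deleting them, which removes the personal data while keeping the page-level statistics the business may still need.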
Updating Your Practices
The first step for any organization is to figure out what consumer information is being stored and where it’s located. “To know what data you have on consumers, you need to do a data inventory,” Liz Sturrock, NAR’s vice president of information technology, told livestream viewers. She suggested brokers and other leaders reach out to all staff and associates to ensure the company has a full accounting of any personal information that might be stored across departments.
You also need to make sure that your vendors comply with these rules. Many tech companies are already in or working toward compliance, but it’s important to check. “Engage your vendors today. Start talking to them about what they’re doing to prepare for GDPR and what you need to do to ensure their product works safely,” Sturrock said.
Another GDPR requirement is breach notification: a company that becomes aware of a breach affecting personal data must notify the relevant supervisory authority within 72 hours of first becoming aware of it, and must also tell the affected individuals without undue delay when the breach is likely to put them at high risk. “If you do have EU residents’ data, you must provide notice to an authority in each country” where users are affected, Maxson told the audience.
Both Maxson and Sturrock noted that the GDPR does not apply to the way real estate pros target their marketing to American residents. But given the direction of data privacy and security, Sturrock advised practitioners to begin making efforts to comply right away: “Start the work. If you can’t be compliant by May 25, keep working your plan and showing that you’re making a good-faith effort to comply. Don’t ignore it.”
Even if website operators could somehow prove that none of the information they gather is related to any resident of the EU, it’s possible the United States will institute a similar rule. Sturrock noted that adoption of such a rule in the U.S. depends on the administration in power, but “having laws within the U.S. to help govern this would help protect everyone in the long run.”
Updated: November 19, 2018