How to Comply With New Data Security Rules

April 25, 2018

The effects of a European Union rule that aims to strengthen data privacy and security will be far-reaching, having implications for how businesses across the world—including U.S. real estate brokerages—collect and manage customer information.

The General Data Protection Regulation, or GDPR, takes effect May 25. Because the new rule governs how all websites and businesses treat the data belonging to EU residents, the rule applies to organizations across the world, regardless of whether they do business outside the United States. The National Association of REALTORS® held a Facebook Live discussion Tuesday to help brokerages, associations, and MLSs prepare for the upcoming deadline.

“It kind of changes the way the internet used to work,” NAR Senior Counsel Finley Maxson told the Facebook Live audience, noting that website operators will need to proactively ask visitors for permission to collect their data. “Originally, the internet was opt-out. Now companies have to get individuals’ consent to collect their data, and they have to tell them how they’re going to use it.”

The GDPR covers anyone who is a European resident, regardless of citizenship. The penalties for violating the rule are significant: For serious infractions, companies could be fined 20 million euros (or nearly $24.5 million), or 4 percent of their worldwide annual revenue for the prior financial year—whichever is higher.

Updating Your Practices

The first step for any organization is to figure out what consumer information is being stored and where it’s located. “To know what data you have on consumers, you need to do a data inventory,” Liz Sturrock, NAR’s vice president of information technology, told livestream viewers. She suggested brokers and other leaders reach out to all staff and associates to ensure the company has a full accounting of any personal information that might be stored across departments.

Under these new rules, businesses will be responsible for notifying online visitors of their rights, which means most will have to change their websites’ terms of use. Most site administrators have been using what’s known as “implied consent,” but now they’ll have to shift to “affirmative consent.” “It used to be that internet users automatically agreed to the terms of use by simply visiting the website,” Maxson explained. But now sites have to explicitly ask for consent, most often through a pop-up window or “lightbox” feature.

In addition to asking web visitors to actively demonstrate that they agree to your terms of use, Sturrock suggests finding ways to make it easy for EU residents to exercise their new GDPR rights. “Put a web form on your website offering visitors the opportunity to be forgotten,” Sturrock suggested, “or put up an email address where they can contact you.”

You also need to make sure that your vendors comply with these rules. Many tech companies are already in or working toward compliance, but it’s important to check. “Engage your vendors today. Start talking to them about what they’re doing to prepare for GDPR and what you need to do to ensure their product works safely,” Sturrock said.

Another GDPR requirement is that companies must report data breaches to the appropriate authorities, and must do so within 72 hours of first becoming aware of a leak that has affected customer information. “If you do have EU residents’ data, you must provide notice to an authority in each country” where users are affected, Maxson told the audience.

Both Maxson and Sturrock noted that the GDPR does not apply to the way real estate pros target their marketing to American residents. But given the direction of data privacy and security, Sturrock advised practitioners to begin making efforts to comply right away: “Start the work. If you can’t be compliant by May 25, keep working your plan and showing that you’re making a good-faith effort to comply. Don’t ignore it.”

Even if website operators could somehow prove that none of the information they gather is related to any resident of the EU, it’s possible the United States will institute a similar rule. Sturrock noted that adoption of such a rule in the U.S. depends on the administration in power, but “having laws within the U.S. to help govern this would help protect everyone in the long run.”

—REALTOR® Magazine