The General Data Protection Regulation legislation coming into effect in the UK on May 25 has undergone some subtle changes which will affect the property sector, according to one of the industry’s leading law firms.
Adam Rose, a partner in the Mishcon de Reya law firm, has outlined the changes in a newsletter to clients, which may prove useful to Estate Agent Today readers.
Firstly, Rose says the definition of ‘personal data’ has been clarified by the authorities to suggest that it not only covers names, addresses and telephone numbers, but also IP addresses and other online identifiers.
“So if you provide free WIFI in your building, and collect the IP addresses of all users, this will be caught by the GDPR,” he says.
Secondly, it was previously thought that GDPR particularly applied to ‘data controllers’ but it is now clear that ‘data processors’ are affected too - in other words, those individuals who process the data.
Rose writes: “So if a property manager is given the contact details of every person working or living in a building, or has the record of every person's entry and exit in the building, they will be caught by the GDPR.”
Thirdly, Mishcon draws upon additional information revealed by the UK’s data regulator, the Information Commissioner’s Office, concerning consent for the use of personal data.
Rose writes that it is a common misconception that businesses always need consent to process personal data. “In fact”, he says, “they can rely on one of probably three other lawful bases for processing personal data. Most importantly, they might have a legitimate interest in processing the data, which is not outweighed by the individual's data rights.”
He goes on to say that, for example, “an estate agent instructed to sell a property can process data relating to people looking to buy properties without expressly obtaining their consent. Indeed, to force them to consent to processing before agreeing to share property particulars with them might mean the consent was not freely given.”
He continues: “Consent, however, is required for direct email and SMS marketing – unless a limited exemption applies. That limited exemption is where a business has collected personal contact details in the course of a sale of goods or services, it may send electronic marketing to that person for its same or similar goods or services. That is known as the ‘soft opt-in’.”
Rose also says an additional myth surrounding the penalties related to GDPR needs to be ‘busted’. This concerns the level of fines, which have been described as being as high as €20m.
“That is theoretically true but the ICO has tried - perhaps somewhat unsuccessfully given the myth continues – to dampen down that fear” says Rose, adding that following liaison with the Information Commissioner he would expect fines to reach £1m or £2m “for really serious breaches, but not to go beyond that for some time”.
“Consent, however, is required for direct email and SMS marketing – unless a limited exemption applies. That limited exemption is where a business has collected personal contact details in the course of a sale of goods or services, it may send electronic marketing to that person for its same or similar goods or services. That is known as the ‘soft opt-in’.”
This statement contradicts everything that I have learned so far on GDPR, which says that express permission is required to retain a customer's details for marketing purposes. Anyone have any further insight on this?
This is part of the information from the ICO regarding the soft opt-in for existing customers.
Existing customers: the ‘soft opt-in’
131. Although organisations can generally only send marketing texts or emails with specific consent, there is an exception to this rule for existing customers, known as the ‘soft opt-in’. This means organisations can send marketing texts or emails if:
- they have obtained the contact details in the course of a sale (or negotiations for a sale) of a product or service to that person;
- they are only marketing their own similar products or services; and
- they gave the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that.
“So if you provide free WIFI in your building, and collect the IP addresses of all users, this will be caught by the GDPR” he says.
My understanding is: you only get an IP address when you connect to a network. So on 4G you will have an IP that O2, for example, will have given you. When you connect to a wifi network it will give you 192.168.0.2, for example. It would only log the IP address it gives you, not your 4G IP address. So my understanding is, this statement is not correct.
Collecting IP addresses is in GDPR, but you visiting a website and them collecting your IP address is one example.