NEW EU GDPR REGULATIONS COME INTO FORCE LATER THIS MONTH, WHICH WILL AFFECT THE WAY THAT AGENTS AND OWNERS STORE AND PROCESS THE PERSONAL DATA OF EU CITIZENS. IS THE DATA IN YOUR PROPERTY MANAGEMENT SOFTWARE GDPR COMPLIANT?
AT 365VILLAS WE WANT TO ENSURE OUR CLIENTS ARE PREPARED FOR THE NEW LEGISLATION AND HAVE PUT TOGETHER THE FOLLOWING GUIDELINES TO CHECK THAT YOUR DATA IS COMPLIANT.
Before we start, let’s just remind ourselves what GDPR is all about…
The EU’s General Data Protection Regulation (GDPR) is designed to give people more control over how organisations use their data. The regulations overlap with the Privacy and Electronic Communications Regulations (PECR), which cover the use of cookies and electronic marketing communications, e.g. email. Each EU country has a different governing body for GDPR. In the UK, GDPR will replace the Data Protection Act 1998 and will be enforced by the Information Commissioner’s Office (ICO), which has powers to impose hefty penalties of up to €20 million or 4% of annual turnover (whichever is higher) on organisations that fail to comply with the rules. The fines also extend to organisations that suffer serious data breaches.
GDPR doesn’t just affect large companies. If you have a website or hold any personal information of an EU citizen (including name, email address, phone numbers etc) such as your guests, suppliers and / or employees, you have to be compliant.
In a nutshell, GDPR means you have an obligation to:
- Be clear about the lawful basis upon which you are storing or processing the personal data and only use it for the purpose for which consent was given. There are 6 types of lawful basis (consent, contract, legal obligation, vital interests, public task or legitimate interest). For marketing purposes the basis is usually either consent or contract.
- If you don’t have a lawful basis or permission upon which to store and process personal data, you will no longer have the right to use it for marketing purposes after the 25th May 2018, and the data should be erased.
- Ensure you get (or, in the case of older data, have) agreement, in a GDPR compliant format, from the individual for you to store the data, and communicate (via privacy notices and help text) how you will process the data collected, including the rights of the individual to access, remediate or erase the data.
- If you are collecting personal data for more than one purpose, gain separate consent (unbundled and freely given) for each purpose and have a clear, auditable process for recording (and storing) the date and method of consent.
- Only hold the data you actually need and only store it for as long as you need it.
- Keep the information secure and, in the event of a serious data breach, notify the ICO within 72 hours
- If you process the data of under-18s, have systems in place to verify individuals’ ages and obtain parental or guardian consent for any data processing activity of individuals under the digital age of consent (in the UK, the digital age of consent is 13 years old and over).
Under PECR, meanwhile, you have an obligation to give people privacy rights in relation to electronic communications. PECR includes specific rules on:
- Marketing calls, emails, texts and faxes;
- Cookies (and similar technologies);
- Keeping communications services secure; and
- Customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
The rules on electronic mail marketing are in regulation 22. In short, you must not send electronic mail (email) marketing to individuals, unless:
- They have specifically consented to electronic mail from you.
- They are an existing customer who bought (or negotiated to buy, eg by providing a quotation) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent.
Additionally, you must not disguise or conceal your identity, and you must provide a valid contact address so they can opt out or unsubscribe.
For the purpose of this article we have focused on the implications of GDPR (and PECR) for your marketing databases, to give you clear recommendations about what you need to do before May 25, 2018.
Note: please be aware that you probably store, process and use personal data in multiple places other than just in your 365villas property management software, including your website, CRM software, accounting software, payroll software, in offline printed formats and more. You need to be aware, under GDPR, that you have an obligation to only process and store personal data where you have explicitly been given permission to do so, or where you have a legal obligation. When you no longer need (or have to) store personal data, it should be erased. The process of cleansing the data you hold that we describe below for your email marketing can be applied to any data that you hold.
To read our recommendations about making your website GDPR compliant click here.
OK, SO YOU UNDERSTAND THE RULES. WHAT CAN YOU DO TO GET YOUR DATABASES GDPR COMPLIANT BY MAY 25, 2018?
Start by identifying any records where you don’t need consent. Namely:
1. Any non-EU individual (although be aware other regions are looking at similar legislation)
2. Any non-personal business email addresses, eg info@
3. Any previous customers
4. Any individual that has asked you to do something before entering into a contract (eg provide a quote)
Under GDPR you can rely upon ‘contract’ as the lawful basis for processing someone’s personal data when you need to use that data in order to fulfil your contractual obligations or when you have been asked to do something before entering into a contract (eg provide a quote). The same principle applies with PECR. You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning for the purpose of using their data to send marketing communications. Just remember:
- If a personal or non-personal email has previously been unsubscribed, you do not have consent to continue emailing them
- Where you have a lawful basis to send emails, keep your emails relevant, restricting your mailings to similar products or services to those previously purchased (or where you have provided a quote) or to the service / mailing list the individual subscribed to.
- Always include an unsubscribe option in each email you send.
- You should hold a suppression file of hard-bouncing emails and emails that have opted out, and should ensure that unsubscribe links work.
Under GDPR and PECR, the resulting lists can be used for email marketing purposes. Provided you respect and record unsubscribe requests, keeping your lists clean, you have every right to continue sending marketing emails to this group.
Divide the rest between consented and non-consented emails
For other emails on your list, look through your records and see if there is any evidence that consent has been previously given and divide the remaining list into:
- Consent is provided that is GDPR-compliant
- Consent is provided but is not GDPR-compliant.
- Consent is not provided or has been removed
Let’s take each of these in turn.
1. Consent is provided that is GDPR-compliant
If you have a list of emails that have provided consent to a GDPR standard, you can continue to send marketing emails to this list. We recommend that you continually cleanse and validate the list to make sure it is up-to-date by:
- Check the addresses using an email address checker to ensure you have accurate information and to reduce bounce rates. There are several websites that provide this service, including Brite Verify.
- Screen against the CTPS register for opt-outs. Note: If you have a prior existing relationship with a customer, you do not have to screen the data but take care with very old records as they may not even remember you!
2. Consent is provided that is not GDPR-compliant
For this group, you have until May 25, 2018 to get their consent, so you can continue to send email marketing communications to them. You can obtain consent by running re-permission email campaigns (read our blog article about re-permissioning campaigns here). Don’t limit yourself to emails; to regain permission, you can call them, text them, contact them via social media and even write to them to regain their permission.
Don’t forget: If you do NOT get their permission by May 25th, you have no lawful basis upon which you can store this data and should erase these records.
3. Consent is not provided or has been removed
If you do not have consent to email individuals under GDPR and PECR, you should consider speaking to them rather than emailing them. You can:
- Undertake ‘customer care’ calls to your customers to establish and categorise their status and to tidy up your database, e.g.
  - Dormant customers can be retrieved through incentives and simply through some love and attention
  - Lapsed customers that have gone elsewhere (offers to tempt them back?)
  - No longer trading/out of business
- Start by segmenting individuals by value (or potential value) and, to maximise your return, start at the top of the list!
- Whilst on the call, gather opt-ins to further marketing (especially relevant if you gathered their information about a particular sale and you want to offer them something completely different)
- Append data that is missing from the database
- Gather preferences for contact, e.g. by email, phone, post, etc
- Record the date and method of any permission you obtain so that you have an audit trail
If you do NOT get permission by May 25th for this group of emails, you have no lawful basis upon which you can store this personal data and should delete these records.
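As an added illustration (not part of the 365villas article or its software), the triage described above can be written as a small rule set: each record is checked against the suppression file first, then for a lawful basis that needs no consent (non-EU, generic business mailbox, previous customer or quote), then by consent quality, and anything still lacking a lawful basis is queued for re-permission before the deadline and for erasure on or after it. The Contact fields, the generic mailbox prefixes and the sample records are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

DEADLINE = date(2018, 5, 25)  # GDPR application date given in the article
GENERIC_MAILBOXES = {"info", "sales", "office", "enquiries"}  # assumed non-personal prefixes
@dataclass
class Contact:
    email: str
    eu_resident: bool = True
    contract_basis: bool = False       # bought, or asked for a quote (contract basis)
    consent_date: Optional[date] = None
    consent_method: str = ""           # how consent was obtained, for the audit trail
    consent_gdpr_compliant: bool = False
    suppressed: bool = False           # unsubscribed or hard-bounced (suppression file)
def classify(c: Contact) -> str:
    if c.suppressed:                   # an opt-out overrides any lawful basis
        return "suppress"
    generic = c.email.split("@", 1)[0].lower() in GENERIC_MAILBOXES
    if not c.eu_resident or generic or c.contract_basis:
        return "no_consent_needed"
    if c.consent_date is None:
        return "no_consent"
    if c.consent_gdpr_compliant and c.consent_method:
        return "consent_compliant"
    return "consent_noncompliant"

def triage(contacts: List[Contact], today: date) -> dict:
    out = {"mailable": [], "repermission": [], "erase": [], "suppressed": []}
    for c in contacts:
        seg = classify(c)
        if seg == "suppress":
            out["suppressed"].append(c.email)
        elif seg in ("no_consent_needed", "consent_compliant"):
            out["mailable"].append(c.email)
        elif today < DEADLINE:
            out["repermission"].append(c.email)  # re-permission campaign, or call them
        else:
            out["erase"].append(c.email)          # no lawful basis after the deadline
    return out
# Constructed sample records (not real guest data).
SAMPLE = [
    Contact("guest1@example.com", contract_basis=True),
    Contact("info@example.org"),
    Contact("guest2@example.com", consent_date=date(2017, 3, 1),
            consent_method="web form, unbundled checkbox", consent_gdpr_compliant=True),
    Contact("guest3@example.com", consent_date=date(2015, 6, 1), consent_method="pre-ticked box"),
    Contact("guest4@example.com"),
    Contact("guest5@example.com", contract_basis=True, suppressed=True),
]
```

Running triage(SAMPLE, ...) with a date before the deadline puts guest3 and guest4 in the re-permission queue; on or after the deadline the same two records move to the erase list.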
Email marketing after May 25th, 2018
By following the steps above, you will have a fully compliant email list by May 25th, 2018.