Not a day has gone by without some ‘expert’ or other telling us about the GDPR May 25 ‘deadline’ and of course the potential for a €20m penalty for breaching the Regulations.
Having been around compliance for far too many years it amuses and irritates me in equal measure, because it happens every time there is any new legislation.
Here’s my take on it. There is not an agent in the UK that will ever be issued with a €20m penalty. It is simply not possible! The figure is bandied around just to scare the living daylights out of businesses. And, given the calls I have had from agents, it has definitely done that.
Furthermore, the concept of a May 25 deadline gives the impression that agents will be penalised on May 26 if they haven’t put everything in place to comply. This again is nonsense. No agent will be penalised on May 26, even if they have done absolutely nothing to upgrade compliance.
Elizabeth Denham, the Information Commissioner, said in a statement: “I want to reassure those that have GDPR preparations in train that there’s no need for a Y2K level of fear. GDPR compliance will be an ongoing journey. It’s an evolutionary process for organisations.”
I believe that it is almost inconceivable that Information Commissioners Officers will proactively enforce the legislation in the early stages for several reasons.
First, because they will not have the manpower or resources to do so. I know of only three agents that had ICO action taken against them under the Data Protection Act in the past five or six years.
Secondly, the Regulation covers ever single business in the EU that holds even a small amount of personal information about individuals, and so does anyone really believe that little estate agency businesses will be anywhere near the top of any priority list? Of course, they won’t.
Thirdly, there are multiple interpretation issues still to be resolved and more will arise as matters progress.
Lastly and probably the most important is that the ICO have far bigger fish to fry than small estate agency businesses.
We have all heard of the problems these large international organisations have had in the past with compliance to the Data Protection Act. They are the ones that should worry, because surely, the ICO will focus on them – if only because that is where the big penalties are lurking!
Look back at Anti-Money Laundering enforcement by HMRC. They only really had estate agents to think about and who did they hit early on? The corporates. Why? Big penalties!
I don’t want any agent to think that they can be complacent, because that would be trivialising the obligation changes, when they are important. I also do not want agents to think it will be fine to sit back and wait, because it won’t be.
The biggest risk for agents will be email marketing and the potential for complaints to be made. If the correct route isn’t taken when consumers’ personal data is obtained or when consumers tell agents they want to ‘opt out’ or be ‘forgotten’, it will leave agents open to a complaint. In these cases, you may be looking at paying compensation, so get that right. Oh, and watch out for the professional compensation chasers.
Given the points made above I do not believe that 100% compliance is possible currently, but implementing a set of basic changes over the next couple of months will get most agents into a reasonably compliant state and this can be improved, where necessary, in the months that follow.
With this in mind Compliance-Matters have put together a compliance pack specifically aimed at agents. It includes an audit form to complete, which gives advice where a non-compliance is indicated. It also includes several template documents and clauses for agents to adapt to fit with their business model, including a policy template.
Article by David Beaumont Property Industry Eye Published 22nd March 2018
David Beaumont runs EYE’s free compliance helpline and heads up Compliance-Matters, a business specialising in providing compliance services to agents on the many requirements agents must meet