GDPR FAQs for Realtors with websites
In exactly one week, the European Union's new data laws go into effect. Here's what REW clients need to know...
What is GDPR?
GDPR is the acronym for General Data Protection Regulation, which is a series of laws that will go into effect in one week, on May 25, 2018.
GDPR tackles 7 different principles of data collection and protection, a few of which apply directly to real estate sites:
- Principles relating to the processing of personal data
- Lawfulness of processing
- Conditions for consent
Simply put, GDPR wants to ensure that businesses are collecting personal data in a way that is accurate, ethical and responsible, and that personal data is kept safe and confidential at all times.
What are the rules of GDPR?
Until legal precedents are set, we can't know the minutia of what's compliant and what isn't. However, GDPR has put together some fairly clear guidelines on what a website owner can and can't do when collecting the personal data of European.
Let's talk about a few of the bigger examples:
Transparent data collection
Companies collecting personal data have to clearly explain how their data will be used. Blanket terms and generic statements aren't enough—if you're going to share data with a lender, your consent disclaimer must explicitly state that you'll be sharing data with lenders.
Right of access
This section of the GDPR dictates that people have the right to know what data you've collected, including the source and details of data collected elsewhere, as well as who you have shared that information with.
Right to erasure
Also known as the "right to be forgotten", companies must promptly delete all data stored about a person, upon their request. For example, if a lead asks you to delete their contact information, you must fully remove them from your system and be able to prove that you have done so.
Right to object
According to GDPR, people also have the right to opt out of your direct marketing at any time. If a lead asks you to stop using their data for your marketing tactics, you need to respect that and never market to them again.
The GDPR is a particularly comprehensive set of rules and regulations that took over four years to perfect. There are a lot of details that need to be considered when collecting, storing, and sharing personal data under the GDPR.
If you're marketing to Europeans, it's critical that you do your research on all the rules and restrictions of GDPR. You can get started by viewing the General Data Protection Regulation PDF here.
Does GDPR apply to my REW real estate site?
Probably not. In order for the GDPR to apply, you need to be actively marketing or selling to people within the EU and collecting their data. Because most of our clients are based in North America and don't target European countries, GDPR compliance isn't necessary, even if European leads register on the site.
Of course, there are exceptions. GDPR likely will apply to you if:
- You sell European properties, or
- You market to international buyers
For example, if you create a PPC landing page that talks about why Europeans should buy in your state, GDPR applies. If your business tries to get business from European buyers or sellers, you'll need to ensure your site is GDPR compliant.
How do I know if my website is compliant?
The best way to confirm GDPR compliance is to hire an expert. There are many companies that specialize in reviewing a website's compliance and then making recommendations.
For those who prefer a DIY approach, Microsoft has put together a series of three assessments that you can use to determine where you're at and how you should improve. You can find Microsoft's GDPR assessments here.
What are the consequences of violating GDPR?
The lawmakers behind GDPR want companies to take data protection seriously and have therefore imposed serious fines that will sting a business of any size. A company can be fined up to $30 million or 4% of annual revenue—whichever amount is higher.
Do European laws actually apply to me?
International law is complex. One of the greatest debates of the modern world is who has the jurisdiction to regulate and enforce rules across the internet. While a lawsuit can certainly be filed against someone in another country, it's unclear what the repercussions would be if you didn't comply. But then again, do you really want to find out?
Where can I learn more?
There are lots of places you can learn more about GDPR. Here are a few resources to get you started: