GDPR and real estate websites - some things to look for

A rep asked me today about GDPR and what is required to be “GDPR compliant”.

It’s a pretty deep topic, and there are a lot of things that have nothing to do with websites, but I’m happy to provide some context on what you should be looking for from a “website” perspective.

First - what is GDPR? It stands for General Data Protection Regulation.

It’s an EU standard that regulates the use of customer data “specific to the EU” (it is NOT an American or Canadian standard, nor do you need to worry about GDPR if you are not doing any business with or capturing any data from citizens of the EU).

Where people get confused on this, though, is that it’s not about “where you do business”, it’s about “where your customers are”, and this includes capturing leads from the EU.

So in general, if you allow leads from the EU to sign up and you are storing that information in your database or CRM, you are subject to GDPR.

Here are some things to consider/implement to be GDPR compliant on your real estate website.

1: Have a policy that is accessible to customers. This should include how you handle / capture cookies, outline how you capture data and where it is stored, and provide clear instructions on how to request that data be deleted.

2: Train that policy: Anyone who handles leads and potentially might receive a deletion request must be trained on the “law” of GDPR (make no mistake, this is a serious law, it’s not a guideline and it’s NOT optional).

3: Document and outline the steps internally. Where do requests for deletion go, who is responsible for handling them, what is the SLA on handling data requests and how do you audit it?

4: Keep records: It’s important you keep data records of how you captured the data in the first place, where the consumer signed up, their activity while on the platform, a record of their request to make changes to their data storage, and a record of its deletion.

While we do recommend hiring a GDPR specialist if you want to dive deep into GDPR, here are a few features of Renaissance / REW CRM that help you stay compliant:

REW CRM: Our CRM already tracks all visitation data, including things like when and how a user signed up (what page, what form, even the IP address), so the tracking part is done for you all the way up to when it is deleted. (We don’t track after it is deleted because, well… to be compliant we must delete ALL historical data on a lead.) That means you have to track the deletion. Though if you do truly delete it, this should never come up.

Renaissance: Delete my account mechanism:

In the latest versions of Renaissance, there is a feature built into the users’ dashboard where they can request their account be deleted. Note this does NOT delete their account. What it does is send an email to the website administrator that the request has been submitted, and it is “up to the administrator to delete the account”. Remember, this is NOT optional, you have to do it. So just delete it!

Why not have it auto-delete? This is protection from hackers or other nefarious acts that try to feed hundreds or thousands of emails to the request and delete your valid data. You should review every request and make sure there is nothing suspicious about it.

Cookie notification and management:

This is a good idea as well (and also required for a newer California-specific regulation).

Using this feature provides extra consumer choice and notifications about how you capture and store data.

Note - these features exist only in updated Renaissance and do not exist on any previous versions of REW CRM or custom real estate websites. So be sure to upgrade ASAP if GDPR is important to you. If you have a deprecated platform from many years ago (such as a Vision or Barbara), it is highly recommended you upgrade to Renaissance.

If you cannot upgrade for some reason right now but really want these things addressed, you can book a custom project and basically just point them to this thread and tell them “make those features for me on my site”. Copying these features and creating them on old platforms is likely quite expensive though (it’s not an easy copy-paste of code), so it is still probably cheaper / easier to just upgrade.

Recap

Parts you have to do:

  • Write a policy (including how you store their data) and make sure you link to it
  • Provide a mechanism for consumers to request deletion
  • Delete records completely (no soft deleting) when requested and do it inside of 72 hours

Parts Renaissance does:

  • Stores records of lead capture, visits, etc.
  • Provides mechanism for requesting deletion
  • Has optional cookie storage/notification system

In a nutshell, that’s basically it for being GDPR compliant from a “website” perspective.

As for other modes of data / lead capture and storage, we recommend you visit the GDPR official website or contact a professional GDPR consultant to go over your additional use cases.
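
The manual review step described under “Why not have it auto-delete?” can be supported by a small triage pass over incoming deletion requests. This is an added example, not REW or Renaissance code; the record fields, the burst thresholds and the sample data are assumptions made for illustration, and only the 72-hour window comes from the recap above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SLA = timedelta(hours=72)             # deletion window given in the recap
BURST_WINDOW = timedelta(minutes=10)  # assumed review threshold
BURST_LIMIT = 3                       # assumed: distinct emails per IP per window

# Constructed sample data: (received_at, source_ip, account_email)
REQUESTS = [
    ("2024-05-01T09:00:00", "198.51.100.7", "buyer@example.com"),
    ("2024-05-01T10:00:00", "203.0.113.9", "lead1@example.com"),
    ("2024-05-01T10:00:02", "203.0.113.9", "lead2@example.com"),
    ("2024-05-01T10:00:04", "203.0.113.9", "lead3@example.com"),
    ("2024-05-01T10:00:06", "203.0.113.9", "nobody@example.com"),
    ("2024-05-02T08:00:00", "198.51.100.7", "Buyer@example.com"),
]
KNOWN_ACCOUNTS = {"buyer@example.com", "lead1@example.com",
                  "lead2@example.com", "lead3@example.com"}

def triage(requests, known_accounts):
    """Build one review record per request. Nothing is deleted here."""
    parsed = sorted((datetime.fromisoformat(ts), ip, email.strip().lower())
                    for ts, ip, email in requests)
    by_ip = defaultdict(list)
    for ts, ip, email in parsed:
        by_ip[ip].append((ts, email))
    records, seen = [], set()
    for ts, ip, email in parsed:
        flags = []
        # Many different accounts requested from one source in a short window
        nearby = {e for t, e in by_ip[ip] if abs(t - ts) <= BURST_WINDOW}
        if len(nearby) >= BURST_LIMIT:
            flags.append("burst")
        if email not in known_accounts:
            flags.append("unknown-account")
        if email in seen:
            flags.append("duplicate")
        seen.add(email)
        records.append({"email": email, "ip": ip, "received": ts,
                        "due": ts + SLA, "flags": flags})
    return records

def past_sla(records, now):
    """Requests whose 72-hour window has elapsed as of `now`."""
    return [r for r in records if r["due"] < now]

if __name__ == "__main__":
    for r in triage(REQUESTS, KNOWN_ACCOUNTS):
        print(r["received"], r["email"], "due", r["due"], r["flags"] or "ok")
```

Flagged requests still go to the administrator for a decision; the flags only order the review queue, and the `due` field gives the audit trail a deadline to check against.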