What Might GDPR Mean to Your Management Company? By Nancye Kirk
Last week—May 25, 2018, to be precise—was a milestone in the European Union. That was when the EU’s General Data Protection Regulation, better known by its acronym GDPR, went into effect. It is destined to have a significant impact on any organization that collects, uses and processes “personal data” of any resident of the EU.
Businesses do not have to be located in the EU to fall under GDPR. The law impacts every business that markets and sells goods or services to EU residents online or holds personal data of EU citizens, even if the business has no physical presence in the EU. So that means if a company has no offices or staff in any EU country, and even no customers in the EU, but it in any way processes and stores personal data on EU residents or customers, it falls under the jurisdiction of GDPR. In short, if an organization does any business with the EU or with EU consumers, GDPR most likely will apply.
IREM is paying attention. After all, IREM has members in the EU and collects personal data from those members as well as others who might contact IREM through its website. Property management companies also might have personal data on tenants from the EU or prospects from the EU who contacted them via their websites.
As outlined in the May/June issue of JPM, the underlying principle of GDPR is that data protection should be on every company’s compliance checklist, become standard operating procedure to the way organizations operate, and not be treated as a casual afterthought—sage advice for companies everywhere and in all business sectors, including property management. With this in mind, some of the concepts on which GDPR is based and worthy of consideration even outside of the EU are these:
Consent. Any time that data is collected and processed, those involved will need to be informed to gain consent. This might be collected as part of a manual process or be entirely automated. Affirmative consent is required before processing an EU consumer’s data. As stated in the GDPR regulations, that consent has to be “freely given, specific, informed and an unambiguous indication of the data subject’s wishes.” The request for consent must be provided in clear and plain language—no more of those long, legalese-packed terms and conditions—with the purpose for data processing attached to that consent.
Lawful processing and storage limitations. The collection and use of personal data must be limited to that which satisfies the specific reason for which it was collected and should be stored only long enough to carry out that purpose.
Access to data. EU residents have the right to obtain copies of all data collected about them in a readily usable electronic format and to correct errors in that data.
Right to be forgotten. Also known as erasure, individuals have the right to have their data erased “without undue delay.”
Notification of breach. GDPR specifies that a business has 72 hours after a breach is discovered to report it to the appropriate “supervisory authority” whenever the break is likely to “result in a risk for the rights and freedoms of individuals.” Of note is that 48 states in the U.S. plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands have some type of data breach notification requirements that address who must comply with the law, definitions of “personal information,” what constitutes a “breach,” and requirements for notice.
GDPR also provides for enormous penalties on those who fail to follow its directives: Fines of up to 20 million euros (nearly $25,000,000) or 4 percent of a company’s global revenue, whichever is larger.
In the near term, GDPR could have limited impact on real estate management companies in North America and other countries outside the EU. In the longer term, it could be a harbinger of things to come elsewhere in the world and thus warrants attention. Whether required by law or not, management companies should be assessing their privacy and data security risks and implementing policies and procedures to protect the personal information and data they maintain. Attentiveness is particularly important as laws are enacted and industry guidance evolves to keep up with technological advancements.