Why Should U.S. Agents and Brokers Care about GDPR?

General Data Protection Regulation, or GDPR, is finally getting the most buzz among U.S. businesses. More so than just about anything that's happened in Europe since the European Union went after Microsoft for antitrust concerns.

GDPR takes effect May 25, 2018 and covers how European residents' information can be collected and stored online, as well as EU residents' ability to access and restrict that data. It covers what is known in the U.S. as Personally Identifiable Information, see here. This new law also requires companies to notify its European users of any data breach swiftly. So why all the U.S. interest?

Here's why: This law applies to every U.S. real estate website, blog or app if at any point it collects personal information from a European resident. The resident only needs to be in Europe when the data is collected. A financial transaction does not have to take place.

So, if you are a US-based company that encourages people to register for your blog, or if you store searches on your website, or if you collect users' full contact information in an app, you will have to comply with GDPR even if just one person is a European resident whose personal data was submitted or collected while that person was in Europe.

What does GDPR cover?

The GDPR deals with consumer privacy and personal data in six primary areas:

• Right of Consent: EU residents must first give their consent (positive opt-in) before personal data can be collected, and the entity must provide full transparency: EU residents have the right to know what data is being collected, where it is stored, and how the data is being used or processed.
• Right of Access: EU residents have the right to obtain access to their personal data from any entity that stores their information.
• Right to be Forgotten/Right of Removal: EU residents may demand that an entity that stores their personal information removes and erases their personal data from any and all information sources.
• Right of Data Portability: EU residents may require an entity to transmit their personal data directly to another entity and require the data transmission be done securely.
• Right to Restrict Processing: EU residents have a right to block or limit the processing or use of their personal data. When the use of personal data is restricted, an entity may store a user's personal information, but not use it for other purposes beyond the ones approved and authorized by the user.
• Right to notification of a security breach: EU residents must be notified of a security breach if their personal data is at risk. They must be notified within 72 hours of the incident by the entity responsible for storing their data.

The real kicker: no fixed-period limits the data storage – it endures for the life of the business, meaning for as long as you have the data, the user can request it, even if you are no longer using it.

As you can see, the new GDPR is one heady law. It's why companies throughout the U.S. are scrambling. Experts estimate it will cost U.S. companies billions of dollars to comply. Just think of the impact on a large corporation. If you are storing data on a million customers, and say only .05 percent request their data per year, that's still 50,000 customers to whom you have to provide their data records. To put it in perspective, that's nearly 200 data-record requests a day that a firm would need to fulfill.

What are the penalties?

GDPR penalties are apparently driving the last-minute scramble. After all, the law was announced two years ago with its May 25, 2018 start date. The fines range from 10 million Euros ($12.3 million) or 2 percent of global revenue – whichever is higher – to 20 million Euros ($24.6 million) or 4 percent of global revenue.

But how are they going to collect?

It turns out that European laws have long arms that do stretch into the U.S. Some legal experts point to the EU-U.S. Privacy Shield data sharing agreement. This allows for the EU to issue complaints and fines against U.S. companies that do not have a physical presence in the EU.

What can you do?

Because the penalties are so vast, some real estate agents are not taking any chances. If agents and brokers are part of a franchise, they are relying on their parent organization for compliance. The same is true with their technology partners, such as their CRM and marketing technology providers. That's a leap of faith, as surveys have shown that a large percentage of firms in all industries are still mostly unaware that GDPR can drastically impact them and their clients.

Other agents are just not taking any chances. They are altering their website forms to prompt the user to indicate if they are a European resident. If they are, the form warns that it is not to be completed by a European resident unless it is being completed either within the U.S. or a non-European location and confirming this on a checked box. Either of these would make the collected data exempt from GDPR.

Others are merely pulling all forms from their website. As one agent suggested in a Facebook discussion group on the topic, "I never get any real information on these forms on my website anyway, so for me, they are pretty worthless."

If you are ambitious and want to figure out on your own how your website can comply with GDPR, the blog site for WordPress websites, WP Estate has a detailed article, "How to make your website GDPR compliant" here.

The key highlights of the article recommends:

1. Rewrite your privacy policy: It needs to be in clear, simple language how you collect and use personal data, where it is stored and for how long. You need to inform users how they can see the information you have stored, and the process of getting it removed from your system.
2. Get an SSL certificate: A Single Socket Layer certificate ensures that when data passes, it remains private and secure. These are sites that have the https:// at the beginning.
3. Add distinct website forms: No more pre-checked boxes. Everything you ask for must be opted in. Methods of being contacted must be separated, i.e., one for email, phone, mail, etc.
4. Add opt-out solutions: Users need to be able to opt out immediately from any communication, and it should be simple.
5. Online payments: GDPR wants payment data deleted after the payment process; this website recommends deletion within 90 days.
6. IP tracking: GDPR considers an IP address personal data, so if you track and store IP addresses, say in any of your analytical tools, you will need to disclose this.
7. Data breaches: You only have 72 hours to notify customers of a data breach if their personal information was compromised. High-risk breaches must also be reported to Information Commissioner's Office website (ICO).

The one area the article does not address is perhaps the larger task: once your website and/or app is GDPR compliant, how do you make sure you can provide the data requested in the format required? For now, the rush is on to check all the compliance boxes. Looking ahead, once GDPR is in place, European residents are going to start requesting their information. That's when things are going to get interesting. It looks like, for GDPR, we are only about to enter Phase One.

For additional insight from the Tech Helpline experts, check out these articles:

• Tech advice: What do you do if you do the wrong thing?
• Knowing What These Tech Buzzwords Mean Could Save Your Real Estate Business
• How can you make your data safe?
• Don't get caught by the phishing hook

Tricia Stamper is Director of Technology at Florida Realtors®. Florida Realtors owns both Tech Helpline and Form Simplicity.