Purpose of this factsheet
The GDPR (General Data Protection Regulation) came into effect on 25 May 2018. It changes, updates and extends the scope of data protection law across the whole of the EU. There are many helpful guides as to the general requirements, including those provided by country regulators.
These factsheets have been developed by DLA Piper in collaboration with RICS to give professionals more insight into the specific ways in which GDPR will impact their business.
This factsheet addresses the particular issues facing the building surveying business. We have a range of other factsheets tailored to the business needs of other professionals, which you can access here.
Key features of the GDPR
The main areas for firms and individual professionals to address can be summarised as follows:
- Processes and controls
- Enforcement and fines
- Data subject rights
- Ongoing nature of obligations
You must be clear with your clients, marketing prospects, sub-contractors and employees about:
- What data you're going to collect and use
- Why you need this data - the purposes for which you need to process the data
- How you're going to process the data and in which countries the data will be processed
- Whether you need to transfer the data to third parties
You must have clear, up-to-date notices for all the relevant groups of people whose data you use. These notices must be easy to find and always available, and you must notify people appropriately of the existence of these notices (e.g. on your website, with your terms and conditions, at a sensible stage in any online purchasing process, and embedded in your HR recruitment processes).
- Demonstrate that you have a clear view of the data flows across your entire business.
- Identify the lawful basis for processing data in each case. For example:
  - to fulfil contractual obligations
  - to satisfy a legal requirement
  - legitimate interests
- If you are relying on consent, demonstrate it was freely given and is capable of being withdrawn.
- Individual RICS professionals within firms will be able to rely on the firm's processes and governance, provided they have reasonably satisfied themselves that processing is being conducted in a diligent and compliant way.
Processes and controls
- Governance framework: you need to manage your compliance. This will include setting policies, running training and potentially appointing a Data Protection Officer (DPO). For example, if a significant proportion of your work is for local government or other authorities, you should consider voluntarily appointing a DPO.
- Privacy by design: you should incorporate a stage into your decision-making process to assess whether there will be any significant data aspects to new projects, systems or processes and, if so, evaluate what that impact will be.
Enforcement and fines
- Regulators have a mandate to enforce compliance with the GDPR and greater enforcement powers. For example, in the event of particularly harmful breaches, regulators may impose a fine of up to the greater of €20 million or 4% of annual global turnover.
Data subject rights
- You need to have processes in place to change or update data on request.
- Individuals may request a copy of the data you hold on them at any time. You should ensure you have systems in place which can identify and retrieve that data and securely deliver responses to any such requests.
Ongoing nature of obligations
- Compliance with the GDPR is best achieved when it is adopted by the executives of your organisation and disseminated downwards. Depending on the focus of your business, your surveyors and marketing executives will all need training so that they can take responsibility for data security and management and adopt good practice in how they carry out their roles.