9 MAR 2018
Due to the rapid development of online technology, the European Union is having to pay increasing attention to data handling and cybercrime. How will GDPR affect real estate professionals?
The General Data Protection Regulation (GDPR) becomes applicable on 25 May this year. It is intended to give citizens more control over their personal data and to make it easier for companies to meet their obligations.
Once it applies, you will no longer need to track separate national data protection laws: the same rules will apply consistently across the EU. This also creates a level playing field with non-EU companies, which must follow the same rules when they offer goods or services to people in the EU market.
For instance, if your firm has its HQ in Germany and branches in 8 other EU countries, under the current rules you need to be aware of the data protection laws in 9 countries. Data collected by the branches and processed by HQ must be sent, processed and stored in compliance both with the rules of the country where it is collected and with those of the country where it is processed.
The European Commission estimates the costs arising from reporting requirements for a company operating in 15 countries at over €12,000. The new pan-European legislation is expected to cut these costs by harmonising the data protection rules across the whole EU market.
Another positive development the new regulation brings is the ‘one-stop-shop’ for business. The 28 national supervisory authorities remain, but a company whose processing spans several EU countries will deal primarily with a single lead supervisory authority, normally the one in the country of its main establishment. This gives business greater legal certainty that the regulation will be interpreted and applied consistently in each country, and means companies operating in multiple countries will have a single point of contact rather than having to deal with several supervisory authorities.
The GDPR provides for heavy sanctions tailored to the individual case, based on the gravity and duration of the violation, the amount of data affected and the level of damage caused. Mitigating factors such as the non-intentional character of the infringement, the effort made to reduce the impact of the damage and the degree of cooperation with the regulator may help to lower the final amount.
Fines follow a tiered approach. A failure to meet obligations such as carrying out a proper data protection impact assessment can lead to penalties of up to €10 million or 2% of worldwide annual turnover, whichever is higher. The higher tier, covering breaches of the core principles and of individuals’ rights, reaches up to €20 million or 4% of worldwide annual turnover, whichever is higher.
As in the case of a fire: don’t panic. Suspicious entries in access logs, reported thefts, lost equipment or any security incident that involves personal data are typical situations that may amount to a personal data breach, which the regulation defines as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A data breach must be reported to the national regulator unless it is unlikely to result in a risk to the rights and freedoms of individuals. The test is whether, if left unaddressed, the breach is likely to have a significant detrimental effect on individuals: for example discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Whatever you decide, document the breach and your reasoning, because the regulator can ask to see that record.
The initial report must be made within 72 hours of becoming aware of the breach. To be clear, those hours do not stop for weekends or evenings. If you cannot make the deadline, the notification must explain the reasons for the delay. You may provide the full details in phases where they are not all available at once, but you must make the relevant regulator aware within those first three days.
As a professional body regulating the conduct of more than 125,000 property professionals and firms globally, we work to keep our standards updated with all regulatory developments. We are therefore preparing a new professional statement on data protection and cybercrime that will help both sole practitioners and firms to comply with the new regulation. Keep an eye on this website for further updates, and don’t forget to review your data protection policy against the new European rules before May.