On May 25th, 2018 the EU’s new General Data Protection Regulation (GDPR) will take effect. This is a wide-ranging update to the current Data Protection Act to make it fit for purpose in the current digital age. GDPR will apply to all UK businesses irrespective of Brexit.
We have provided tools to help you get ready for GDPR where relevant. This email summarises the key changes that have been made recently.
The changes can largely be grouped into two areas, Consent and Data Retention:
Post GDPR, consent is one of the key bases for processing personal data. Depending on the circumstances, other legal grounds may be more relevant (e.g. a contract or legal obligation); however, if you are relying on consent (for example, to send marketing emails related to non-core services) you must obtain freely given, specific, informed, and unambiguous consent from your contacts. To this end we have updated our contact registration forms to include more granular checkboxes for opt-in consent and editable sections that explain how and why you are using the data, along with a detailed audit history of what consent was given, when and how.
If you decide you need to collect GDPR-friendly consent from your existing contacts, we will be providing new bulk email templates for you to send, requesting that they update their preferences online via new public-facing forms. These same forms also meet the requirement for you to provide contacts with the right to easily specify and update permissions (by, for example, allowing them to quickly opt into or out of receiving certain content). Links to these will automatically be included in all marketing emails sent from the system, and the link to the contact's consent form will be included in the Excel export of contacts so that you can merge this into any external email marketing platform you may use for newsletters (e.g. Mailchimp).
Going forwards, by default, any bulk emails sent from the contact index pages on the system will only go to contacts who have given consent to receive additional marketing emails. If you are sending an email that you believe you have other grounds to send, you will be able to include all selected contacts via a tickbox.
The following help articles provide more information:
Configure your 10ninety system to collect consent post GDPR
How do I identify applicants who are currently receiving automated new property alerts?
How do I identify contacts who have not updated their consent?
How do I identify contacts who have opted out?
Under GDPR, you must be able to justify why you are holding information about someone and the data should not be kept longer than necessary. For example, for contacts involved in a sale, six years may be reasonable as it is the limitation period for someone to bring a legal claim; for lettings, seven years or more for financial records, due to possible tax enquiries.
We have introduced data retention settings which allow you to define how long you would like contacts to remain on the system (for example, 7 years for contacts related to a letting versus 6 months for someone who simply registered with you looking for a property). In conjunction with these settings there are new bulk delete actions to remove contacts that you no longer need to keep, based upon these settings. When you delete someone, their personal information is removed from the system and the deletion cannot be undone. Please remember that GDPR also applies to other sources of data you may have stored outside the system, such as manual filing systems, paper records and emails.
The following help article explores this in more detail:
10ninety & GDPR