With Real Estate being firstly about bricks and mortar, you’d be forgiven for thinking that data protection wasn’t really a huge concern for the sector. However, with the introduction of more significant fines under the GDPR when it came into force back in May 2018, data protection has become a mainstay in regulatory compliance across all business sectors. There is of course more to the GDPR (and now that we’ve left the European Union, to be precise, the UK GDPR) than the possibility of hefty fines, but they certainly help to focus the mind.
In a series of Real Estate focused data protection alerts, we’ll provide brief updates in the areas of data protection compliance that are most relevant to you. But, to kick off, we will look at a round-up of some of the more recent data security breaches and enforcement action.
Data retention, whilst not the most exciting topic, is a key area of focus for enforcement activity. Looking across to France, the French Data Protection Authority (CNIL) issued a fine of €400,000 to a French real estate service provider, SERGIC, regarding failures in two areas: firstly, a failure to implement appropriate security measures which allowed users of its rental web portal to access other individuals’ data such as ID cards, account statements and financial information, and secondly, inappropriate retention periods for data relating to unsuccessful rental candidates. Data retention was also the focus of the Berlin Commissioner for Data Protection and Freedom of Information, when it issued a much more significant fine of €14.5 million to a real estate company that retained personal data relating to tenants using a system that did not allow data to be erased when it was no longer required.
The message is clear: now would be a good time to declutter and get rid of any data that is no longer necessary.
Turning to the ICO’s recent enforcement action in the UK, a couple of cases are of particular interest because they could just as easily occur in the Real Estate sector.
The first involved two individuals who were prosecuted by the ICO in January 2021 in relation to the unlawful disclosure of personal data of customers. The prosecution could just as easily have involved an employee of an estate agency taking client details to a rival firm. In a similar vein, an employee of Morrison’s wrongfully disclosed personal data relating to Morrison’s staff, which ended up in a Supreme Court case in 2020. The Supreme Court confirmed that, whilst on the facts of that case Morrison’s was not vicariously liable for the employee’s actions, there might be other cases where employers could be held vicariously liable for breaches of data protection and other related laws. Misuse of personal data is of course a challenge for all companies and employers, but there are steps you can take to protect your business, including effective employee vetting procedures, raising cultural awareness amongst employees, and policies which clearly articulate employee obligations.
Despite first impressions, these cases are just a few examples which illustrate that data protection compliance is a real issue for the Real Estate sector as with any other sector.