The Robinson Jackson Group - Training: GDPR Staff Guidance

GDPR Staff Guidance

Updated: June 2023

The Robinson Jackson Group

This document is designed to run in tandem with the compulsory online GDPR Awareness Training for all staff.

Other documentation and policies to read include the RJ Group Staff Handbook, Privacy Policy and Data Protection Policy.

© Robinson Jackson Group

GDPR Overview

What is it? – The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world.

Who does it impact? – Though it was drafted and passed by the European Union (EU), it imposes obligations onto organisations anywhere, so long as they target or collect data related to people in the EU.

When did it come into force? – The right to privacy is part of the 1950 European Convention on Human Rights. From this basis, the European Union has sought to ensure the protection of this right through legislation. The GDPR entered into force in 2016 after passing the European Parliament, and as of May 25, 2018, all organisations were required to be compliant.

What are the penalties for violating GDPR? – The GDPR will levy harsh fines against those who violate its privacy and security standards. There are two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages.

What information does the GDPR apply to? – The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier.

Lawful basis for processing data – There are six lawful bases on which it is legal to process personal data; a guide to these can be found further on in this guide.

7 Key Data Protection Principles - If you process data, you must do so according to seven protection and accountability principles. These are detailed further on in this guide.

What are data subject rights? – One of the aims of the General Data Protection Regulation (GDPR) is to empower individuals and give them control over their personal data. The GDPR has a chapter on the rights of data subjects (individuals), detailed further on in this guide.

What are the rules on security under the GDPR? – The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.


What is Personal Data?

Guidance on different types of data and how they apply within GDPR legislation

Not Personal Data:

Data from which it is not possible to directly or indirectly identify an individual:

• Address without a name.

• A generic email address such as info@company.com or company@hotmail.com, unless you hold it on a database as being the email address of a specific named contact.

• A receipt with date, time and last 4 digits of a credit card but no name or email address.

• Corporate accounts with summary payroll data.

• Company name – if it is not the name of an individual it can be identified with.

• Website address – if it cannot be identified with an individual.

• Phone number without a name.

• Job title without a name.

Personal Data:

Any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier:

• Name and address.

• Personal email address identifiable with an individual – e.g. john.smith@anydomain.com

• Name with last 4 digits of credit card.

• IP address – if it can be associated with an identifiable individual.

• A web cookie – if it can be associated with an identifiable individual.

• Photos or CCTV images of individuals.

• Company name – if it can be identified with an individual.

• Job title with a name.

Special Category Data:

Personal data that could create more significant risks to a person’s fundamental rights and freedoms. For example, by putting them at risk of unlawful discrimination:

• Race / ethnic origin.

• Political affiliation.

• Religion.

• Trade union membership.

• Genetics.

• Biometrics.

• Health.

• Sex life.

• Sexual orientation.

Special Category Data requires additional measures to be taken with regards to documentation and the nature of processing. This is because mismanagement of it could create more significant risks to a person’s fundamental rights and freedoms than with normal personal data.

GDPR only applies to personal data and special category data; however, it may be possible to combine several pieces of non-personal data to identify an individual (e.g. initials and gender), so such data must still be handled with care and must still be considered within our GDPR practices.

Lawful basis for processing data

Guidance on instances in which it’s legal to process personal data.

Unambiguous consent - The data subject gave you specific, unambiguous consent to process the data. (e.g. They’ve opted into your marketing email list.)

Contractual - Processing is necessary to execute or to prepare to enter a contract to which the data subject is a party. (e.g. You need to do a background check before leasing property to a prospective tenant.)

Legal obligation - You need to process it to comply with a legal obligation of yours. (e.g. You receive an order from the court in your jurisdiction.)

To save someone’s life - You need to process the data to save somebody’s life.

Public interest - Processing is necessary to perform a task in the public interest or to carry out some official function. (e.g. You’re a private garbage collection company.)

Legitimate interest - You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a child’s data.


7 Key Principles

Overview of practices for the processing of personal data.

We must process data according to the key principles outlined in Article 5.1-2:

1. Lawful, transparent and fair

• Lawful - We must have a valid lawful basis in order to process personal data.

• Transparent - It must be clear to the subject as to how their data will be processed.

• Fair - Processing must match how it has been described to a data subject and not have any hidden tricks.

2. Data accuracy – We must take steps and implement processes to ensure personal data is accurate and, where necessary, stored in a way that allows a user to update or delete the data themselves (securely).

3. Purpose limitations – Personal data can only be obtained for specified, explicit and legitimate purposes. Data can only be used for a specific processing purpose that the subject has been made aware of and no other, without further consent (with some exceptions).

4. Integrity and confidentiality – Process personal data in a manner that ensures appropriate security and protection against unauthorised or unlawful processing, as well as accidental loss, destruction or damage.

5. Storage limitations – Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

6. Data minimisation – Process personal data only when it is adequate, relevant and limited to what is necessary for the purposes for which it is processed.

7. Accountability – We must be able to demonstrate compliance with the other principles. It’s not enough to comply; you must be seen to be complying. The range of processes that organisations must put in place to demonstrate compliance will vary depending on the complexity of the processing.


Data Subject Rights

Overview of rights for Data Subjects.

1. Right to be informed – Provide the personal information of the Data Subject if requested.

2. Right of access – Provide access to the data belonging to Data Subjects upon request.

3. Right of rectification – Allow the Data Subjects to correct inaccurate information or provide corrected data.

4. Right to erasure – ‘Right to be Forgotten’, data must be deleted if requested or if there are no legitimate grounds for storage.

5. Right to restriction of processing – Impede the processing of personal data if non-compliant practices are in operation.

6. Right to data portability – If a Data Subject requests that their data be returned, it must be easily transferable and usable.

7. Right to object – Provide the option to object to the processing of personal data and produce a quick response to demonstrate legitimate grounds.

8. Automated decision making – The right for Data Subjects not to be subject to a decision made by automated means.


IT Security & Data Access

Guidance on the security obligations surrounding personal data under GDPR.

The security principle goes beyond the way you store or transmit information. Every aspect of your processing of personal data is covered, not just cybersecurity. This means the security measures you put in place should seek to ensure that:

• The data can be accessed, altered, disclosed or deleted only by those you have authorised to do so (and that those people only act within the scope of the authority you give them).

• The data you hold is accurate and complete in relation to why you are processing it.

• The data remains accessible and usable, i.e. if personal data is accidentally lost, altered or destroyed, you should be able to recover it and therefore prevent any damage or distress to the individuals concerned.


Applicant Registration

All records – Applicants, Vendors, Tenants & Landlords – should go onto REAPIT.

Shred paper registration forms, once added to Reapit.

Only collect information that is essential and enter it all onto REAPIT.

Do not record any sensitive information, e.g. children’s names, schools and ages.

Load each customer’s information onto REAPIT under their own contact record.

Let customers know you will add them to our database.

Depending on the nature of the enquiry, inform the customer that you will stay in touch.

Once registered, send a property match or a ‘no contact’ email.

All Reapit emails include a link to our privacy policy and this disclaimer: “In order to deliver the best possible service, your details are saved to our database.”

If the applicant makes an offer on a property it MUST go onto Reapit. This will prevent their record being accidentally erased in the future.

Scan all photocopies of ID onto Reapit and shred paperwork.

Lock all paperwork away in the evening and store day books securely.

Use the ‘tasks’ or ‘messages’ function in REAPIT to share personal information with other staff. If you prefer to use email, please delete the emails once actioned.


Removing Customers from Reapit

If you think a customer could become a potential client, then make every effort to keep their records on REAPIT, in case they wish to use our services in the future.

1. Unsubscribe

“Take me off your books, I’m no longer looking – unsubscribe me!”

a. Visit www.robinson-jackson.com/unsubscribe

b. Enter their email address and submit.

c. If necessary, archive the applicant in Reapit.

The email address entered will be removed from our website’s mailing list, plus any associated applicants will be marked as inactive on Reapit, which will stop them receiving matches.

Watch out: Applicants can unsubscribe themselves, so keep on top of your applicant lists, as they will not be automatically archived.

2. Consent Denied

“I do not wish to be contacted in the future!”

a. Complete Step 1 above.

b. Open the contact record/s.

c. Mark the contact/s as ‘Consent Denied’.

d. Archive record/s.

Watch out: Do not contact them unless they request to be reinstated.

3. Erasure Request

“Erase, delete or remove me completely from your database!”

a. Verify the customer is who they say they are, e.g. by phone / email.

b. Complete steps 1 and 2 above.

c. Send the erasure request to Tala (tala.hedges@robinson-Jackson.com).

Watch out: If the customer has been involved in a transaction or made an offer, we will need to keep their records on file and cannot erase them.

FAQs - Referrals & Requests

Can I still refer customers to Cook Taylor Woodhouse, Financial Services etc.?

Yes. Continue to use the referral button on Reapit. It has always been mandatory to ask whether it is okay to refer customers’ contact information; please continue to do this. There is a pop up on REAPIT to confirm you have asked the question.

Can I refer customers to other suppliers not in the referral panel?

It is recommended that you provide the company’s information to the customer, for them to approach the supplier directly.

When updating customer records, what do I need to do?

1. Please verify the customer before making changes to personal information.

2. Update customer’s information on both REAPIT and any paper records.

3. If information has been shared with a 3rd party, update them of any relevant changes.

Watch out: If you haven’t spoken with a customer in a while, please check info is up to date.

A customer wants to know what information we hold?

1. Please verify the customer is who they say they are.

2. Send the request to Tala (tala.hedges@robinson-Jackson.com).

A customer has asked me to send their data to another agent?

This is known as the right to ‘Data Portability’ and is mostly used by banks, mobile phone companies etc. It’s unlikely to happen in estate agency. If you are asked to move someone’s personal data, then send the request to Tala (tala.hedges@robinson-Jackson.com).

A customer doesn’t want contact until [date], what do I do?

You should honour this request and not contact them until the requested date. To restrict processing until the customer’s requested date:

1. Mark the contact as ‘Inactive’ and ‘Consent Denied’

2. Enter next call date, call reminder and / or a task, for the date requested

3. Add an alert in the REAPIT contact screen, informing staff to NOT archive the record.


FAQs - Security

How do I verify a customer is who they say they are?

1. Ask a question only they would know the answer to, e.g. email, address, phone number.

2. If in doubt, call them back and/or ask the customer to email you.

3. If you are still in doubt, refer the customer to your manager.

There is a lot of paperwork in the office, is this okay?

It is your team’s responsibility to limit the amount of paperwork containing customers’ personal information. If you are worried, please speak with your manager. To help limit paperwork, remember to:

• Shred applicant registration forms / ID once added to Reapit.

• Do not leave day books / paperwork on desks unless in use; ensure they are filed and locked away.

How do I report a security breach e.g. stolen Surface Pro?

A security breach is when a customer’s personal information is lost, stolen, deleted, disclosed, altered or accessed without authorisation. If you believe this has happened, please contact Tala immediately on 020 3904 9944 / tala.hedges@robinson-Jackson.com.

Is my computer secure enough and loaded with anti-virus software?

• REAPIT and your PC should be password protected, and these passwords should be updated regularly.

• Use a lock out screen saver which activates after 5 minutes.

• Ask your manager if your PC has the latest anti-virus software.

• Delete extra saved copies of ID or personal information held on devices and locations such as camera memory cards, the scanner folder on the PC and Microsoft Outlook emails.

• If you do not know the 3rd party you are sending personal information to – don’t send it. Always check with your manager.


FAQs - Referrals & Requests

Another agent / solicitor called for a chain check; can I give out personal information?

Yes. Our Privacy Policy informs customers that we will share their information with providers such as Solicitors / Conveyancers, Surveyors, Financial / Mortgage Advisors and other estate agents in a chain, in order to process their transaction.

Before divulging customer data, ensure you are satisfied the person requesting the information is who they say they are. E.g. ask them to confirm our vendor or purchaser’s name, which they should know if they have been viewing with them or selling a property through them.

It has never been advisable to share personal client emails with anyone other than the acting solicitor. Agents one removed from your immediate transaction shouldn’t be contacting our customers directly.

What do I need to consider now when emailing?

If copying customers into progression emails, ensure their email addresses are in the BCC (Blind Carbon Copy) field; this means that they will not see the email addresses of the other parties.

Do not refer to our vendor or purchaser by name, instead use ‘our client’ or ‘our purchaser’.

Do not email the public directly if they are not associated with the immediate sale/purchase. It is advisable to go through their solicitor or agent, unless they have contacted you directly and have explicitly asked for updates.

Key Contact - Tala Hedges 020 3904 9944 tala.hedges@robinson-Jackson.com