Q&A: Bisnow’s Nick Castleman On How GDPR Will Impact CRE
On 25 May, General Data Protection Regulation will be in effect throughout the European Union. One of the most significant changes in online data privacy in the past decade, GDPR imposes restrictions on how companies can store and use the personal information of clients. The regulations extend to non-European companies conducting business in the EU or engaging with EU customers.
For commercial real estate, an industry with global reach, GDPR’s impact on how companies handle everything from property transactions to investor data has yet to be fully explored.
Bisnow sat down with its director of U.K., Nick Castleman, to discuss how GDPR will impact commercial real estate, what companies can do to ensure they are compliant and the ways Bisnow is helping select partners prepare for the coming regulation.
Bisnow: How has GDPR been received within CRE?
Castleman: GDPR goes into effect on 25 May, and it’s been the talk of the town. Across the U.K., I’ve been speaking with clients and business contacts in commercial real estate who haven't figured out how the new rules will impact the way they do business.
Bisnow: What sort of data does the CRE industry store on clients?
Castleman: GDPR is intended to give individuals in the EU more control over their personal data. That includes information that the CRE industry stores — sometimes without realizing it. This includes lists of clients, their emails, phone numbers and maybe even their net worths. CRE companies can also have international reach, which complicates GDPR compliance. As developers invest around the globe, they are transferring property and transaction data across offices. This must be done securely. CRE companies need to be proactive about updating their policies and internal regulations.
Bisnow: Much of the public focus is on how GDPR will change the way businesses send emails. How can CRE companies still communicate with clients while staying GDPR-compliant?
Castleman: The public conversation around GDPR has focused on the belief that businesses need consent to email clients. While this is true for the most part, there are notable exceptions, especially for B2B businesses. GDPR includes six “lawful bases,” or rationales, for why companies can reach out to individuals. It’s important for businesses to know if they have a lawful basis for why they’re emailing clients. At Bisnow, our lawful basis is “legitimate interest.” We provide networking opportunities and news content related to the real estate industry. Everyone we communicate with is in a real estate-related field and can benefit from our content.
Bisnow: Beyond changes to email marketing, what else do businesses need to consider?
Castleman: GDPR affects companies’ legal terms, data security and internal protocols, among other issues.
The first step businesses need to take is to have a clear understanding of GDPR. It’s important to work with a data security professional to make sure you have the legal language and documentation to protect your business intentions.
Bisnow was able to establish a “legitimate interest” claim, but other businesses may not fall under a clearly defined legitimate basis, putting their client communication strategy in jeopardy. Businesses also need to take stock of where sensitive data is stored across the company, who can access it and how it is shared within the organization.
Bisnow: What did Bisnow do to get ready for GDPR?
Castleman: It has been a continual process. To start, we worked with consultants and lawyers to audit our data security and give us recommendations on protocols and transparency. That included the appointment of a data protection officer, which all companies are now required to do. We’ve also been training our own team to make sure they know how to keep our data secure. We then confirmed that all 32 technology partners we work with — from the server that hosts our website to the chat tools we use to communicate with our global team — are GDPR-compliant. That is important because under GDPR, we would be responsible even if one of our data processing vendors experienced a breach.
Bisnow: What steps do businesses need to take to become GDPR-compliant?
Castleman: Talking to a professional data protection specialist is the best starting point. Since GDPR is vast and its implications are not yet clear, it’s vital that companies take a proactive approach to compliance and have initial conversations before the legislation goes into effect on 25 May. At Bisnow, we’re keenly aware that our role in the CRE industry positions us to help others, so we’re inviting sponsors and partners to reach out to us with questions for our data team. We’re holding individual consultations so that once GDPR takes effect, the industry is ready.
