5 Things You Need To Know About GDPR

On May 25, General Data Protection Regulation goes into effect throughout the European Union. The landmark law will force companies and consumers to focus on how data is managed and protected in the digital age.  

While the regulation protects citizens of the European Union, businesses in the U.S. and around the globe will have to evaluate their online data practices, no matter where they are based. Bisnow Director of U.K. Nick Castleman and Data Protection Officer Andrew Nathanson shared what American CRE leaders need to know about GDPR, and what Bisnow is doing to help companies prepare for the new regulation.

1. Many businesses in the U.S. will have to comply with the regulation

GDPR may be an E.U. regulation, but businesses around the world are required to be compliant if they hold or maintain the data of any E.U. resident. Having as few as one website visitor or subscriber from the E.U. means a company must be compliant with GDPR. 

For commercial real estate, an industry traditionally slow to adopt technology, many companies are unaware of how GDPR will impact their businesses. In the U.S., GDPR hasn't received significant media attention, and the full impact of its regulations is unclear. 

“Businesses in London are scrambling to get their affairs in order for GDPR, and we’ve been helping them do so,” Castleman said. “The commercial real estate industry in the States is woefully unprepared.” 

Bisnow has subscribers, ticket buyers and website visitors from the EU and the U.K. Because of the company’s international reach, preparations for GDPR at Bisnow have been in the works for nearly a year and included comprehensive security and privacy assessments. 

“CRE businesses, from the biggest brokerages to the smallest contractors, need to take stock of their data and where it lives online,” Nathanson said. “Many of these businesses haven’t realized that the electronic Rolodex they’ve spent years building now falls under the scrutiny of international regulations.”

2. CRE professionals have access to more personal data than they realize

Just as CRE businesses in the U.S. may not realize they have to be GDPR compliant, many don’t realize how much data they have. Every deal, new partnership and lease transaction leaves behind a data trail. Under GDPR, which mandates the specific ways in which a business can and can’t contact individuals for marketing purposes, companies could be prevented from reaching out to those contacts. 

“Real estate is all about people and networking,” Castleman said. “Every one of those email addresses or phone numbers you’ve collected over time could be useless without the right GDPR protocols.”

CRE professionals may also have access to sensitive banking and financial records, passports and Social Security numbers, and even data on individuals’ personal wealth, making these companies prime targets for hackers.

3. GDPR impacts how companies can market via email and other means

“Much of the public conversation around GDPR centers around its limitations when it comes to marketing, especially via email,” Nathanson said. “GDPR is more expansive than just email regulations, but it’s important that companies understand what they can do with email outreach.” 

GDPR does provide six “lawful bases,” or rationales, for why companies can reach out to individuals for marketing purposes. Bisnow’s lawful basis is “legitimate interest.” It provides networking opportunities and news content related to the real estate industry. Everyone Bisnow communicates with is in a real estate-related field and can benefit from its content. 

4. GDPR covers more than email policy

Beyond email, GDPR impacts the rights of consumers to obtain their data and choose to be "forgotten" should they wish to restrict a company's access to that information. It also lays out a list of precautions and protocols that the impacted businesses must follow to mitigate risk.

“Bisnow worked with a team of consultants and lawyers to make sure our data security and legal terms were up to date,” Nathanson said. “To follow GDPR regulations, we also had to confirm that all technology vendors we work with are GDPR-compliant since organizations are responsible even if one of their data processing vendors experiences a breach.”

Information technology teams also need to prepare their data workflows and keep logs of database changes, so they are ready for a regulator visit. Appointing a data protection officer to help manage data and prepare for these visits is now required under GDPR. 

5. International real estate investment requires different data protection protocols 

The global nature of CRE poses additional challenges for GDPR compliance. 

“Real estate is all about people, networks and doing deals," Castleman said. "When CRE players invest in projects all around the globe, that data is being transferred to different countries, often without the participant realizing it."

When sensitive data is being transferred internationally, GDPR mandates that it has to be done through secure means, like a password-protected Dropbox folder, rather than via email. 

GDPR is one of the most significant changes to online data practices in more than a decade, and its far-reaching impact has led to questions about how businesses can operate online. Bisnow is helping select partners prepare for GDPR by offering consultations and a question-and-answer session with our data protection partners.