What does GDPR regulation mean for the proptech industry?

There’s no denying that the property technology, or ‘proptech’, industry has grown astronomically in the past few years. At its core are the key players, some that have been in the game for as long as 40 years, but at the periphery we’ve witnessed a significant growth in the diversity of the field – from data analysis to lending and investment, property management to conveyancing and online agents. Their purpose? To simplify the market for the consumer. Proptech services are underpinned by the need to make services cheaper and more intuitive through the use of technology. Convenience and speed are king, especially for busy millennials now reaching property-buying and renting age, and traditional real estate services are increasingly having to cater to this need.

Synonymous with innovation, proptech is no longer just associated with young start-ups. Industry giants have cottoned on to the trend, and in a bid to stay ahead of the curve in a competitive industry, property technology now sits firmly in the mainstream. With this explosion comes a huge amount of data to oversee – the arrival of ‘big data’ as a term used in everyday conversation is testament to this. No longer are we merely dealing with ‘singular’ information that is explicit in its contents, but larger sets of abstract data that – with the right tools – can tell us any number of things about a given person or organisation. The advent of GDPR is a timely response to this.

The digital era and advent of big data now offer organisations unprecedented insight into their customers’ habits and preferences and allow businesses to tailor their strategy accordingly. The result of this trend is that residential, corporate and commercial property organisations today are dealing with a staggering amount of information each and every day, with most of this being highly confidential in nature. Naturally, both owners and occupiers have turned to proptech software suppliers to help manage this great swathe of information, but are these suppliers factoring in the upcoming requirements of GDPR? The need to get this in check is vital, particularly if the property technology industry wishes to continue enjoying the same success. So with the deadline looming, what can be done?

Understanding GDPR and the real estate industry

GDPR, like the 1998 Data Protection Act, distinguishes between ‘controllers’ and ‘processors’. A controller ultimately dictates how and why personal data is processed, whereas the processor acts on the controller’s behalf. Therefore, a proptech software provider would be a ‘processor’ to a property manager’s ‘controller’. GDPR now places specific legal obligations on processors, which stands as a significant departure from previous standards. For example, a processor will be required to maintain records of all personal data and the corresponding processing activities related to this information. In terms of legal liabilities, processors will carry a proportion of ensuing litigation in the event of a breach. Of course, controllers will not be entirely relieved of their obligations and will continue to be liable wherever a processor is involved. In essence, a controller’s primary task is to ensure that the contracts they have with processors are compliant. So, with the burden of GDPR weighing heavily on the shoulders of controllers and processors alike, how can proptech providers best equip themselves?

Preparing the workforce

First and foremost, if they have not already, proptechs and the broader property industry must begin training their staff on the ins and outs of GDPR. This should include all staff in the business, from contractors and facilities managers to senior management and clerical support staff. Training should not only provide an outline of the requirements, but also cover the establishment of the appropriate policies and procedures that need to be in place in order to achieve full compliance. In addition, an assessment of how employees share information will need to be conducted imminently: what shortcuts do they take, and what human errors are likely to expose the company to non-compliance?

But simply educating staff will not be enough. GDPR will also introduce the statutory position of Data Protection Officer (DPO), and any organisation that carries out large-scale systematic monitoring of data subjects will be legally required to employ a DPO in-house.

Evaluating company procedures

The next step is to understand your company’s obligations and current processes, and to identify any gaps. A data protection audit of existing data and unnecessary data storing equipment, files and documents will be essential to ensuring compliance. A data flow audit will pinpoint where personal data is being hosted, and data centre or cloud service providers will need to be equipped for rigorous due diligence of their security measures.

GDPR will also tie together various data breach notification laws in Europe, with the aim of ensuring that organisations are rigorously monitoring for breaches of personal data. All proptechs will have to guarantee that the processes are in place to detect and respond to a data breach within 72 hours of discovering it.

Software and hardware

Cloud security experts Netskope recently revealed that 75 per cent of cloud services within businesses failed to meet the standards outlined by GDPR. The property industry is no different, and with an increasing number of organisations utilising cloud-based solutions, this figure is alarming.

Flexibility will be key, and proptechs will need to evaluate whether their software has the capacity to be configured or customised to adapt to the upcoming GDPR regulations. For example, the ‘Privacy by Design’ facet of GDPR, which stipulates that in every new product privacy is included in software and hardware by design, will prompt the reevaluation of all systems and processes within the context of compliance. Furthermore, the ‘right to be forgotten’ promises to be one of the most challenging aspects of GDPR compliance. A data subject will have the right to have their personal information erased from the systems of processors and controllers; however, the capability to erase information is not something naturally built into software tech. Moving forward, all software will need to be designed with these challenges in mind.

With regards to hardware, removable devices such as USBs pose a huge risk of non-compliance, not only because they are easy to lose or steal, but also in terms of the malware they can introduce to networks. Of course, this is particularly relevant for certain roles in the property sector which require a degree of mobility. For example, a sales and lettings advisor will carry their personal and corporate tech with them out and about during house visitations. To keep track, an extensive hardware assets inventory and encryption of all removable hardware will be necessary to protect valuable data outside the corporate network.

GDPR will come into effect as of 25th May 2018. From that day, the onus for data protection will transfer inexorably onto the processor’s shoulders, and proptechs will no longer have the licence to handle data without the necessary people, processes and products in place to ensure compliance. Last year, Qube Global Software invested more than 70,000 hours in research and development, and our products now have a breadth of functionality that facilitates the easy adaptation of our software for GDPR. That being said, the smallest of human errors could eradicate all these efforts. With potential fines forecast of up to EUR 20 million or 4% of the annual worldwide turnover, now more than ever is the time to begin exercising due diligence.


By Stuart Lee, Data and CRM Manager, Qube Global Software
