General Data Protection Regulation
In the UK, the General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998 (DPA) with the same law that will apply to all 28 EU member states from the same date. The Government have confirmed Brexit will not affect the commencement of the GDPR in the UK.
GDPR was adopted on 27th April 2016 but becomes enforceable law from 25th May 2018 with potential heavy fines for companies that do not comply. We have developed Acquaint to include tools to help you comply with these regulations; this development is just part of what you will need to do as a company, full details of which can be found on the ICO website.
The six principles of GDPR
Personal data shall be:
1. Processed lawfully, fairly and transparently
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary for the processing
4. Accurate and kept up to date
5. Kept only for as long as is necessary for processing
6. Processed in a manner that ensures its security
The GDPR not only sets the rules for how to collect consent, but also requires companies to keep record of these consents. For Contacts to be kept on a Mailing List you need to be able to demonstrate auditable consent via an opt in, confirmed log of verbal consent or be satisfied as a company you are marketing to contacts under ‘Legitimate Interest’.
Contacts that have opted out of receiving marketing material can still be sent transactional communications. i.e. a tenant who has opted out of all marketing communication from you can still be emailed regarding work orders or overdue rent.
Contacts can also request the right to erasure, also known as the “the right to be forgotten”. This principle enables an individual the right to request the deletion of personal date where there is no compelling reason for its continued processing.
There are some specific circumstances where the right to erasure does not apply and you can refuse to deal with a request.
Register (notify) under the Data Protection Act
Under the current Data Protection Act 1998 (DPA), organisations that process personal information are required to notify with the ICO as data controllers (unless an exemption applies). This involves explaining what personal data they collect and what they do with it. If you are not already registered with the DPA read more here.
Get ready
As an agency owner, you will need to ensure you are fully compliant. The transition period gives you plenty of time to prepare. Some practical steps you can take are to understand what personal data you hold, review your 3rd party relationships, document your processing activities and apply technical and organisational measures including your policies and procedures covering data protection, information security and data breaches.
Acquaint gives you the tools to help you be GDPR compliant but ultimately it's your responsibility to check your consent practices and your existing consents. Refresh your consents if they don't meet the GDPR standard.
What tools are in Acquaint to help me comply and how can I use them?
When adding a new Contact
Although Acquaint already has Marketing Preference options per Contact, Version 12 contained new functionality to help you adhere to GDPR:
Registration emails from portals – you can still import contact information from portals via the ‘Outlook Emails’ button. The portals you subscribe to are responsible for their own GDPR and will have only sought consent for you to contact the client with the specific information they have requested. You should then seek your own consent to contact them with further information. This can be achieved in three ways:
1. Legitimate Interest - As a company you can decide you are satisfied you are compliant using ‘Legitimate Interest’ to send property particulars. If this is the case this can be switched on in your configuration. When you send email particulars from Acquaint using the matching functions this will allow the contact to update their preferences or unsubscribe.
2. Gain verbal consent- when a contact registers over the phone or in person you can ask them if they are happy to receive property details by email, if they are you can ‘tick’ the emailing list confirmation on their correspondence, this will also automatically create a log file in Acquaint that verbal consent was sought and confirm together with the User and the date and time. When you then send email particulars from Acquaint using the matching functions this will allow the contact to update their preferences or unsubscribe.
3. Double opt-in of Marketing Preferences - new Contacts can confirm their marketing preferences (Telephone, Email and Post) via an automated email which will send them to the same link on the footer of your marketing emails. It is also possible to bulk send these confirmations to existing Contacts. For example you may want to re-confirm the Marketing Preferences for everyone in your database.
Marketing
Getting Consent
When saving a new Contact a prompt is displayed asking whether you want to send a Marketing Preferences email to them. The prompt will only appear if the Contact has an Email address stored against their record.
When adding a new Contact the Marketing Preferences options in the Correspondence screen are switched off by default and cannot be manually ticked on unless Verbal (oral) consent is confirmed, however once ticked they can be manually ticked off.
Marketing Preferences can only be turned on by the client selecting the preferences in a Marketing Preferences email or by a User manually ticking them and confirming Yes that verbal consent has been provided.
How it works
Marketing Preferences Confirmation via Email/SMS Text
When adding a Contact with an email address the GDPR prompt will appear.
Clicking Yes will send an email to the Contact with a web link to a page where they can maintain their Marketing Preferences. This email will be stored against the Contact's Correspondence screen and the Preferences Request Sent Date field stores the date this was sent. Alternatively, you could send this as a SMS Text.
For GDPR Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent. (Source: ICO)
You can send this Marketing Preferences email/SMS text at any time not just when adding the Contact. Simply go to the Contact and click Email icon and select the Marketing Preferences email.
Marketing Emails sent from Acquaint include an option to 'Unsubscribe or update my marketing preferences' this gives the Contact the ability to Unsubscribe or update their preferences at any time.
When a Contact enters their Marketing Preferences online and submits them they are automatically imported into Acquaint (on a 30 minute schedule). The Contact Marketing Preferences will show dates for Request Sent and Confirmed.
Verbal (oral) Marketing Preferences Confirmation
When editing a Contact and ticking any of the Marketing Preferences options, a question is displayed asking if the Contact has given "clear verbal consent". If "yes" then they can then continue ticking/unticking all of the other options.
When the Contact is saved an Event Log record is created for the GDPR audit.
Visual Warnings
A visual indicator appears on a Contact's screen to show whether they can be called, emailed or send SMS texts. A small red circle appears next to the Telephone / Mobile fields of the Contact screen if "Telephone List" is not ticked and a telephone number is present. A tooltip reads "Not subscribed to marketing calls" is displayed if you hover your mouse over the red circle.
For Emails / SMS Texts, when selecting a Template, a check is made to see if it is a "Marketing" Template and warns if the Contact does not have Emailing List / SMS Text List ticked.
A reminder appears on the Contact's page of the Home Page for "Recently Confirmed Marketing Preferences". This can be configured in
System Configuration → Contacts → Marketing Preferences Confirmed Home Page Reminder (days). Which defaults to 7 days.
Existing Contacts
Legitimate Interest - ‘Soft opt-in’.
To read the full document from the ICO see this link ICO Marketing Guidance Extracts of guidance as follows:
Although organisations can generally only send marketing texts or emails with specific consent, there is an exception to this rule for existing customers, known as the ‘soft opt-in’. This means organisations can send marketing texts or emails if:
• they have obtained the contact details in the course of a sale (or negotiations for a sale) of a product or service to that person;
• they are only marketing their own similar products or services; and
• they gave the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that.
So if your database includes Contacts whose permissions haven’t been collected according to the GDPR’s standards, or if you can’t provide sufficient proof of consent for some of your Contacts, you might not be allowed to send marketing emails to those subscribers any more.
If you have previously sent the contact property particulars from Acquaint via the ‘Matching’ facilities they will have been given the option to ‘opt out’ as above via the unsubscribe/update their preferences link at the bottom of these emails.
Further information is available via https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/
All future marketing emails you send must have the option to unsubscribe/update preferences.
A new screen allows the resetting of existing Contacts Marketing Preferences, and an easy way to bulk send out Marketing Preferences.
Accessed via Under File → Admin Tools → GDPR Marketing Preferences clicking the Reset button will clear ALL Contact's Marketing Preferences. Once completed you can send them all the Marketing Preferences Email in bulk by clicking the Send Marketing Preferences Email.
If you perform this again it will resend the email to Contacts whom have previously been sent the email but not yet responded by confirming their preferences.
Marketing and Transactional Email, Letter and SMS Types
There are two types of Email and SMS communication in Acquaint Marketing and Transactional. Contacts that have opted out of receiving marketing material can still be sent transactional communications. i.e. a tenant who has opted out of all marketing communication from you can still be emailed regarding work orders or overdue rent. Definitions as follows:
Marketing Email/Letter/SMS - any communication that primarily contains a commercial message or content intended for a commercial purpose is considered a marketing. Marketing communication is generally sent to groups of contacts that are prospects or customers. For example, a Property Bulletin or Property Details.
Transactional Email/letter/SMS- any communication that is intended to be purely informative, that contains information that completes a transaction or process the recipient has started with you and contains no commercial message. Transactional emails/letters/SMS Texts are mostly sent to individuals rather than a large list of recipients. For example, instructions to a Tenant on how report maintenance issues.
IMPORTANT It is your responsibility to ensure you select the right email/letter/SMS type for the communication you are sending. Sending a marketing message in transactions email/letter/SMS could result in your business being fined.
Anonymising
An option is provided to Anonymise Contact details for GDPR compliancy. Under GDPR your Contacts can request the right to erasure, also known as the “the right to be forgotten”. This principle enables an individual the right to request the deletion of personal data where there is no compelling reason for its continued processing. If a Contact makes a request to you for their details to be forgotten you can optionally use this function to anonymise their data.
Find out how to anonymise a Contact by reading the Anonymise topic.
When can I refuse to comply with a request for erasure?
You can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
• to exercise the right of freedom of expression and information;
• to comply with a legal obligation for the performance of a public interest task or exercise of official authority.
• for public health purposes in the public interest;
• archiving purposes in the public interest, scientific research historical research or statistical purposes; or
• the exercise or defence of legal claims.
Source: ICO Right to erasure
Reporting
Report filters are available for "Contact - Marketing Preferences Sent Date" and "Contact - Marketing Preferences Confirmed Date".
"Marketing Preferences Consent" and "Marketing Preferences Verbal Consent" events are written to the Event Log.
Following up Marketing Preferences requests/non-responders
Once you have sent the Marketing Preferences you may want to resend or report on them to the people that haven't confirmed their Marketing Preferences.
Use the following criteria which can be done as following:
In More click Reports select in the Type of report select Contact and then Contact List.
Click Add to add a filter of Contact Marketing Preferences Confirmed Date: Include 01 January 1900 To 01 January 1900*.
Optionally, click Add to add a Filter of Contact Email Address Exclude this will exclude anyone that doesn't have an email address.
Save the criteria by clicking Save Macro and the filters will be saved for future use.
Subsequently, you can bulk resend the Marketing Preferences email by changing the Type of Report to Emails (bulk sending) and send them using the criteria you selected above.
* This means where there is no date
Use additional report filters to target specific groups of people to such as just your Vendors or Landlords
Adding an email address to a Contact that does not currently have an email address saved will activate the GDPR prompt.
A Marketing Preferences SMS Text Template for requesting Marketing Preferences is also available.
If someone sets all their preferences as off their status is changed to Expired, if their preferences are set on their status will be changed to Current if it isn't already.
Since Tenant Shop relies on the Marketing Permission for Pass Details to 3rd Parties being ticked. If Tenant Shop is invoked in System Configuration, when the Tenancy is saved the Pass Details to 3rd Parties will be automatically ticked against the Tenant. It is advised your Tenancy Agreement contains a clause that states the Tenant's details will be passed to Tenant Shop. A Tenant Lead will be sent when the start date of a Current Tenancy is within 14 days. This is essentially introducing the Tenant to Tenant Shop. Note: Pre -Tenancies will be excluded.
Useful Links
If you are not already registered with the DPA read more here.