GDPR in the Netherlands


The the majority of real estate firms in the Netherlands are unaware of the new wide-ranging EU data protection regulations (GDPR). This was the conclusion of a recent round table meeting held in Amsterdam, organised by Remit Consulting together with software company OSRE and Lexence Lawyers. The attendees suggested that the industry can become more GDPR-proof by creating awareness within real estate firms about GDPR and having an insight towards the management of personal data.

GDPR requires all companies to demonstrate that they have control over the personal data they process, starting from May 2018. However, as revealed by the attendees, it appears that many Real Estate organisations have a lot of catching up to do and are not adequately prepared. The average score for a question about whether the sector is GDPR-proof was only 4/10.

The most important bottleneck mentioned by the attendees is that the new privacy law is not directly in line with the interests of real estate companies. The know-your-customer culture in the real estate sector requires personal data (information) to serve customers better, improve business processes and reduce risks. Consequently, as many organisations are lacking the right mind-set and approach, it is difficult to embed the new legislation in organisations because its value is simply not being seen.

It’s becoming clear that to comply with the GDPR, organisations should begin by analysing the sense and nonsense factors behind collecting and recording information. Which data do you collect for what purpose? Who has access to the information? Can you explain this to your clients and is it in line with all aspects of GDPR? Such questions provide companies with necessary insight to their current processes, in addition to raising awareness about the privacy and protection of personal data within the organisation.

Several alternative solutions were also mentioned during the discussion, including:

  • Anonymising (pseudo) personal data, so that information is no longer traceable to an individual;
  • Encrypting, or encrypting data in so-called tokens, which ensures that personal information is unreadable during a data breach;
  • The use of technologies such as block chain, to (for example) encrypt and anonymize data, or verify data without saving it;
  • The conclusion of a good (and mandatory) processor agreement with parties that process data;
  • Working within one central system, in which the access of various cooperating parties to personal data is recorded. 

According to the attendees, data, and more specifically data analytics, will be at the forefront of the real estate sector throughout the coming decade. Yet currently, there is only a small focus on data amongst real estate organisations, which will change over the next few years as the technology market expands and companies become increasingly data driven. Real Estate firms need to be more aware and prepared for these forthcoming changes by transforming themselves into data processing and GDPR experts as soon as possible.