23.6 GDPR & Data Privacy Considerations (General Best Practices)

What it is:

The General Data Protection Regulation (GDPR) is a strict data privacy law originating from the EU/UK.

Applicability:

Even if your agency is based elsewhere (e.g., USA), GDPR rules *may apply* if you collect or process personal data belonging to individuals residing within the European Union or the United Kingdom (e.g., international clients, website visitors from the EU/UK).

Key Principles (Good Practice Everywhere):

Regardless of GDPR's direct applicability, its core principles represent best practices for data privacy and building trust globally:

  • Lawful Basis & Consent: You must have a valid legal reason (like explicit, informed consent) for collecting and processing personal data, especially for marketing purposes.
    • Action: Use clear, specific, unchecked checkboxes on Forms for consent (separate for email vs. SMS). Clearly state *what* the user is consenting to (e.g., "I agree to receive weekly property alert emails"). Record details of when and how consent was obtained. Make it easy to withdraw consent (unsubscribe).
  • Transparency & Information: Individuals have the right to know what data you collect, why, how it's used, how long it's stored, and who it might be shared with.
    • Action: Maintain a clear, comprehensive Privacy Policy on your agency website. Explain your data practices, mention key tools used (like Close Master as a processor), outline user rights, and provide your contact information. Link to this policy from your website footer and data collection points (Forms).
  • Data Subject Rights: Individuals generally have rights regarding their personal data, including the right to:
    • Access: Request a copy of their data.
    • Rectification: Request correction of inaccurate data.
    • Erasure ('Right to be Forgotten'): Request deletion of their data.
    • Restrict Processing: Request limitations on how their data is used.
    • Data Portability: Request their data in a common format.
    • Action: Be prepared to handle such requests promptly. Use Close Master features like viewing the Contact Record, editing fields, using DND settings, exporting contact data (Contacts > select > Export), and deleting contact records (Contacts > select > Delete or via record).
  • Data Minimization: Only collect personal data that is necessary for the specific purpose you identified.
  • Accuracy: Keep personal data accurate and up-to-date.
  • Storage Limitation: Don't keep personal data longer than necessary for the purpose it was collected. Define data retention policies.
  • Security: Implement appropriate technical and organizational measures to protect personal data (secure passwords, user permissions in Close Master, secure data handling).

Consult legal counsel for specific advice on GDPR or other applicable privacy laws (like CCPA/CPRA in California) if you handle data from residents in those jurisdictions.