A new European Union (EU) data protection regulation called the General Data Protection Regulation (GDPR) may affect U.S. businesses, including rental housing firms. While many businesses that do extensive business in the EU have invested substantial time and money to ensure that they are in compliance by May 25, 2018, other businesses, including U.S. apartment firms, that collect consumer data originating in the EU may fall under the scope of GDPR and should evaluate their business operations.
GDPR is an EU data privacy and protection regime designed to give EU consumers more control over their personal data. The framework requires businesses to inform EU consumers about the data being collected and obtain consent, among other provisions. Compliance obligations are clear for businesses in the EU, but more complex for firms that operate outside of the EU yet market to or interact with EU residents via the internet. If an EU citizen’s data is collected while the citizen is outside of the EU, such as for an EU citizen living in a U.S. apartment community, GDPR does not apply. But if the data is collected while the consumer is in the EU, GDPR may apply. As apartment firms evaluate compliance with the new regulations, questions for consideration include whether their internet marketing is specifically targeted to EU residents and whether they are collecting personally identifiable information on EU residents.
Since GDPR has not yet gone into effect, it is not clear how GDPR regulators will measure proper compliance. Actions taken by GDPR regulators and EU judicial decisions will inform apartment firms regarding their approach to GDPR compliance. As with any regulation that may impact apartment firms, NAA/NMHC recommend that apartment firms consult their compliance team and legal counsel to determine if GDPR applies to their operations.
NAA/NMHC will continue to monitor GDPR implementation and its possible impact on apartment firms. Additionally, NAA/NMHC provide a variety of resources to help secure a firm’s data and bolster its overall cybersecurity posture, which can be found at www.nmhc.org/data-security. Example resources include an industry white paper on cybersecurity best practices, valuable cybersecurity tools from the Federal Trade Commission and a sharable guide to “Social Engineering Red Flags,” which can help educate employees about cyber pitfalls.
Additional resources relating to GDPR can be found at:
- NYU’s Program on Corporate Compliance and Enforcement
- GDPR FAQs
- Yes, The GDPR Will Affect Your U.S.-Based Business - Forbes
- What is GDPR? Everything you need to know about the new general data protections - ZDNet