PropTech Corner
By David Trepp
There’s No Avoiding GDPR for CRE Companies.
The European Union (EU) General Data Protection Regulation (GDPR) is the first of a new generation of
sweeping privacy and security standards that Commercial Real Estate (CRE) organizations cannot ignore.
Even if your CRE company operates solely in the U.S., a large fraction of property owners, managers, realtors,
contractors, et al. handle data on EU citizens, whether you know it or not. GDPR has a broad definition of
what constitutes personal information that goes far beyond just EU resident employees and direct customers.
Information protected under GDPR that you may not think about includes:
• trade shows where EU resident attendee registration information is shared with you by the trade show
vendor,
• the company website that probably collects “cookie” information from visiting EU citizens’ browsers,
• marketing materials that you email to EU residents,
• parking and other concessions that collect almost any type of identifying information,
• and the list goes on.
While it’s still unclear how GDPR will be enforced for U.S. companies, fines are steep and firms of all sizes
are taking notice. For example, Facebook recently suffered a data breach and promptly submitted a GDPR
breach notification to an Irish watchdog group.
https://www.bankinfosecurity.com/facebook-submits-gdpr-breach-notification-to-irish-watchdog-a-11573
This swift, voluntary action by Facebook indicates that even behemoth U.S. technology companies are
making sure not to run afoul of GDPR. Your CRE company cannot afford to do otherwise.
David Trepp, partner in BPM’s Information Security Assessment Services Practice, has led over 1,200 information security
penetration test engagements for satisfied customers across all major industries throughout the United States and abroad. Contact
David at [email protected] or 541-687-5222.
BPM Real Estate Insights