A new European Union (EU) data protection regulation called the General Data Protection Regulation (GDPR) may impact U.S. businesses, including multifamily firms. While many businesses that do extensive business in the EU have invested substantial time and money to ensure they are in compliance by May 25, 2018, other businesses, including U.S. apartment firms, that collect consumer data originating in the EU may fall under the scope of GDPR and should evaluate their business operations.
GDPR is an EU data privacy and protection regime designed to give EU consumers more control over their personal data. The framework requires businesses to inform EU consumers about the data being collected and obtain consent, among other provisions. Compliance obligations are clear for businesses in the EU, but more complex for firms that operate outside of the EU but market to or interact with EU residents via the internet. If an EU citizen’s data is collected while the citizen is outside of the EU, such as an EU citizen living in a U.S. apartment community, GDPR does not apply. But if the data is collected while the consumer is in the EU, GDPR may apply. As apartment firms evaluate compliance with the new regulations, questions for consideration include whether their internet marketing is specifically targeted to EU residents and whether they are collecting personally identifiable information on EU residents.
Since GDPR has not yet gone into effect, it is not clear how GDPR regulators will measure proper compliance. Actions taken by GDPR regulators and EU judicial decisions will inform apartment firms regarding their approach to GDPR compliance. As with any regulation that may impact apartment firms, NMHC/NAA recommend that apartment firms consult their compliance team and legal counsel to determine if GDPR applies to their operations.
NMHC/NAA will continue to monitor GDPR implementation and its possible impact on apartment firms. Additionally, NMHC/NAA provide a variety of resources to help secure a firm’s data and bolster its overall cybersecurity posture, which can be found at www.nmhc.org/data-security. Example resources include an industry white paper on cyber security best practices, valuable cybersecurity tools from the Federal Trade Commission and a sharable guide to “Social Engineering Red Flags,” which can help educate employees about cyber pitfalls.
NMHC also works with the Real Estate Information Sharing and Analysis Center (RE-ISAC) to distribute regular email alerts of malicious cyber activity that could impact multifamily firms, their data or residents. NMHC members can sign up for the cybersecurity notification system to learn of real-time cyber threats.
Additional resources relating to GDPR can be found at:
- NYU’s Program on Corporate Compliance and Enforcement
- GDPR FAQs
- Yes, The GDPR Will Affect Your U.S.-Based Business – Forbes
- Congress Presses Forward on Consumer Data Privacy
- Data Security Letter to Senate Committee on Banking, Housing and Urban Affairs
- Equifax, Marriott Take the Stand as More Senate Committees Join the Data Privacy and Security Debate
- Congress Looks to Add New Cyber Disclosure Rules for Companies
- Consumer Privacy and Data Security Issues Front-and-Center for Congress