The new General Data Protection Regulation (GDPR) took effect throughout the European Union (EU), including the United Kingdom, on May 25, 2018. The regulation requires self-storage operators to change the way they gather, store and use personal data from customers, staff, suppliers and the public.
The EU decided there should be uniform standards for data protection across Europe and that these standards should no longer depend on separate legislation in each member state, which is why the GDPR was drafted as a regulation that applies directly in every member state. In addition to affecting businesses in Europe, it also imposes conditions on businesses outside the EU that offer goods or services to people in the EU or monitor their behaviour.
The new rules have had a significant impact on self-storage operators in Europe, particularly those that gather video footage on their properties, because footage in which a person can be identified is personal data under the GDPR and must be handled accordingly. The GDPR also gives individuals more power to understand and control how their data is used, including rights to have it corrected and erased. Following are the more significant elements of the legislation that affect self-storage operators.
A Dedicated Officer
While the appointment of a dedicated data-protection officer may not be a requirement for every self-storage business (the obligation depends on the nature and scale of the processing rather than simply on company size), it's difficult to implement the requirements of the GDPR without a named person who is accountable for data protection. Facility operators must decide who will be responsible for implementing the regulation and controlling facility data. This should be a person who's senior enough in the operation to make the required decisions.
While all businesses should already have a robust privacy statement, the GDPR requires extensive changes to it, and it now needs to be readily available to everyone who provides data to your business. This means that before customers provide you with any information, through any means, they must be offered a copy of your statement. It must include details of how their data will be used, the legal basis for collecting it, the means for customers to correct or erase their data, and the way in which your business will protect the information.
It's now necessary to add opt-in consent boxes at every point where customer data is collected for marketing. If your business intends to contact customers for marketing purposes, or to pass customer details on to other businesses for the same purpose, customers must "opt in" to give consent. This can't be a pre-ticked box on an online form or contract; it must require the customer to click, tick or take some other positive action to give consent. Customers must also be able to withdraw that consent as easily as they gave it, so keep a record of when and how each consent was obtained.
Find and Remove Data
Every business needs a system for finding all sources of a customer's data and removing it if necessary. You must be able to copy the information, supply it to the customer and delete it on request, and the GDPR expects such requests to be answered without undue delay and normally within one month.
While this may seem simple, a customer's data might be stored in multiple locations, including facility-management software, e-mail, backups, CCTV recordings, and physical files and letters such as rental contracts, late notices and invoices. Self-storage operators must have a structured approach for storing and finding this information so all personal details can be deleted or anonymized when necessary.
Data-Breach Policy and Procedure
Every business needs a procedure in place to address a data breach. Depending on the nature of the breach, who needs to be contacted, and how? Does the supervisory authority need to be notified? Under the GDPR, a breach that is likely to put individuals at risk must be reported to the supervisory authority within 72 hours of becoming aware of it, and affected individuals must be told without undue delay when the risk to them is high. Do you need to notify all your customers, staff and others whose data you store? All of this needs to be covered in a clearly documented policy that relevant staff know how to follow.
A data breach or non-compliance with the GDPR can have a devastating effect on a business. Maximum fines are the greater of €20 million or 4 percent of the business' worldwide annual turnover. It's essential that all staff understand the importance of protecting personal data and that procedures are followed at all times. Ongoing training will be necessary to ensure this.
A Defined Purpose
A key element of the GDPR is that you can only keep personal data if you have a legal basis to do so. Fortunately, the bases provided are quite broad and include the legitimate interests of the business. However, self-storage operators must still review all the data they keep and whether they have a right to keep it.
This is particularly pertinent to historical data, such as that of customers who no longer store with you, or inquiries from prospects who never became customers. This information was gathered for a specific purpose, and once that purpose is fulfilled, the data should be removed. The reasoning is that if a breach occurs, the impact is limited to the data you actually needed to hold. For self-storage businesses, it means categorizing data so it can be removed when it's no longer required; as a rule of thumb, this is usually no more than six months after the inquiry or contract termination, unless another legal obligation (such as accounting or tax rules) requires a longer retention period.
The GDPR will change the way many companies do business, including self-storage. It’s important to educate yourself on these key regulations to protect your data, your customers and your operation.
Rennie Schafer is the CEO of the Federation of European Self Storage Associations, which represents the self-storage industry in Europe. For more information, visit www.fedessa.org.