Pilot #3: Data protection within cloud-supported very small organisations (real estate agencies)

Overview

Vistocasa is a franchising network of real estate agencies that operates in the real estate brokerage sector. Each agency is an independent legal entity, connected to the franchising, whose strength is the use of a software called Vistonet, which administers all aspects of the management of both the network and the individual agencies. The Vistocasa Pilot consists of 4 use cases which identify the most important processes that take place into the network managing a customer, from the beginning of the lead to the conclusion of the contract. In this specific environment, in the fourth use case, also the management of the employees’ privacy protection is part of the pilot.

Use case 1: The Census

The most relevant processing operations performed in the Census use case, as analysed in the preliminary assessment are the following:

  • Census Planning: evaluation of the quality and up-to-date status of data related to properties in the area which are stored on the Vistonet platform.
  • Budget assignment: definition of the number of actions/tasks that an employee must perform in the period.
  • Collection of information related to data subjects and properties in the area, which needs the consent gathering.
  • Data entry of collected information on the spreadsheet, related to data subjects, owners, leaseholders and properties.
  • Import of the above data into the Vistonet platform.

Among them the most relevant impact of the BPR4GDPR framework, and in particular of the User-Centred and Crypto tools, is highlighted in the collection of information and data management (data entry and Import) processes. Since the start of the project has been quite evident that in the first process the collection of consent from a data subject is weak or in some cases not achievable by the organization, and in the meanwhile the management of information suffers of a high data breach risk. The test cases that must be taken in place to check and assess the impact of the BPR4GDPR Tools are the following:

  • INNO 1 — Collection of consent from a data subject – user-centred tools
  • INNO 2 — Data subjects secure data management – Crypto Tool

Next Figure shows how the census process is now GDPR compliant tanks to the adoption of the BPR4GDPR Tools preventing the risk of loss of information thanks the Cryptography Tool, which allows the employee to securely handle data outside the agency offices, and thanks to the UCT Tool which manages the collection of consent from data subjects who informs and update the employee about their property information.

The census process

Use case 2: The Lead management process

Processes in this use case are all mostly related to the management of data subject information, with the goal to transform the lead to a contract, and all required that the consent for the treatment has been acquired by the data subject, and that it can be immediately managed according to data subject’s rights as expressed by the GDPR regulation.

This is the list of the most relevant processing operations performed in this use case as stated in the preliminary assessment:

  • Lead generation from different sources (Census, data subject request from the website, data subject direct inquiry) and consent gathering.
  • Lead management: employee’s daily process consisting in the analysis and management of their tasks related to potential customers.
  • Prospect Management: all the tasks and actions taken in order to convince a data subject to become customer.
  • Customer acquisition: acquisition of all the information related to the customer and their needs and signing of the contract.

BPR4GDPR Framework will improve the consent management in the lead generation thanks to the BPR4GDPR User-Centred Tool and, in the process analysis that will highlight risks or weakness point thanks to  The BPR4GDPR Process mining and discovery Tool . The specific test cases to analyse are the following

  • INNO 3 — Collection, management and update of consent from a data subject – User-Centred tools
  • INNO 4 — Data subject process management – Process mining and discovery Tool

Use case 3: The Customer management process

This use case includes all the activities that the organization carries out to successfully conclude a contract. The customer management process may require the sharing of information between the various agencies (different legal entities) and therefore it is essential that all the actors are certain that they have the authorization to process the personal data of the data subject. The latter must also be guaranteed all rights relating to his privacy and that any variation to the treatment is immediately communicated to all interested parties. The system must therefore immediately consider which data can be managed by the various users because they are regularly authorized, and which ones are not.

The most relevant processing operations performed as assessed in the preliminary assessment are the following:

  • Customer profiling: identification of customer needs and preferences for the sale of their property.
  • Price definition: employee’s task to define the selling price of the property according to the market and the property status.
  • Sales Activity: all the tasks and actions taken in order to find a buyer and manage the negotiation.
  • Customer Management: employee’s strategic task to manage the right selling price of the property
  • Contract signing: once a buyer confirms his decision to buy, the employee manages the contract definition.

The test cases identified in this use case are the following:

  • INNO 1 — Collection, management and update of consent from a data subject – user-centred tools
  • INNO 5 — Access control to data subjects’ data – Data management BUS
  • INNO 4 — Data subject’s process management – Process mining and discovery Tool

Use case 4: The performances monitoring process

The fourth use case is focussed on the privacy management of personal information both related to the customers and the employees within the organization. In the first case the agency manager should be able to support employees accessing only to that kind of customers (data subjects) data needed to solve problems or finalize a contract. In the second case the manager should access to all the employees performances data, even if related to former employees.

The test cases identified in this use case are the following:

  • INNO 5 — Access control to data subjects’ data – Data management BUS
  • INNO 6 — Anonymization of data subjects’ data – Data Anonymization Tool
  • INNO 7 — Risk assessment – Risk Assessment Tool

Next Figure shows the performance monitoring process diagram, updated with the BPR4GDPR anonymization tool, which operates when a employee is no longer in the organization, so the results of queries and reports containing his personal data are anonymized.

Performance monitoring process