General Data Protection Regulation (GDPR) – the biggest change to data handling that UK organisations have seen since the introduction of the current Data Protection Act - is being introduced on May 24th 2018 (Law from May 25th) and will impact all of us.
How is data handling changing?
Many of the principles of GDPR are the same of the DPA. The regulation’s principles aim to ensure that an individual has:
- The right to be informed: Allowing individuals to know that their data is being stored
- The right of access: Allowing individuals to access their data is so that verify the lawfulness of the processing
- The right to rectification: Allowing individuals to change/amend their data if it is incorrect/incomplete
- The right to erasure: ‘The right to be forgotten’ Total wipe out of their data from your systems
- The right to restrict processing: Allowing individuals to put a block on their data being used at all
- The right to data portability: To obtain and reuse their own data for their own purposes across different services
- The right to object: Can say no to their data being used for marketing or processing
- The right not to be subject to automated decision-making including profiling: Can say no to their data being subject to analysis without ‘human intervention’
What if I don't comply?
The GDPR will introduce larger penalties for data breaches than is currently in place for breaching the Data Protection Act (currently £500,000 maximum), with fines of up to 4% of annual worldwide turnover or €20 million being possible.
Whilst it is unlikely that an individual landlord would be handed or €20 million fine (!) penalties will be handed out by the ICO and they have a DUTY to impose a penalty – this is not being taken lightly.
What exactly qualifies as data?
Anything that could help identify your tenant!
This could include:
- Name
- Previous address
- current address
- phone number
- email address
- Date of birth
- Place of work
- Job title
- Records of rent payments
- Utility Bills
- National Insurance number
- Credit searches
- Bank statements
How does it change things for me, as a landlord?
You are a ‘Data Controller’ – that’s quite a significant role!
A data controller is an individual (or an organisation) who decides how personal data is processed.
Data protection obligations primarily fall upon the data controller – it’s your job to keep your tenant’s data safe.
Initially, as a data controller, you decide:
- To collect the personal data in the first place
- The legal basis for data collection
- which items of personal data to collect (what you need to know!)
- What you’re planning on using the personal data for
- Who’s data you need
- whether to pass the data onto a Processor the data, which ones, and whether they have an appropriate handling process
- How long you will keep the data
- Whether to make any amendments to the data (if you will delete any of the content after X amount of time)
You don’t just have to worry about your own processes though. As a data controller, you also have to keep an eye on any Data Processors that you engage with.
A Data Processor is any of the organisations you ask to handle data on your behalf– your referencing agency, your plumber, your agent. Under GDPR they have responsibilities for:- Appropriate collection of data
- Appropriate editing of data
- Retaining/storing in line with GDPR guidelines
- Disclosing (or sharing) data in line with GDPR guidelines
- The correct deletion/erasing/destroying of data
- The proper viewing (e.g. looking at someone’s personal data, which could include their image, on screen or on paper) of data in line with GDPR guidelines
- Appropriate archiving of data
Obtaining new data
This is where things may start to look a little different… Consent to collect and process an individual’s data must be properly documented, and easily withdrawn: either provided by a statement or by a clear affirmative action (tick box). Silence or inactivity DOESN’T MEAN CONSENT.
You can gain consent a number of ways:
- Signing a consent statement on a paper form
- Ticking an opt-in box on paper or electronically
- Clicking an opt-in button or link online
- Selecting from equally prominent yes/no options
- Responding to an email requesting consent (Building a paper trail via email is a great idea wherever possible!)
- Answering yes to a clear oral consent request
- Dropping a business card into a box
However you choose to get your tenant’s consent, make sure that the method includes clear details on the followings:
- Your name/the name of your organisation and the names of any third parties who will rely on the consent – consent for categories of third-party organisations (referencing/maintenance etc) isn’t enough
- Why you want their data
- What you will do with their data
- How they can withdraw their consent for it to be processed (passed on)
What about data I already hold?
That needs looking into too!
Auditing the data that you already hold is a great idea, and getting it prepared for the introduction of GDPR in 2018 is a great idea.
An information audit will help you get your files prepare, an give you an overview. You should understand:
- What personal data do you hold?
- Where did it came from?
- Who have you shared it with?
- Is it all still accurate?
- How you would delete that data?
If you do not have consent to use your existing tenant’s data, you should gain their consent in line with the process above. You should serve your existing (and new) tenants with a Privacy Notice, which will give them details about how their data is used, stored and deleted, and give them details about how to contact you with regards to opting out of processing.
What is a Privacy Notice?
Issuing a Privacy Notice is a great way to convey vital information to your tenants about how their data is going to be managed. If you issue it separately to the tenancy agreement, if you have to make any changes, you can reissue without having to change the entire agreement.
A Privacy Notice only needs to be a simple document, laying out clear facts surrounding your data management process. You should include:
- What information is being collected?
- Who is collecting it – are there multiple data controllers?
- How is it collected?
- Why is it being collected – are there different types of potential processing?
- Offer an option to opt in/out of different types of processing – yes to referencing, no to contact from utility switching companies.
- How will it be used – what are you planning to do with it?
- How it WON’T be used.
- Who will it be shared with (use the names of the organisations, not just the categories)?
- What will be the effect of sharing to these organisations have this on the individuals concerned?
- How you are protecting their information – regular audits of data, Cloud storage, policy updates with Processors etc
- Is the intended use likely to cause individuals to object or complain?
- The potential consequences of not providing information (not being able to issue a tenancy agreement, for example)
- Provide a clear way to contact you to stop processing of their data
Data Breaches
One of the requirements of GDPR is to make sure you have the correct procedures in place to detect, report and investigate a personal data breach.
You must notify the ‘relevant supervisory authority’ of any data breach that could result in a risk of rights and freedom of individuals, including discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. In addition, you would also have to notify the person who’s data had been breached.
Anyone handling data is required to be registered with the Information Commissioner's Office (ICO), and one of the benefits of registration is that the ICO offer support and advice.
An annual membership of the ICO is £35 - You can register here
THIS IS REALLY IMPORTANT!
Getting ready checklist
- Create a privacy policy
- Review your process on how you ask for customer data - consent is key!
- Audit the data you already hold – make sure everything is current, correct and consenting!
- Contact Data Processors that you regularly transact with (agents, property managers, referencing agencies, maintenance companies etc), gather their full contact details and ask about their GDPR data management policy
- Register with the ICO! This is really important!
Topics
Let my property online from
£99 inc VAT
FREE Instant Online Valuation
Comments for GDPR: The Great Data Puzzle, and how to solve it