Throughout the course of running a landlord business, we collect, use, hold on to and share our tenants’ personal data. Because of this, we need to comply with the General Data Protection Regulation (GDPR), which applies from 25 May 2018.
GDPR is about seeing our customers’ (tenants’) data as a valuable asset and treating it with the care and respect it deserves. It’s about being transparent with our tenants regarding the reasons we collect and hold data, as well as informing them who their data is shared with. And GDPR is about being accountable for how we keep our tenants’ personal data safe. The main aim of the regulation is to develop a culture of privacy within organisations, one where businesses communicate transparently and treat their customers’ personal data as worthy of protection in the natural course of business, because it’s the right thing to do and not just because regulation imposes it.
If you’re already adhering to the Data Protection Act, that’s great news (you will be a step ahead of the others), but GDPR takes things further than the DPA, so you will still need to change your paperwork and processes to meet the new requirements. If you’re anything like me, going through the GDPR process will highlight your shortcomings – areas where you’ve been less than Fort Knox – or will simply reveal the sheer number of third parties you actually do share your tenants’ data with. It’s enlightening really.
I’m going to split this article into two parts since it’s a big subject. Part one today will cover the general principles of GDPR, and any terminology you will need to become familiar with.
In part two, I reveal the steps I am taking to become GDPR compliant in my landlord business, so you can use them as a guide to achieving your own compliance.
So what do you need to know?
What exactly is Data processing?
Using the personal information of another individual (the ‘data subject’) counts as data processing. This covers a wide range of operations, including collecting, recording, organising, structuring, storing, adapting, altering, consulting, using, disclosing, and even erasing or destroying the data. Whether you use automated methods (computers) or manual methods (paper records, provided they are organised in a filing system), GDPR still applies.
What data is covered by GDPR?
Personal Data
Any information relating to an identified or identifiable living individual. This can be as simple as a name and email address, or a name and phone number; online identifiers such as an IP address or a cookie ID also count.
Sensitive Data
Sensitive data (called ‘special category data’ in the GDPR) is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data, data concerning health, and data concerning a person’s sex life or sexual orientation. Rather interestingly, financial information (credit scores or bank statements) is not considered sensitive data. Any details you hold about a tenant’s disability are health data and therefore sensitive; processing them requires one of the additional conditions in Article 9 on top of your ordinary lawful basis.
Who handles the data?
The data controller – you! The person or organisation who determines why and how someone else’s personal information is processed. If you have a letting or managing agent acting on your behalf, you remain a data controller; the agent is a data processor to the extent it acts only on your instructions, though an agent that decides its own purposes (for example, running its own referencing or marketing) may be a controller in its own right. In the case of a rent-to-rent (R2R) operator, the legislation implies that the R2R company (not the property owner) is the controller of the tenants’ data. And for a landlord renting to a R2R operator, GDPR applies to your customer’s details only if the customer (the R2R operator, not the actual occupiers) is an individual rather than a company; bear in mind that details of named individuals at the company, such as a director’s contact details, are still personal data.
Data processor – A third party who performs data processing tasks on the controller’s behalf (an employee of the controller’s organisation is not a processor). This could include the cloud software you use to store tenancy or bookkeeping details, your email service provider, a tenant referencing company, a contractor, a virtual assistant, the deposit protection scheme you use… Note that some of these, such as referencing companies and deposit schemes, may well be controllers in their own right for the data they hold, which is one more reason your privacy notice must name them as recipients.
Lawful grounds for processing data
We must have a lawful basis for processing an individual’s data. There are six possible lawful bases, set out below. If your reason for processing the data does not fall under one of them, you are not permitted to process it.
Consent – the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Contract – processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
Legal Obligation – processing is necessary for compliance with a legal obligation to which the controller is subject;
Vital Interests – processing is necessary in order to protect the vital interests of the data subject or of another natural person;
Public Interest – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
Legitimate Interest – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
A landlord’s lawful reasons for processing data will mostly fall under the grounds of contract, legal obligation and legitimate interests.
You will need to be transparent with your tenants and inform them of the lawful bases you are relying on to process their data, as well as the people and organisations you will be sharing their data with. This is typically delivered to them via your privacy notice (often called a privacy policy).
Be warned, there is information on the web stating that the lawful ground for processing tenants’ details is consent, along with guidance on gaining that consent. This is the wrong approach for a landlord’s core processing: consent must be freely given and can be withdrawn at any time, so it cannot underpin processing you have to do anyway to set up and run the tenancy, which is what the contract and legal obligation bases are for. I will delve more deeply into the lawful basis classifications, including examples within a landlord’s business, during part two of this article, “GDPR – 7 steps to Landlord Compliance”.
The rights of data subjects
The right to be informed.
The right of access.
The right to rectification.
The right to erasure (the right to be forgotten).
The right to restrict processing.
The right to data portability.
The right to object (opt out).
Rights in relation to automated decision making/profiling.
GDPR strengthens the rights of individuals (data subjects), and any data processing performed by the controller or processor should take these rights into account. You will also need to explain to data subjects how they can exercise these rights, and in most cases respond to a request within one month. Again, this goes in your privacy notice.
How to handle security breaches
A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, tenants’ personal data.
Every breach must be recorded internally, whether or not it is reported. Where the breach is likely to result in a risk to the affected individuals’ rights and freedoms, the ICO must be notified within 72 hours of you becoming aware of it, and where that risk is high, the affected tenants must also be told without undue delay. For self-managing landlords, such breaches might occur if your laptop or phone is lost or stolen, or any of the online services you use is compromised. Whether a lost device needs reporting depends largely on the protection in place: a device whose storage is encrypted and locked with a strong passcode is still a breach to record, but is far less likely to put tenants at risk than an unencrypted one. For landlords using agents, breaches could occur at home as well as within the agency, for a variety of reasons.
So the GDPR brings in new rights for individuals, new obligations for organisations, and a deadline within which we are supposed to meet those obligations. I know for many it feels like one more darned obligation to add to the list, especially for small businesses and part-time landlords who already have their plates full with so many other responsibilities, but if you remember the purpose of GDPR and the fact that our personal information is an asset worthy of protection, it should help to steer you towards embracing the change.
A final word here – a lot of GDPR talks and articles focus on the heavy penalties (up to €20m or 4% of annual worldwide turnover, whichever is higher) we are liable to if we don’t comply. While I agree it’s necessary to get your head around these additional responsibilities and make adjustments to the way you handle your tenants’ data, realistically these maximum penalties are unlikely ever to be levied on a landlord or small business. I would really like to stress there is no need to panic about 25 May. GDPR is being promoted as a journey, something we will continually evolve and improve. Expressed in words direct from the horse’s (the ICO’s) mouth…
“I want to reassure you that there is no deadline. 25 May is not the end. It is the beginning.”
Look out for part two of this article, “GDPR – 7 steps to Landlord Compliance”, where I share the auditing process I have gone through to ensure I’m doing ‘what is right’.