The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. GDPR sets a new standard for how businesses - including landlords - must handle personal information about tenants.
GDPR replaces the Data Protection Act 1998 and represents a fundamental change in the way you as a landlord should handle and process personal information.
The information in this post is designed to give you an overview of what you need to know. It shouldn't be considered a definitive guide, and if you have any questions you should speak to a GDPR specialist advisor.
GDPR is a regulation that applies throughout the European Union. It aims to standardise the way businesses - such as landlords - handle and store personal information across the EU. It also aims to bring data protection legislation into the internet era, reflecting how much information can now be stored about people and giving them more say over how it is used.
GDPR will protect the rights of EU citizens and EU residents, giving them more control of what information about them can be shared, stored and used.
GDPR was published in the EU Official Journal in May 2016 and applies from Friday 25th May 2018.
We've spoken to many landlords who have asked us whether the rollout of GDPR will be affected by Brexit. GDPR will apply to the UK after we leave the EU, and the British government has proposed a new Data Protection Bill to enshrine the basics of GDPR in British law.
The Data Protection Act 1998 has been in place for a long time and most landlords have been compliant with it for many years. However, GDPR brings in a host of new ways in which a landlord can fall foul of the law.
If you are already compliant with the Data Protection Act you should find the language used throughout the GDPR legislation to be similar and accessible.
Landlords may have to register with the Information Commissioner’s Office unless they qualify for one of the exemptions. There’s a fee for this registration as well which can be broken down into the following three tiers:
Make sure you do register: failing to pay the fee when you are required to is itself a breach that the ICO can penalise, and if you don't tell the ICO which tier you fall into it will charge you the top-tier fee of £2,900 (it will charge the lower fee if you can demonstrate that you fall into tier 1 or 2).
You don't have to register if you process personal data only manually, without any electronic equipment. But even a text message or a call on a smartphone counts as electronic processing, and most landlords will speak to tenants by phone or text at some point.
If you are a not-for-profit organisation you may also be exempt from having to register with the ICO.
Landlords - like all other businesses - could be fined up to €20 million or 4% of their annual worldwide turnover (whichever is higher).
As a landlord, you should perform an assessment to:
Probably the most important thing a landlord can do from this point on is to make record keeping an everyday part of their activity as a landlord.
You then need an internal privacy policy that details how you comply with GDPR, and it should evolve as the way you process and control data changes over your time as a landlord.
This policy can be used to demonstrate your compliance, to train your team to comply, and to help mitigate any fines that could follow a breach.
Most landlords will have to consider GDPR and comply with it. It doesn't matter whether you store everything online or have super-secure offline storage: you will still need to record how this data is stored and processed.
Most landlords will answer yes to one or more of the following questions. If you answer yes then you will need to comply with GDPR.
As a landlord you may also process special category data (what the 1998 Act called sensitive personal data), for example health information a tenant discloses when asking for adaptations to the property. Additional restrictions apply to this kind of data and you need a specific condition for processing it, so it should be considered separately.
You need to understand how data enters your organisation - for example how you receive it from your tenants - and then map how it flows through the organisation and each point at which it is used. This mapping should also document what the data is, how it is stored, who it is shared with, how long you keep it and why you are keeping it.
Once you have mapped the data you or your organisation processes, you need to establish whether you are allowed to continue processing it under the new regulations.
GDPR calls these 'gateways' lawful bases, and you must identify one for every purpose for which you process personal data. As most landlords act as a data controller, you shouldn't default to seeking consent from the data subject; consider first whether one of the other gateways covers the use you make of the data.
Here’s what you may need to consider when processing data:
Consent - you may process a data subject's information if they have given you permission to do so. Whilst consent has been the normal practice to date, it is best avoided wherever possible: consent must be specific about how you will use the data and can be withdrawn at any time, which may limit what you can do with the data and constrain your business practices in future.
Performance of a contract - if you need the data to enter into or perform the tenancy agreement, this will likely be a sufficient gateway. Most of the data a landlord processes during a tenancy would more than likely fall under this provision.
Legal obligation - if you have to hold information about your tenants because the law requires it, you would use this gateway. For example, you may need to process data for Right to Rent checks.
Vital interests - if you have to hold the information in order to protect the vital interests of the data subject or another person, for example in cases of serious illness or injury or other life-threatening situations. Most landlords wouldn't use this gateway.
Legitimate interests - many businesses will now choose to hold data under the legitimate interests gateway. This means that the data controller (or a third party) may use the data for a purpose it has a genuine interest in, provided that purpose is set out in its terms and privacy notice, the processing is necessary for it, and it has minimal impact on the data subject's privacy. You should document the balancing you carried out between your interest and the individual's rights, as the ICO can ask to see it.
The data controller needs to keep a record of the gateway or gateways that are chosen for the purposes of processing data.
As with everything, the way we do business will change and it’s likely the regulations will be updated as well. So it’s important that landlords continually review their compliance to GDPR.
Once you've worked out why you process an individual's data and which gateway covers it, you then need to make sure that how you process the data is also compliant from a record-keeping perspective. As a landlord, you need to ensure that your data protection policy protects the rights of the data subject.
In addition to the above gateways there is also Public task, which covers processing necessary to perform a task in the public interest or for your official functions, where the task or function has a clear basis in law. This is mainly reserved for public bodies - such as local authorities - and is unlikely to apply to you as a landlord.
Landlords have a responsibility under the new regulations to keep written records demonstrating that they have put proper data protection policies in place. Within that policy, you should document how you will comply with the data protection principles and how you will protect the rights of the individual (the data subject).
A big part of this for most landlords is ensuring the data is secure. For most landlords - those with fewer than 250 employees - the requirement extends to data that's:
On top of this, landlords should have measures in place for the ongoing governance of data. Here are the privacy principles that you need to make sure you've taken into account when reviewing how you store data:
If you have more than 250 employees you will need to keep fuller internal records of processing, especially for high-risk processing and processing that involves special category (sensitive) personal data.
Remember, the Information Commissioner's Office (ICO) can ask to see your records and processes to make sure you have them in place.
Data controllers have to ensure compliance with the following data protection principles:
Once you've established the steps above you then need to ensure you've got a privacy notice in place.
A privacy notice is the information the data controller must give the data subject about how it processes their personal data: who you are, what data you hold, why and on which lawful basis you process it, who you share it with, how long you keep it and what rights they have.
As data controllers, landlords will likely rely on the contractual and legitimate interests gateways as the legal basis for how they process an individual's data. As such your privacy policy and privacy notice are especially important and should be comprehensive.
As you may be renting property to families, you may find yourself storing some personal data about children. Wherever possible it's best not to store the details of under-18s. If you do have to process this kind of data you need to comply with the specific requirements for it, and your privacy notice must be written so that it's accessible to children as well as adults.
MakeUrMove will be updating our terms and privacy policy and providing them to our customers. However, many landlords don't have a website for their property portfolio, so the notice may need to be sent out individually to all parties.
A sample privacy notice can be found on the ICO website.
You need to be able to show how data subjects can exercise their GDPR rights against you as a landlord. Their rights include:
Data controllers must notify the ICO if there is a breach of personal data, unless the breach is unlikely to result in a risk to the individuals affected. A breach could be in the form of:
Landlords must inform the ICO within 72 hours of becoming aware of the breach or face a potential fine for failing to do so. Where the breach is likely to result in a high risk to the individuals affected you must also inform them without undue delay; in other cases this isn't a requirement.
As a landlord you are likely to be a data controller. You are then required to use only data processors - any person or organisation that processes data on your behalf - that can give sufficient guarantees that they themselves comply.
One of the major considerations is whether data is transferred outside the EU. At MakeUrMove we process the majority of data within the EU, with our servers located in Ireland. However, we do work with a handful of data processors outside the EU for some specific tasks, and we have had to undertake additional checks to ensure compliance and security.
Data controllers and data processors must have a written contract in place which sets out the relationship between the two parties and their respective responsibilities for the data. We have been updating our privacy notice and terms as part of our contractual agreement with landlords who use our service, and it's important that landlords take the time to review them alongside the emails we've been circulating to landlords who use our service.