What landlords need to know about GDPR

The General Data Protection Regulation (GDPR) comes into force on the 25th May 2018. GDPR represents a new standard by which businesses - including landlords - need to deal with personal information about tenants.

GDPR replaces the Data Protection Act and represents a fundamental change in the way you as a landlord should deal with the handling and processing of personal information.

The information in this post is designed to give you some information about what you need to know, however it shouldn’t be considered a definitive guide and should you have any questions you should speak to a GDPR specialist advisor.

What is GDPR all about?

GDPR is a regulation that’s being introduced throughout the European Union. GDPR is aimed to standardise the way businesses - such as landlords - handle and store personal information throughout the EU. It also aims to bring data legislation into the internet era and change the ownership of data based on the way information can be stored about people.

GDPR will protect the rights of EU citizens and EU residents, giving them more control of what information about them can be shared, stored and used.

When does GDPR come into effect?

After publication of GDPR in the EU Official Journal in May 2016, it was announced the General Data Protection Regulations (GDPR) will come into force on Friday 25th May 2018.

Will Brexit affect GDPR?

We’ve spoken to many landlords who have asked us if the rollout and implementation of GDPR will be affected by Brexit. GDPR will apply to the UK after we leave the EU and the British government has proposed a new Data Protection Bill to enshrine the basics of GDPR in British law.

If a landlord is compliant with the Data Protection Act will they be compliant with GDPR?

The Data Protection Act 1998 has been in place for a long time and most landlords have been compliant for many years. However, GDPR brings in a whole new host of ways in which a landlord can fall foul of the law.

If you are already compliant with the Data Protection Act you should find the language used throughout the GDPR legislation to be similar and accessible.

Important GDPR terms landlords need to understand

• Personal information - Information about the identity of an individual. For example date of birth, email address, national insurance number, car registration number, passport number, IP addresses, etc
• Sensitive personal information - Personal Information that reveals racial or ethnic origin (not nationality), political opinion, religious or philosophical belief or trade union membership, genetic data biometric data, data concerning health, or sexual orientation. Special restrictions apply to this category of information and landlords should avoid taking it where possible. For example, information such as NHS number where requests for disability improvements to the property are made.
• Data processing - Using the personal information of another individual in a variety of ways, including collecting, recording, organising, structuring, storing, adapting, altering, consulting, using, disclosing, erasing or destroying the data. An example may include keeping a copy of the tenancy agreement with the tenant's details on it.
• Data controller - The data controller is a person or organisation who decides how, why and when someone else's personal information will be processed. MakeUrMove is a data controller and you as the landlord will be a data controller as well.
• Data subject - This is the person to whom the personal information relates. This will be the tenants.
• Data processor - A third party who perform data processing tasks for the data controller. Data processors will include referencing services, cloud storage hosts, email account providers. MakeUrMove works with a number of these and we’ve carried out an extensive GDPR audit to ensure compliance.

Does a landlord need to register with the Information Commissioner's Office (ICO)?

Landlords may have to register with the Information Commissioner’s Office unless they qualify for one of the exemptions. There’s a fee for this registration as well which can be broken down into the following three tiers:

1. Micro-organisations - Organisations with a maximum turnover of £632,000 for the financial year or no more than 10 members of staff. Cost: £40
2. Small and medium organisations - Organisations with a maximum turnover of £36m or no more than 250 members of staff. Cost: £60
3. Large organisations - More than £36 million turnover and more than 250 staff. Cost: £2900

Make sure you do register because if you don’t the ICO can charge you the third tier costs of £2900 (they’ll probably let you off the whole £2900 if you can demonstrate you fall into tier 1 or 2).

If you don’t use electronic equipment to process data then you won’t have to register. But even a text or call on a smartphone will count. And most landlords will be speaking to tenants at some point over the phone either by text or by a phone call.

If you’re registered as a non-profit making organisation you will probably also be exempt from having to register with the ICO.

What could happen if a landlord doesn’t apply with GDPR?

Landlords - like all other businesses - could be fined up to €20 million or 4% of their turnover (whichever is the higher).

How can landlords comply with GDPR?

As a landlord, you should perform an assessment to:

• Ensure you have to comply to with GDPR
• Fully map out what personal information is collected, held and who it’s shared with
• have a lawful basis for processing personal information and where consent is needed, you have a high enough standard for it
• have a data protection policy with enough regard to the data protection principles and the rights of the individual
• have investigated whether or not their third-party data processors are compliant with GDPR.
• have a satisfactory privacy notice

Probably the most important thing a landlord can do from this point on is ensuring that they make record keeping an everyday part of their activity as a landlord.

You then need to have a privacy policy that details every aspect of your GDPR compliance, and this should continually evolve as you change how you process and control data over your experience as a landlord.

This policy can be used to demonstrate that your compliance, enable you to train your team to comply and will help you mitigate any fines that could result off the back of any breaches.

Do landlords need to comply with GDPR?

Landlords will have to consider GDPR and most will have to comply with the regulations. It doesn’t matter whether you store everything online or have a super-secure offline storage. You will still need to record how this data is stored and processed.

Most landlords will answer yes to one or more of the following questions. If you answer yes then you will need to comply with GDPR.

1. Are you offering goods or services (including accommodation), with or without payment?
2. Do you hold personal information?
3. Do you process personal information?
4. Are you processing personal data wholly or partly my automated means?
   Or if you don’t use automated means, are you using an organised manual filing system?

As a landlord, you will likely be processing sensitive personal information (that of your tenants) so additional restrictions apply and this should be considered.

Mapping how you use data as a landlord

You need to understand how data enters your organisation, or how you receive it from individuals such as your tenants and then map how it flows through the organisation and the touchpoints on which it is used. This mapping should also document what the data is, how it is stored, who it is shared with and how long you’re keeping the data and the reason you’re storing that information.

What lawful basis do landlords have to process data?

Following the mapping of the data you or your organisation processes, you then need to ensure if you are allowed to continue to process data under the new regulations.

Landlords can use different ‘gateways’ in order to determine if they need to work out their lawful basis for processing data. As most landlords act as a data controller you shouldn’t default to trying to get consent from the data subject, rather you should consider other gateways in which you use that data.

Here’s what you may need to consider when processing data:

Consent - you are allowed to process a data subject’s information if you have been given permission to do so. Whilst consent has been the normal practice to date, it may be best to avoid using consent wherever possible as you will be required to be explicit in the way you use the data and this may limit your ability to obtain upfront consent and your business practices in the future.

For the performances of a contract - if you use the data as part of your letting contract then this will likely be a sufficient gateway for using the data. Most of the data a landlord processes during a tenancy would more than likely fall under this provision.

Legal requirements - if you have to hold information about your tenants for legal reasons then you would use this gateway. For example, you may need to process data for Right to Rent checks.

Vital Interests - if you have to hold the information in order to protect the vital interests of the data subject or another person. This could relate to cases of serious illness or injury and life-threatening situations. Most landlords wouldn’t use this gateway.

Legitimate interests - many businesses will now choose to hold data under the legitimate interests gateway. This means that a data controller and third party can use the data in a lawful manner - as long as they outline what those are in their terms and privacy policy - as the use of the data should be used in a reasonable way and have minimal impact on the subject’s privacy.

The data controller needs to keep a record of the gateway or gateways that are chosen for the purposes of processing data.

Does a landlord need to review their GDPR compliance in the future?

As with everything, the way we do business will change and it’s likely the regulations will be updated as well. So it’s important that landlords continually review their compliance to GDPR.

Once you’ve worked out why you process an individual's data and through which gateway you process that data you’ve then got to make sure how you process the data is also compliant from a recordkeeping perspective. As a landlord, you need to ensure that your data protection policy protects the rights of the data subject.

In addition to the above gateways, there is also Public task, which covers the processing necessary to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. This is mainly reserved for public institutions - such as local authorities - and would unlikely affect you as a landlord.

Accountability landlords have for data record keeping

Landlords have a responsibility under the new regulations to keep written records demonstrating they have created proper data protection policies. Within that policy, you should document how you will comply with the data protection principles and how you will protect the rights of the individual (data subject).

A big part of this for most landlords is ensuring the data is secure. For most landlords - or those with less than 250 employees - the requirement extends to data that’s:

• Regularly taken or used
• Likely to result to a risk in the rights and freedoms of individuals or
• Involve special category data (or criminal convictions)

On top of this, landlords should have measures for ongoing governance of data. Here the principles of privacy that you need to make sure you’ve taken into account when reviewing the storage of data:

• Data minimisation - only collect the data that you have to
• Pseudonymisation/anonymisation
• Transparency/openness
• Allowing individuals affected to monitor processing
• Creating and improving security features on an ongoing basis
  
  

If you have got more than 250 employees you may need to consider additional elements of record keeping including keeping the right kind of internal records, especially for high-risk data which includes sensitive personal information.

Remember, the Information Commissioner's Office (ICO) can ask to see your records and processes to make sure you have them in place.

Data protection principles landlords have to follow

Data controllers have to ensure compliance with the following data protection principles:

• Data must be must be processed fairly
• Data must be collected for specified explicit and legitimate purposes
• Data must be adequate, relevant and limited to what is necessary in relation to the purposes to which the data is processed
• Data processors must ensure the information is accurate and up to date. Inaccurate information should be erased or altered
• Data should be kept in a form which allows identification of data subjects no longer than is necessary
• Data should be processed in a way which ensures appropriate security for the personal data, including protection against unauthorised processing, accidental loss destruction or damage

What landlords need to do about a privacy notice

Once you’ve established the steps above you then need to ensure you’ve got a privacy policy notice in place.

A privacy notice should be provided by the data controller to the data subject relating to how the data controller processes their information.

As a data controller, landlords will likely be reliant on the contractual and legitimate interest gateways as the legal basis for how they process and individuals data. As such your privacy policy and privacy notice are especially important and should be very comprehensive in nature.

As you may be providing rental property for families, you may find yourself storing some personal data of children. Wherever possible as a landlord, it’s best not to store the details of under 18-year-olds. However, if you do have to process this kind of data you need to ensure you comply with the specific requirements for this and your privacy notice must be written in such a way that it’s accessible to children as well as adults.

MakeUrMove will be updating our terms and privacy policy and providing this to our customers, however, many landlords don’t have a website for their property portfolio so this may need to be sent out individually to all parties.

A sample privacy notice can be found on the ICO website here.

What are the rights of the data subjects and how does this affect landlords?

You need to demonstrate how data subjects can exercise their GDPR rights as a landlord. Their rights include:

• The right to be informed - landlords must provide a privacy notice.
• The right of access - landlords must provide a mechanism to access the subjects personal data and you can’t charge for this unless the request for this data is excessive.
• The right to rectification - landlords need to ensure that if there is a mistake in the data then the individual can have it rectified. The data controller must then recurse this to everyone processing the data.
• The right to erasure. (Right to be forgotten) In certain circumstances, individuals can ask you as a landlord to erase their personal data and to prevent you from processing it.
• The right to restrict processing - As a landlord, you must restrict the processing of data where the data subject requires the material to bring/defend legal claims after it is of no use to the data controller.
• The right to data portability - you need to consider the format in which you hold and store data as to whether it is easily transferable.
• The right to object. (Opt out). If the data subject objects to direct marketing, holding the data for legitimate purposes, or holding it for historical, scientific or statistical purposes, landlords must stop the use of the material until the legitimate reason for the data processing can be established.
• Automated decision making/profiling - If you engage in automated statistical profiling or decision making, then you should obtain the explicit consent of the data subject. This shouldn’t affect too many landlords.

Landlords must notify where security is breached

Data controllers must notify the ICO if there is a breach of personal data. This breach could be in the form of:

• Destruction
• Loss
• Alteration
• Unauthorised disclosure
• Access to personal data

Landlords should inform the ICO within 72 hours of the loss or face a potential fine for not doing so. You should also inform the data individuals, however, this isn’t a requirement in all cases.

Why landlords need to ensure data processors are compliant

As a landlord, you are likely to be a data controller. In these circumstances, you are required to ensure that all data processors, that’s any person or organisation that process data on your behalf, are themselves compliant.

One of the major considerations is whether data is transferred outside the EU. At MakeUrMove we process the majority of data within the EU, with our servers being located in Ireland. However, we do work with a handful of data processors for some specific tasks who fall outside the EU and we’ve had to undertake additional checks to ensure compliance and security.

Creating a Data Processing Contract with Third Parties

Data controllers and data processors must have a contractual agreement in place which outlines the relationship between the two parties and their relationships and responsibilities over the data. We have been updating our privacy notice and terms as part of our contractual agreement with landlords using our service and it’s important landlords take the time to review them in line with the email comms we’ve been circulating amongst the landlords who use our service.