GDPR Essential Guide: Your Responsibilities and Five Tips for the Best Course of Action
We've created a General Data Protection Regulations (GDPR) guide on how the new legislation can affect landlords.
Introduction & Aims of GDPR:
This legislation intends to harmonise data protection laws across Europe and give individuals more autonomy over how their data is handled, imposing a new EU wide system of strengthening and building upon existing data protection regulations in the UK, these are being implemented by the government so that they will remain in place after we leave the EU.
The first important development of GDPR is its changes to the way consent is handled, introducing additional protections to privacy notices as well as more stringent measures around consent to process data. For landlords in particular, this will result in the need for more record keeping around property standards and tenants, as higher penalties will be the result of non-compliance; however the need to notify or register with an information commissioner will no longer be in effect.
It is important to note that there is nothing preventing you as a landlord from making these changes now, the guidance below aim to brief you and provide advice as to how to best handle the upcoming legislation.
Personal Data & Your Responsibilities:
Of course, while very few private landlords would need to pay much regard to the international aspects of GDPR, they are still classified as ‘data controllers’ meaning that they are responsible for how personal information is collected, used and stored. With landlords having always held a considerable amount of data on their tenants, such as their name, email address, employment details and benefit applications, the basic principles will not change. Landlords still need to ensure that they only collect and retain information for which they have a legitimate need, and should only hold onto it for a period of time necessary and appropriate, which is often prescribed by law in respect of tax records or right-to-rent.
Assessment of Changes:
Firstly, landlords must be much more active in respect of ‘consent’. By consent we mean ensuring that the tenant (or any individual in question) has actively granted permission for the landlord to collect, use and store specific data. The critical change is that landlords need to be able to demonstrate that active consent has been obtained (best done in writing) and that the consent covers the activity undertaken by the landlord. For instance, that consent has been granted for personal information to be retained for referencing purposes and the management of a tenancy. They will also need to make sure that a process exists for their tenants to withdraw consent, if appropriate.
Thirdly, if you are found in breach the sanctions could be substantial. Sanctions for non-compliance vary depending on the type of breach or contravention – but fines are permitted up to £20m or 4 per cent of worldwide turnover (whichever is greatest). Of course this is meaningless in the context of private landlords, but it amounts to the possibility of practically unlimited fines. Furthermore, GDPR allows for individuals to sue their landlord for compensation, if they believe data protection regulations have not been adhered to.
Collecting data under the new regulations:
Therefore, when it comes to dealing with new tenants or any individuals from whom you need to obtain data, you can make some minor tweaks to your practice to avoid falling foul of the Information Commissioners Office (ICO).
As mentioned above, consent gained from relevant individuals must be appropriate, when gaining this consent you must include the following fields:
• Your name, company name, and the name of any third parties who may rely on the consent to carry out any relevant work on your behalf;
• The purpose for collecting the data;
• What it will be used for?
• How consent for it to be passed on to third-party processors must be withdrawn;
• What personal data is being held?
• Is it accurate?
• Where it has originated and how would you securely delete it?
What you Should do, Top Five Tips for Landlords:
(1) Register with the ICO
Registering with the ICO is less of a top-tip, and more of a requirement if you are a data controller and not exempt from registration. The registration fee for most landlords is currently £35 per annum, although the fee structure is expected to change from April 2018. Registration provides access to updates, and training material to help with data protection compliance.
For further guidance, the ICO has also published advice on housing for landlords and tenants regarding common situations that affect landlords and tenants, in terms of handling with data. In some of these situations you would have to part with the data but always informing the tenant this is the case.
(2) Adopt a privacy notice
The simplest and most comprehensive way to meet the majority of your obligations under the GDPR is to adopt a privacy notice outlining the way in which you collect and hold personal data.
The GDPR says that information you provide to data subjects must be: Concise, transparent, intelligible and easily accessible, written in clear and plain language; and free of charge.
The notice needs to make clear the basics concerning how you will manage data. It should explain:
• What information is being collected?
• Who is collecting it?
• How is it collected?
• Why is it being collected?
• How will it be used?
• Who it will be shared with?
• What will be the effect of this on the individuals concerned?
• Is the intended use likely to cause individuals to object or complain?
You should also make sure that it clearly outlines how a data subject may withdraw their consent for you to hold and use their data in the future.
(3) Evaluate how you collect, hold, and use new data:
(4) Review all data you currently hold:
As a landlord you will undoubtedly hold a significant amount of personal data. It is important that you identify any records which contain personal information and apply the principles outlined in your privacy notice. I.e. what does the information constitute, how did you obtain it, how do you use it, and who has it been shared with. You must also verify that you have a documentary record of the data subject’s consent.
If you are in any doubt about being able to answer the questions above, and/or whether you have evidence that consent was given you must obtain fresh affirmative consent that you may continue to hold the information.
A simple way to do this is serve a copy of your privacy notice, explaining why you need to reaffirm their consent. By adopting this approach it will be easy to demonstrate that consent was granted for you to hold the information in question.
If you no-longer need the information, in relation to the purpose for which it was originally obtained, it should be securely and permanently destroyed (bearing in mind the need to maintain appropriate records for legal and tax purposes).
(5) Review all data processors you work with (third parties):
Finally, remember that your responsibilities do not stop with your own records. It will be necessary to share information from time to time with third-party data processors such as contractors and letting agents.
Most letting agencies and professional contractors will incorporate the required information into their standard terms of business, so it is a good idea to inquire about their plans to comply with GDPR and request revised copies of any relevant terms and conditions. You should keep a record of any responses received.
Above all, don’t panic! We hope this guide has been helpful in learning about the recent changes.
If you have any further queries or require more clarity on the topic please contact: Policy@landlords.org.uk
Like this article? Sign up to our free mailing list and join 35,000 landlords who trust us to deliver licensing and legislation updates, thought provoking news pieces, and practical property advice straight to their inbox.