GDPR stands for General Data Protection Regulation and refers to the new Data Protection rules which will come into force on 25 May 2018.
Now before you click away thinking “this does not apply to me” be aware that:
- If you are a landlord it DOES apply to you (even if you just have one rented property), and
- The fines for noncompliance are up to the larger of 4% of your turnover or 20 million Euros.
So if you get things wrong you could lose out big time.
The data in question is personal data. Information about people which if it got into the wrong hands could cause them untold damage. If you hold people’s data you are expected to look after it.
The new rules are a lot more onerous than the old and the deadline is creeping up on us. So if you are a landlord or a letting agent and have not started your preparation yet, here is a plan of action to help you.
1. Make sure you are registered
If you are a landlord or letting agent – you should already be registered with the Information Commissioner’s Office. The Information Commissioner enforces the Data Protection rules.
Everyone who holds and processes (ie uses) data electronically needs to be registered. There are very few exceptions and they probably won’t apply to you. If you are not registered, you need to get this done asap – check the ICO website here.
2. Do a list of the type of data that you hold
So, for example, if you are a landlord or letting agent:
- You will hold personal details about your tenants.
- If you are a letting agent you will have details about your landlords.
- You may also hold details about ‘prospects’ eg your mailing list, for example, if you regularly send information or promotional emails or letters out to prospective landlords or tenants
3. Do a list of the places where it is held
For example, if you are receiving this post via email, then I will hold some details (your email address and maybe your name) on Aweber which is the software used to send most of the blog post mailings. Or, if you have been subscribing for a long time, on Feedburner.
There will probably (particularly if you are a letting agent) be more than one place where you hold data – for example, your Customer Relationship Management (CRM) software, any separate service used to send out newsletters (e.g. Constant Contact or MailChimp), your accounts software, etc.
4. Check that those places are GDPR compliant
If data is held online it should be on a secure site and be password protected. However, there is more to it than that. You need to contact your service to find out what they are doing.
Most of these services are fully aware of the new rules and should have a policy statement somewhere. Find out where it is and keep a record of it. Most reputable services will ensure that they are compliant by the deadline of 25 May.
But remember – if you input people’s data onto these services YOU are responsible for its safety as well as the service company.
5. Check that you have permission from people to use their data in the way that you are using it.
For example, if Mrs A gave you her email address in connection with her application for a tenancy that does not necessarily mean that she gave her permission for you to send marketing mailings to her.
If you are using data from a purchased list to send out marketing emails you need to be very careful. Even if you created your mailing list in-house, it may be best to start again from scratch so you can be sure that you have everyone’s permission. This is what I am doing here.
Remember that it has to be an active ‘opt-in’. One of the purposes of the new rules is to reduce spam and unwanted mailings – so make sure that you can show that everyone on YOUR list has actively consented to get your mailings.
Note however that you do not need specific permission to ‘process’ your tenant’s data if you are using it in connection with their tenancy (such as writing to tenants about property inspections or arranging for essential repair work to be done) or if you are under a legal obligation to retain data, for example for tax reasons or under the right to rent rules.
6. Do a ‘privacy notice’ or have a ‘privacy page’ on your website
A privacy page needs to set out in detail what you do with people’s data and inform people what they can do if they want to unsubscribe or get their data deleted.
Once you have this set up you should link to it from all your mailings, particularly any automatic mailings.
If you don’t have a website, or when dealing with tenants, I suggest you have a printed notice which you hand out to tenants, for example when you take their details when they apply to rent your property.
We have privacy notices which I have drafted for landlords and letting agents on my Landlord Law service.
7. Appoint a Data Protection Officer
If you are a small firm or one-man band – this will probably be you!
The Data Protection Officer’s job is to monitor compliance, ensure that your employees are informed of their duties under the regs, and to be the first point of contact for members of the public contacting you about data protection issues, and also the authorities (i.e. the ICO). Generally, the Data Protection Officer will be responsible for compliance within your organisation.
They should be someone of reasonable seniority and have the authority to make any necessary changes.
If your organisation is quite large (or even if it is not), you should arrange for your Data Protection Officer to have suitable training.
Here are a few other suggestions.
Keep a diary or record of actions taken
Use this to record any work you do preparing for the GDPR so if the ICO contact you about a breach you can show them that you are taking it seriously.
Answer the ICO GDPR checklist.
You will find this here. Keep a record of your answers and review it from time to time. Maybe keep your answers as part of your diary. Again it will go to show the ICO that you are preparing as best you can.
Needless to say, take any action which is flagged up by the ICO checklist – do not assume that my checklist is the final answer! It is only a starting point.
Make sure that your tenancy agreements include suitable Data Protection clauses.
The Landlord Law tenancy agreements have a separate Data Protection section for this.
Develop a Privacy Information Notice
You should also give your tenants a privacy notice which sets out how you use their data. We have one for Landlord Law members which landlords can use.
Note by the way that you do not need tenants’ consent to ‘process data’ for the purpose of their tenancy as you are in a contractual relationship with them so can do this as of right. Your privacy notice should explain this to them.
Find out more
This has far more information and guidance than I am able to give here. Plus we also have articles and FAQ on data protection issues. Find out about Landlord Law membership here.
A few extra notes
- You can no longer make a charge when people request a copy of their data, but you may be able to refuse in some circumstances (but check the law before you do so).
- Although people will now have a ‘right to be forgotten’ they cannot require you to delete your data about them if they are a customer (where you will need to hold data for legal reasons).
- Save where you need to retain information (eg for customers) you should make a practice of deleting information if it is no longer being used.
For more information
Please see the ICO website. My tips above are just a general guide and do not cover everything.
There is also further guidance for landlords and privacy notices for you to use on my Landlord Law online service.
NB A version of this article was first published in the Landlord Law Newsletter.