The General Data Protection Regulation (GDPR) comes into force on 25 May 2018.
Building upon the Data Protection Act 1998 (DPA), which it replaces, the GDPR brings in much more stringent rules around the processing of personal and sensitive data. It applies to every organisation in the EU that processes personal data, and that includes landlords who receive a rental income from their properties, whether or not the letting is run as a formal business.
The fines for non-compliance with the GDPR are much more severe than those under the DPA: up to €20 million or 4% of annual worldwide turnover (for a landlord, in practice your rental income), whichever is higher, and certain offences under UK data protection law remain criminal. It is therefore imperative that you are aware of your responsibilities under the new legislation.
What is personal data?
Personal data is any information relating to a living person who can be directly or indirectly identified from it, on its own or in combination with other information. It includes data held online and on paper and includes, but is not limited to:
- Telephone numbers
- Email Address
- Postal Address
- ID number
- NI number
- IP Address
- Opinions about an identifiable person
- Employment information
What is sensitive data?
The GDPR calls this “special category” data. It includes:
- Racial or ethnic origin
- Genetic or biometric data (where used to identify someone)
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Physical or mental health details
- Sex life or sexual orientation
Financial information (bank details, credit references) is not a special category under the GDPR, but it is still personal data and a breach of it can cause real harm to the tenant, so protect it to the same standard. Data about criminal convictions, which you may receive through referencing, is covered by its own rule and should likewise be treated as sensitive.
The GDPR (and the DPA before it) applies to both “data controllers” and “data processors”.
What is a “data controller”? A data controller is someone who decides the purpose (reasons for) and means (method) of the processing of personal data.
What is a “data processor”? A data processor carries out the processing of personal data on behalf of, and on the instructions of, the data controller.
As a landlord, you are the data controller for your tenants' data, because you decide why and how it is used, even if you also do all of the processing yourself. If you use an agency to manage your stock, the agent will usually act as a data processor on your behalf (or as a controller in its own right for any decisions it makes itself), but this does not hand over your responsibility: you remain the controller, and the GDPR requires a written contract with any processor setting out what they may do with the data and how they must protect it.
Do I need to register with the ICO as a landlord?
Anyone processing personal data (which includes obtaining, accessing or storing it) has a legal obligation to register with, and from 25 May 2018 to pay a data protection fee to, the Information Commissioner’s Office (ICO), unless an exemption applies. The ICO website provides a short self-assessment which will confirm whether or not you need to register. It is our understanding that if you are a landlord receiving a rental income from your property, you will need to register with the ICO, and this is our current recommendation.
Responsibilities under the GDPR and how to remain compliant
Article 5 of the GDPR sets out six principles. Personal data must be:
a) “processed lawfully, fairly and in a transparent manner in relation to individuals”
Before you ask an applicant or tenant for any personal information you must have a lawful basis for processing it, and you must tell them, in plain language, what you will collect, how it will be stored, how and why it will be processed, who it will be shared with and how long you will keep it. Consent is one of the six lawful bases, but it is often not the right one for a landlord: consent must be freely given and can be withdrawn at any time, whereas most of what you do with a tenant's data is necessary to enter into and perform the tenancy agreement, to meet legal obligations such as Right to Rent checks, or is in your legitimate interests (for example, pursuing arrears). Consent remains the appropriate basis for anything optional, such as marketing. The best way to satisfy the transparency requirement is to write a privacy notice that states the lawful basis for each use of the data, and to ask applicants to sign to confirm they have received it.
b) “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”
Data collected for one purpose must not be used for another, incompatible purpose unless you have a lawful basis for the new use. For example, if you take a tenant's details in order to reference them, you must not later use those details to try to sell them something unless they have agreed to receive marketing from you.
c) “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”
Only collect the data you actually need. The easy way to make sure you comply with this is to ask yourself: “Do I need to know this?” If the answer is no, do not collect it.
d) “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay”
You must take reasonable steps to ensure that the data you are holding is up to date and accurate. The easiest way to do this would be to check in with your tenants on a regular basis to confirm their details, for example when dealing with any maintenance at the property.
e) “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”
In our opinion, this is the principle that most landlords will fall foul of. Think of it like this: how many times, after a tenant has vacated your property, have you gone through your paperwork and securely destroyed or disposed of all of their personal data? I would suggest that a large majority of landlords do not do this, and often with good reason: what if there are problems after the end of the tenancy? What if a claim is raised against you and you have deleted the information (and your defence) with it?
Our suggestion would be to decide on a retention period, record why you have chosen it, and state it in your privacy notice: tenants' personal information will be stored securely for that period (we suggest six years, the usual limitation period for contract claims in England and Wales) after the end of the tenancy, and longer where you have a specific reason to expect a dispute. The GDPR says “no longer than is necessary”, which is open to interpretation, so what matters is that you can justify your chosen period and that you actually delete or destroy the data when it expires. You do not need the tenant's consent to retain data for a documented, legitimate purpose such as defending legal claims.
The Right to Rent legislation does not override the GDPR; rather, it gives you a legal obligation, and therefore a lawful basis, to hold copies of a tenant's identity documents for 12 months after the end of the tenancy, so this minimum must also be built into your retention period.
f) “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
This principle means that you must make sure that any personal data you hold is kept safe. This includes physical safety and online safety. The extent of the measures obviously depends on the type of data you are holding and the amount of damage that could be caused to the data subject in the case of a breach. Our suggestions for holding your tenants' details safely are:
- Keep all files containing personal data in locked cabinets
- Never leave files in vehicles overnight
- Make sure you do not leave files behind in public areas
- Keep your computer's operating system and software up to date, keep the built-in firewall turned on and use anti-virus software, so that known weaknesses cannot be used to get into your computer
- Keep computers password protected and turn on full-disk encryption (BitLocker on Windows, FileVault on a Mac) so that a stolen or lost laptop does not become a data breach
- Use strong, unique passwords (a password manager helps), do not share them with others, and turn on two-factor authentication where it is offered; current NCSC advice is that forcing regular password changes is unnecessary and tends to produce weaker passwords
- Think carefully before saving personal data to consumer “cloud” storage such as iCloud or Google Drive. Data may be stored outside the EU, and transfers outside the EU are only permitted with appropriate safeguards, so check where the provider stores data and on what terms, and secure the account with a strong password and two-factor authentication; you remain the controller responsible for the data wherever it sits
- Make sure emails containing personal data are protected: ordinary email is not encrypted end to end, so send documents as encrypted (password-protected) attachments and give the recipient the password by another route such as a phone call, or use a secure file-sharing service; and double-check the recipient's address before you press send
In addition, under GDPR the data controller “shall be responsible for, and be able to demonstrate, compliance with the principles”.
Under the GDPR, you are legally obliged to report a data breach to the ICO within 72 hours of becoming aware of it, where feasible, unless the breach is unlikely to result in a risk to the people affected; where the risk to them is high you must also tell the individuals concerned. You must keep a record of all data breaches, including those you decide not to report, together with your reasons. A breach can include:
- Unauthorised access by a third party
- Accidental action by a processor (for example, sending an email to the wrong person)
- Stolen or lost computer, phone or USB stick
- Loss of data
For more information, visit the ICO website or give us a call and we will be happy to advise you.