The short answer is yes. Even if you don’t consider yourself to be running a business, only have a few properties or have them managed by a lettings agency, you must still adhere to the new GDPR rules. However, the extent of its effect depends on how compliant you, your business or the agencies that handle your client data already are with the current data protection laws. The new General Data Protection Regulation (GDPR) came into play on 25th May 2018, though it has been in the pipeline for two years now, giving everyone a chance to process the changes and comply. The GDPR is an update on the current data protection laws that were created in Europe in 1995 and in the UK in 1998, before the internet really became the internet. GDPR seems timely in light of the recent Cambridge Analytica scandal, which has served to show just how powerful personal data can be.
Under the new laws, individuals, organisations and companies are classed as either ‘controllers’ (decides how and why personal data is used) or ‘processors’ (uses the data on behalf of the controller) of personal data. The data itself can be classed as either ‘personal’ i.e. anything that can be used for identification purposes such as a name, address, email, IP address etc, and ‘sensitive’ data i.e. religion, political leaning, sexual orientation etc. Both could be misused with far-reaching consequences for the individual involved so the GDPR is there to give the controllers and processors a set of guidelines on how to best handle personal data.
Here’s what you need to know
All businesses and organisations need to better safeguard and manage the data they hold on their customers. For landlords this applies to all tenants, past and present. The data you hold will fall into the ‘personal’ category such as name and contact details but also, likely the ‘sensitive’ category such as salary information, marital status and sexual orientation (especially if it is a couple sharing the tenancy). The GDPR (as with the data protection laws that preceded it) expects you to handle this data respectfully. The difference now is that there’s greater authority to enforce responsible data handling and fine bad behaviour if necessary.
All landlords should be registered with the Information Commissioner’s Office (ICO) even if they are based overseas. GDPR is a Europe-wide directive and, though the UK is due to leave the EU, the UK is following Europe’s lead and implementing the thorough data protection amendments. This means all data will be stored and processed under the GDPR’s laws for EU and UK citizens and just because you may live outside the UK or Europe doesn’t mean the GDPR doesn’t apply to your property lettings and the data you will have collected on your tenants.
It is important to also note that while the landlord is not responsible for ensuring partner agencies, such as letting agents, service suppliers and property management companies, are GDPR compliant, it would reflect badly on the landlord in the eyes of the ICO if the landlord had not checked that they were. The onus is on the business or company to handle data respectfully and to show that they understand that responsibility, and that extends to any partner agencies they are working with.
The ICO will be responsible for enforcing GDPR in the UK. It can fine businesses for non-compliance, for security breaches, for mishandling an individual’s data, for failing to allow individuals access to their own data, for failing to remove an individual’s data on request etc. Furthermore, the fines can be 2% of a business’ turnover or €10m (whichever is greater) for a minor offence, or 4% of a business’ turnover or €20m (whichever is greater) for a major offence.
While this may sound scary, the reality is the ICO is more likely to fine as a last resort and be more lenient with businesses that have tried to comply with the new rules. Even Elizabeth Denham, the UK’s information commissioner in charge of enforcement, noted that there had been much ‘scaremongering’ and that it was unwarranted.
While the new GDPR is largely the same as the previous data protection laws, there are a few changes:
- People can now request the data your business holds on them, for free, and can expect this information within one month of the request
- An individual has the right to an explanation of any decision that has been made about them. This includes confirmation of data accessed about them from other sources
- An individual can request the data your business holds about them be erased or that you cease to use it, especially if it is no longer needed for the purpose it was collected, for example, a past tenant
- Your business has to show clear consent from an individual for the data about them that you have collected, stored and used
- Your business has to show clear justification for any data it has collected, stored and used (this should be laid out in a publicly accessible data protection policy)
- Your business has a responsibility to store data safely (is your technical security up to date? Have those handling that data had any data protection training?) and not share it with third parties without the express consent of the individual it relates to
- Your business should have a data breach plan, i.e. how to safeguard the data and what recovery and damage-limitation measures are in place should a breach occur. Your business now also needs to report any breach to the ICO and the individuals affected within 72 hours of the breach
- Under current law you should already have a data protection policy but this now needs to include how the customer’s details are processed and a legal explanation of the business’ reasons for doing so.