
What is GDPR? And what do landlords need to know about it?

New European-wide data regulations explained

There are some serious changes afoot across Europe. These affect how every company collects, handles and destroys personal data.

As with all new pieces of regulation, there is a certain amount of settling in that’s required. While we’ve looked to ensure our data practices comply with the new regulations, we’ve also noticed that there are as many interpretations as there are companies complying!

Based on our own research, here’s a guide for our clients and other landlords as to what’s required and what you need to know. Below, you will also find links to the Information Commissioner’s Office (ICO), which has detailed information on the regulations.

What is GDPR?

The General Data Protection Regulation (GDPR) is a Europe-wide regulation that ensures that individuals’ personal data is handled correctly by companies. As well as giving individuals more control over how their data is handled, it places extra responsibilities on those who handle that data.

As a landlord, you will handle tenants’ personal data.

The regulation is coming into force on 25 May 2018. While it is intended mainly for larger companies, all businesses, including sole traders, must comply.

In essence, GDPR requires that companies and individuals that hold information on others:

  • Only collect the data that they actually need
  • Only use that data for its intended purpose
  • Keep it safe, at all times, especially when shared with third parties
  • Tell the authorities immediately if it gets lost or stolen
  • Delete the data when they no longer need it

Is it different to general data protection rules?

Yes.

The GDPR rules aim to improve the current rules on how businesses (known in the regulations as data controllers) look after people’s data.

It also places greater responsibility on data controllers for the actions and policies of the data processors they employ. Data processors are individuals or organisations that hold or manage data on a data controller’s behalf. ‘Data processors’ include companies such as tradespeople to whom you pass information so they can conduct work for you.

Am I a data controller?

Yes.

The definition of a data controller is anyone who, either alone or jointly with other persons, determines the purposes and manner in which personal data are processed.

That means, if you obtain personal information from a tenant, whether in a digital format or as hard-copy, you are viewed as a data controller.

What are my responsibilities as a data controller?

You are responsible for ensuring that the information you hold on your tenants is safe and secure.

Importantly, it means that you can only use information for purposes you have a legal right to carry out. I will cover this in a bit more detail later. A quick example: you couldn’t use data you’ve obtained as a landlord to sell your tenants unrelated services from a business you manage.

GDPR means you have responsibility to determine the type of data you collect, why you need it, which other organisations may handle it and how they should do so. This means you need to consider:

  • What personal data you need to collect. GDPR requires you to collect the minimum amount possible. For instance, you would not need a tenant’s driving licence number to supply them with a tenancy.
  • What legal basis you have for collecting the data (see below)
  • How you will use the data you’re collecting
  • How long you need to keep the data for – GDPR forbids data controllers from holding data indefinitely
  • Whether you need to pass data to a processor (for instance, a credit ratings agency)
  • Whether these third parties can handle the data in accordance with GDPR

In terms of third-party companies, this would include Purple Frog, but also contractors, builders and other agencies. A good way to check is to ask for the processor’s privacy policy. I cover this in a bit more detail below.

What is lawful basis?

GDPR defines six different lawful bases that you can use to collect and process data.

It is the data controller’s responsibility to select and document which legal basis covers the collection of data.

There is no right answer, as several bases might apply, depending on the situation and the data collected. Importantly, data cannot be used other than under the legal basis it has been collected under, unless this is also made clear to tenants.

Not all bases will apply, but you may find that several fit different parts of your business. Looking at the data and the situation, it is up to you to select the most appropriate legal basis.

Again, you cannot tell tenants you are collecting the data under one basis then use it for something else.

What are the six legal bases?

1) Contract

For landlords this will probably be the most common reason to collect and process data.

Simply put, you are collecting the data in order to comply with your obligations as part of a contract, for instance an assured short-hold tenancy.

This legal basis also applies before a contract is established, so you can gather the necessary information with which to reach the agreement. An example of this would be referencing.

2) Legal obligation

This means you need to collect the data in order to fulfil a law or regulation imposed upon you. The clearest example of this is collecting ID in order to fulfil your legal obligations under England’s Right to Rent laws.

3) Consent

To use consent as your legal basis, the subject must have given their express permission to you, so you can process their data. The most common example of this would be signing up to an email newsletter.

The regulations forbid using consent as a precondition of service. This means that if consent hampers the effective processing of data, then perhaps another legal basis is required.

A rule of thumb is that, if the action you are going to perform is outside what a tenant would expect, you should probably ask their permission first. Consent must be freely and actively given. This means that companies cannot rely on ‘soft opt ins’ (Click here if you do not want to receive information) for consent.

4) Legitimate interest

Legitimate interest is the most appropriate basis when using data in a way that people would reasonably expect, for instance where the data is already in the public domain. However, the data controller must be able to prove that processing has to take place and that the legitimate interest passes three tests:

  • Purpose test: identify a legitimate interest
  • Necessity test: show that processing is necessary to achieve it
  • Balance test: do the individual’s interests, rights and freedoms override the legitimate interest?

These tests need to be documented and data controllers must be able to show that any activities have the minimum of privacy issues.

5) Vital interest

This would apply if processing the data is necessary to protect ‘the essential interests’ of an individual. It’s unlikely this would ever apply to a situation in the property market, as it covers such things as offering medical assistance.

6) Public task

Again, this is unlikely to be relevant to you as a landlord, as it relates to public authorities using data as part of their official duties.

What should I do when collecting data?

You are bound to find yourself in a situation where you need to collect data, for instance for a new tenancy. This is especially true if you have a let-only arrangement with Purple Frog.

You will need to make the tenant aware of the legal basis you are using to collect the data. You must explain this clearly and keep a record that this has happened.

When you ask for the data, you must ensure that you give the tenants the following information:

  • Your name (and company name, if applicable)
  • The name of any company who will be carrying out work for you and who you will share the data with
  • Your legal basis for collecting the data
  • What the data will be used for (for example creating a tenancy)
  • How they can withdraw consent for the information to be processed (there are limits to withdrawing consent, if the lawful basis is not legitimate use or consent)

You will also need to think about what personal data you already hold, for instance on current or ended tenancies.

Make sure you are familiar with what personal data you hold, where it came from and whether you should delete it.

As I mentioned above, GDPR states that you cannot hold data forever. However, the regulation does not give an exact time. Thinking about things like tax returns or proof of use, under article 4, will help you get a sense of how long you can legitimately hold onto a piece of information.

You will need to document this reason, as well as the timeframe.

If you think that some of your data needs consent, but you are unsure if you have it, you will need to get consent again. Remember, consent needs to be actively given, so you can’t send a message that says ‘to give consent, do nothing’.

It is important to ensure you keep records of when consent was given and to what.

What if I ignore GDPR?

Unfortunately, ignoring the GDPR regulations is not an option.

The new regulations give consumers some new rights, which all data controllers must adhere to.

These are:

  • The right to access the personal data processed about them, along with the purposes of the processing and information on any transfer of their personal data to any third countries
  • The right to have personal data rectified, or completed if incomplete
  • In some instances, the right to have their personal data deleted early
  • In some instances, the right to restriction of processing of their personal data, so it can be stored but not used
  • The right of data portability of some of their personal data, which means you would securely send data to another data controller
  • Under certain circumstances, the right to object to processing of personal data. This is especially the case for legitimate use
  • The right to withdraw consent at any time

This means that individuals can complain if your data policies don’t comply.

The regulations also stipulate that data breaches need to be reported both to the ICO and the subject of the data breach.

That means that it’s important to ensure data is kept safely and in compliance with the regulations.

There are incredibly punitive fines for not complying. The maximum fine is €20,000,000, or 4% of worldwide turnover, which would ruin Christmas for many decades to come.

While it’s unlikely that a landlord would face the maximum penalties, landlords could still face fines commensurate with the size of their business.

The ICO has gone on record to say its initial response will always be carrot, not stick, especially as these new regulations signify a big change for companies. That said, this depends on whether an errant company is trying to comply or is simply ignoring the new regulations.

What can I do to prepare?

Register with the ICO. The Data Protection Act 1998 requires every data controller (including sole traders, such as landlords) who is processing personal information to register with the ICO.

Ensure you have a privacy policy that you can share with tenants. To help, Purple Frog is updating ours and will share this with our clients shortly.

GDPR’s increased emphasis on getting data right means that it will be worth joining , if you haven’t already.

It costs £40 a year to be a member, but this will also give you access to help and advice. If you’re not sure whether you need to join or not, you can do their self-assessment quiz to make sure: https://ico.org.uk/for-organisations/register/self-assessment/.

Check that your suppliers / other data processors are able to comply with GDPR regulations.

As I mentioned above, Purple Frog is working hard to make sure that we are compliant with the new regulations. We will offer our clients every assistance to ensure you are compliant, too.

Find out more

ICO website: https://ico.org.uk/
ICO’s Guide to GDPR: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
EU GDPR website: https://www.eugdpr.org/