Posted on 22 May, 2018 at 7:45
What are the implications of GDPR for landlords? Everyone's asking at this time with the regulation coming into effect on May 25th.
The short answer is: Not as much as you might fear. This summary is intended as a pragmatic briefing for landlords to be able to carry on their business and remain compliant.
Why are there not a lot of implications for landlords? Because if landlords are already compliant with existing data protection regulations, there's little extra to consider.
The main concerns of data protection and GDPR are 'who you share' other personal data with, and that the data is used for the 'purpose' for which it was obtained - subject to certain exceptions mentioned below.
(1) Registering with the Information Commissioner's Office each year at a cost of £40.00. This is an existing requirement and continues in future.
If the landlord processes / stores personal data electronically (this would include keeping tenants' numbers on your phone) then you should register.
It could be considered a matter of scale and personal judgement. Are you a landlord with a few properties where you keep paper copies of certain documents such as tenancy agreement, gas safety certificates in a file or folder?
If the landlord can operate their business in the above manner, then registering with the ICO can be legitimately avoided (see www.ico.org.uk Registration Self-Assessment).
If you complete this self-assessment -
Q1. Do you use CCTV for crime prevention? If answer NO and
Q2. Are you processing personal information? If answer YES (which ALL landlords do) and
Q3 Do you process the information electronically? If answer is NO
then you are under no obligation to register, although you may do so voluntarily.
(2) Under GDPR, all landlords will be data controllers and will collect / use / process and store necessary information securely and without improper disclosure. (This is what landlords already do).
One of the main principles of GDPR that will affect some businesses and probably estate / letting agents, is that data may only be used for the purpose for which it was collected and with the specific consent of that person. In other words, a business or agent couldn't store client details and mass-mail them about an unconnected matter / offer.
As a data controller, there are up to 6 lawful bases upon which data may be processed. Landlords will use up to 4 of them. You don't have to pre-specify the individual ground on which different items of information are being collected, viz:
CONSENT - Tenants provide personal data on request. S/he can withdraw this consent, but if there's another lawful reason why a landlord requires to retain it (legal obligation or legitimate interest) it may be retained.
If the data subject (tenant) asks for information to be removed / deleted, and a landlord has one of the lawful bases for retaining it (see below), they should be told they can complain to the Information Commissioner.
CONTRACT - Collecting details to decide / form a contract (tenancy agreement).
LEGAL OBLIGATION: For example Right to Rent, HMRC and compliance with various regulations and legislation. Court action for tenancy issues - Possession. A civil action can be brought up to 6 years after an event and retaining information about a tenancy could be justified on this ground.
LEGITIMATE INTEREST: Notifying legitimate interested parties, e.g. council tax and utility providers.
Landlords will require a LOT of personal data, financial, credit, next of kin, employment, etc, etc. in order to make a business decision on granting a tenancy, and GDPR does not prevent this. Just store it and use it in accordance with the above.
(3) Data must be kept safe and secure. If a landlord is storing personal data electronically, then the device should be password-protected. Storage in paper form should be in a secure location in a locked cabinet. Most houses are hopefully secure.
(4) Passing information to third parties for processing requires, and always has required, the consent of the subject unless another lawful basis applies. This isn't rocket science: if a tenant reports a plumbing issue, the landlord would e-mail the tenant (thus keeping a record) to ask if they agree to their contact number and name being provided to a plumber. Otherwise there are going to be a lot of 3-way conversations on arranging suitable appointments.
Having provided this information, the data processor (landlord) has to be assured that the third party is data compliant.
The legislation suggests that you should ask for a copy of the contractor's data management policy before disclosing data.
For longer-term relationships such as letting agents, data policies should be requested (and retained) for assurance that each is complying with the data protection principles. But for ad-hoc repairs - are landlords going to contact various plumbers and ask them to e-mail their data protection policy before the customer's details are provided? It can be hard enough to get a plumber already!
Landlords can pragmatically comply with the spirit of the legislation by asking the contractor via e-mail to delete the contact details of the tenant on completion of work. As a business with similar accounting obligations to landlords, they will have to retain the address and the landlord's contact / payment details, which you will of course have consented to.
A Data Privacy Fair Processing Notice should be given to a data subject (tenant) explaining how you will handle their data.
Accent Lettings & Management can provide you with a sample copy of a GDPR Data Privacy Fair Processing Notice - just ask us (you don't have to be an existing client).