#ExpertView: Tessa's 2018 Legal Changes series - 3. GDPR
GDPR stands for General Data Protection Regulation and is all about the new data protection rules coming into force in May.
What is it and how does it affect you?
Now before your eyes glaze over completely and you switch off thinking ‘what's this got to do with me’, be aware that if you get things wrong after 25 May when the new GDPR comes into force, you could be fined 20% of your turnover or 20 million Euros if you misuse data. Serious money.
This is important and if you are a landlord or a letting agent - it DOES apply to you.
Why data protection rules affect you
Data protection regulations are all about ensuring that when one person or an organisation holds information about people, that information is held securely and dealt with properly.
People’s data is important. If it gets into the wrong hands, this can lead to identity theft which can cause people enormous harm. Both landlords and letting agents will hold data:
- You will hold tenants’ information - including ‘sensitive information’ which is often collected as part of a right to rent check. Indeed, the data you hold after doing a right to rent check is often all a criminal needs to carry out an identity theft!
- You may also hold information about applicants who were not granted tenancies.
- Letting agents will hold data about their landlords.
Registering with the ICO
The Information Commissioner’s Office (ICO) is the body which regulates data protection rules. Everyone who is subject to those rules must register with them - and this is something you need to do under the current law.
If you are a landlord managing your own properties or a letting agent and have not done this, you should register asap. You are risking a fine if you don’t.
If you use an agent and do not yourself hold any details about your tenants, i.e. financial, employment or personal details, you may not need to register.
If you are unsure whether or not you need to register it is best to check on the ICO website or speak to the ICO about this - and keep a record of their reply.
Registering is not onerous and the fee, for most organisations, is not expensive. You can do this via the ICO website at https://ico.org.uk/. This website also has a huge amount of help and guidance and I have always found the ICO staff to be most helpful.
Looking after your data
Data must be held securely. If it is held electronically, particularly if it is held in the cloud, it must be on a secure, password-protected system.
If there is a data breach, the GDPR requires you to notify the Information Commissioner within 72 hours.
Using data
You also need to be careful what you do with that data after 25 May: it can only be used for the purpose for which it was provided to you.
So for example, if someone gives you their email address to contact them if 1 Acacia Avenue becomes available to rent - this does not authorise you to send them marketing information about something else. You need to get their specific permission for that.
This is going to be very significant for agents who do email marketing using purchased lists. How can you prove, if challenged, that the people on the list actually gave permission for the marketing you are doing?
Note also that consent must be opt in. No more pre-ticked boxes or assuming that people consent if they don’t say ‘no’.
Other issues
Your organisation will need to appoint a Data Protection Officer (if you are a one-man band, this will be you).
You will also need to inform everyone whose data you hold, about their rights. The best way to do this is via a privacy page or notice on your website. I have one here (still a bit of a work in progress) and I am now linking to it from my mailings.
You should also take a look at the ICO Privacy page which served as a model for mine.
Then, the people whose data you hold have a right to ask for a copy of it - and after 25 May you will no longer be able to charge for this.
In many situations people can ask you to delete their data (the right to be forgotten) - but you can refuse (indeed you should refuse) if you need the data for legal reasons. For example, if they are a customer and the information may be needed by HMRC or in case of legal proceedings.
Note however, that if you are required to delete data you also need to make sure it is deleted from any third-party services that you may use.
Preparing for GDPR
The best thing to do is take a look at the ICO website GDPR section and follow their checklists. Keep a record of your answers.
In fact, you could set up a GDPR diary and record there everything you do to prepare for the new rules. Then if you are ever challenged by the ICO you can show them the diary and the work that you have done, to prove that you are taking steps to regularise your organisation.
Preparing for the GDPR can also be viewed as an opportunity. For example, I have created a free ‘25 Critical issues for Residential Landlords’ eBook for people interested in my service to download when they join my GDPR compliant mailing list here.
The eBook, although very useful in itself, also helps to promote my service. And new mailing lists tend to be more responsive than old ones.
What to do next
If this is the first time you have heard about the GDPR, you need to get moving. Check out the ICO website now and follow its guidance.
So long as you are making a real effort, I doubt whether you will in fact be fined horrendous sums for minor breaches.
But you will only be safe if there are no breaches at all!
Further information on this and other topics can also be found on my Landlord Law Blog at www.landlordlawblog.co.uk.
About the Author:
Tessa is a lawyer specialising in landlord & tenant law and runs the popular Landlord Law online service for landlords.
About Landlord Law
Landlord-Law Online is the brainchild of landlord & tenant lawyer and author Tessa Shepperson. Landlord Law members join online and then gain access to the extensive information and documents provided in the password-protected part of the site. There is also a members’ discussion forum where members can ask Tessa questions.
About TDS:
Tenancy Deposit Scheme (TDS) is a government approved scheme for the protection of tenancy deposits; TDS offers both Insured and Custodial protection and also provides fair adjudication for disputes that arise over the tenancy deposits that we protect.
We provide invaluable training in tenancy deposit protection and disputes for agents and landlords through the TDS Academy as well as joining with MOL to provide the Technical Award in Residential Tenancy Deposits.
TDS Insured Scheme: where a TDS member can hold the tenancy deposits as stakeholder during the term of the tenancy.
TDS Custodial Scheme: where TDS hold the deposit for the duration of the tenancy.
TDS Academy: TDS provides property professionals with invaluable training in tenancy deposit protection and tenancy deposit disputes.
TDS can only comment on the process for our scheme; other deposit protection schemes may have a different process or require different steps. Content is correct at the time of writing.
These views are those of the author alone and do not necessarily reflect the view of TDS, its officers and employees.