What is classed as personal data?
Broadly, “personal data” means any information which relates to an identified or identifiable individual. The property industry uses personal data across a range of day to day functions, both in an HR context, as well as in relation to other business functions. Therefore, dealing with staff and consultants, as well as landlords, contractors, suppliers and tenants, involves using and handling personal data.
Recent breaches of data protection have resulted in significant fines for the organisation at fault, such as the Glasgow-based property renovation company fined £80,000 for making calls made to people registered with Telephone Preference Service, which meant they had opted out of sales calls. It is therefore essential that property businesses understand and comply with the GDPR, as the GDPR will see fines rise to €20 million, or 4% of worldwide turnover, for non-compliance.
How will this affect property owners and managers?
Landlords need to be aware of their responsibilities in safeguarding tenant data, making sure it’s only passed on if they are legally entitled to do so, and not retaining it for longer than necessary. It may also be necessary to give tenants a privacy notice to tell them what can be done with data held and how it can be used. This can be done by a privacy statement or in some other way, such as included in the tenancy agreement
Landlords should notify (register with) the Information Commission’s office if they are holding/processing data; as well as providing their tenants with a privacy notice explaining how they process/use data which they collect on them.
The key areas of impact for property businesses will be around:
· rent and payment collection data;
· energy usage data;
· building and car parking security data;
· property occupancy data; and
· contracts between the property owner or fund manager and the property manager.
What does compliance mean?
Compliance with GDPR requires you to understand and record what personal data you gather, why you gather it, how you handle it, where you hold it and how you share it. Permission must be obtained when necessary to gather data and data subjects must be aware that their information is being gathered and what it will be used for. The data obtained should also be proportionate, kept up to date and accurate, and only held for as long as it is required. For many organisations, this will mean developing a raft of new processes and policies to ensure compliance.
In addition, GDPR introduces new rights such as the right to be forgotten and the right to move data held on subjects to another provider. It also introduces important changes to how and why consent to obtain data can be gathered and how this consent can be used.
GDPR also makes certain activities mandatory, such as:
• appointing a Data Protection Officer;
• providing new and existing staff with suitable training and additional support when required;
• conducting Data Protection Impact Assessments (DPIA) to design data privacy into any new systems and processes; and
• notifying the ICO within 72 hours of a data breach.
With less than six months to go, property businesses must:
· give careful consideration to what personal data they collect and how they use, share and otherwise process it;
· review their existing property management agreements to ensure that they meet the requirements of the GDPR, and properly allocate risk between the property manager and the fund or business contracting with the property manager;
· put in place those other policies, procedures and governance structures which will be needed – together with relevant training – to ensure on-going compliance.
These changes are likely to have a big impact on how property companies handle and use personal data in the future.
"Landlords need to be aware of their responsibilities in safeguarding tenant data, making sure its only passed on if they are legally entitled to do so, and not retaining it for longer than necessary."
Hannah Robinson from Glaisyers
DISCLAIMER: The statements, opinions, views and advice expressed in this article are those of the author/organisation and not of ENTIRELY. This article should represent information correct at the time of publication however whilst every care has been taken to present up-to-date and accurate information, we cannot guarantee that inaccuracies will not occur. ENTIRELY will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within this article or any information accessed through this site. The content of any organisations websites which you link to from ENTIRELY are entirely out of the control of ENTIRELY, and you proceed at your own risk. These links are provided purely for your convenience and do not imply any endorsement of or association with any products, services, content, information or materials offered by or accessible to you at the organisations site.