The EU’s General Data Protection Regulation (GDPR) is coming into force on 25 May 2018. This means it will be in force in the UK despite Brexit and will apply to agents and landlords who handle clients’ and tenants’ data.
GDPR will effectively replace the Data Protection Act 1998 and it is vital that agents and landlords comply with it to avoid possible enforcement action from the Information Commissioner’s Office (ICO). The ICO has published a 12-step handout and has set up an advice service helpline for small businesses in the hope that this will make implementation easier. The GDPR requires businesses to ensure that decision makers and key members of staff are aware of the regulation, to determine what information to hold and for how long, and to update their procedures on subject access requests and on what should happen in the event of a data breach.
The ICO is taking a lenient approach where businesses can demonstrate a positive approach to GDPR implementation. However, businesses that do not take any steps to change their processes and procedures are unlikely to receive such generous treatment.
Businesses will be either ‘controllers’ or ‘processors’ and they should know which of these they are. Controllers decide how and why personal data is processed, while a processor actually processes the data. So, a controller will usually be the letting agency as a whole and the processor the company that is processing a tenant’s credit reference check. A controller does not have to possess the data; it simply needs to be the organisation directing how the data is handled. All controllers are legally obliged to have a written, legally enforceable contract with the data processors they use which complies with the GDPR.
It is important that all organisations are fully aware of the lawful processing basis that they are relying on for each data processing activity. One of these is consent, but it is the least important of the processing bases and is only to be used where none of the other processing bases apply. Where consent is sought it needs to be specific and opt-in. Our previous detailed post on this can be read here. Details of when and how that consent was sought must be retained. The GDPR also ensures that people can ask for access to the personal data held by businesses at “reasonable intervals,” with compliance required within a month. Organisations must also ensure that they have a proper data protection privacy notice which sets out who is processing the data, the basis on which they are doing so, and the rights that individuals have around their data.
It is important to note that people now have the right to ask for their data to be deleted at any time if it is no longer relevant. In the case of tenancy data, the first issue to consider when deciding when it becomes irrelevant is the statute of limitations. Generally, documents should be kept for 6 years to comply with accounting and possible litigation issues. However, this does not mean that it is enough to simply store a whole file for 6 years and thereafter destroy it. Certainly, Right to Rent documents may not be needed beyond 1 year, so care and consideration will need to be taken over which documents to retain and for what period.
GDPR involves big changes for business and there is little time left to deal with it. More information is available on the ICO website here.