Major changes to data protection legislation take effect on 25th May. All landlords will be affected as they handle personal data. Here’s what you need to know to make sure you are compliant.
Data protection legislation has been around for a long time, but these new changes mean you must now pay a lot more attention to your responsibilities or you could face fines or claims by tenants for damages.
What is GDPR?
The new legislation is set out in the General Data Protection Regulation (GDPR).
It is based on existing rules, but there are a number of important changes which will affect landlords:
- A new right for the data subject to be given information about how their data is dealt with.
- Deadlines are set for the timing of providing this information.
- Where you rely on consent as the gateway for handling data there are more stringent requirements about obtaining consent.
- The need to record how you handle data and decisions you make around this.
- Greater emphasis on ensuring that data is held securely.
- Stricter enforcement of time limits for holding data.
- New rights for tenants giving them greater control over what happens to their personal data.
- Obligations to notify the Information Commissioner’s Office and in some cases the individual affected if there is a personal data breach.
There are some similarities with the existing data protection legislation but there are a number of important differences.
And while the new data protection requirements come from Brussels, they will still remain in force after we leave the EU.
What is personal data?
All kinds of information about an individual are considered personal data, e.g. their name, date of birth, national insurance number, contact addresses and car registration number.
Email addresses and IP addresses are personal data. The person to whom this data relates (for example, your tenant) is called the data subject.
Personal data is mainly linked with electronic processing, e.g. computers, emails, mobile phones and text messages.
This is so even if the information was originally collected in handwriting. GDPR also applies even if you have an organised manual filing system.
Can I legally handle data?
It is important to understand that before you can handle or ‘process’ personal data there must be a legal “gateway” to do so.
The main gateways relevant to private landlords are:
- You hold the data subject’s consent, which must relate to use for one or more specific purposes. It is wrong to think that handling personal data always requires consent. In fact, you are far better off relying on other gateways.
- Data handling is necessary to perform a contract to which both you and the data subject are parties. This will cover many activities a landlord undertakes.
- To comply with a legal obligation (other than a contractual obligation). This would for example cover data handling around gas safety checks or protecting deposits.
- Where there is a legitimate interest in handling the data. This can be your own legitimate interest or that of someone else. This gateway requires a balance to be struck between this legitimate interest and the data subject’s rights, so a brief legitimate interests assessment must be carried out and recorded.
Importantly, not only must you have a gateway to handle data but in all cases (even where you have consent) you must comply with the data protection principles.
Data protection principles
The principles state that personal data must:
- be handled lawfully, fairly and transparently. This means information must be used in a way people would reasonably expect.
- be collected for specified, explicit and legitimate purposes.
- be adequate, relevant and limited to what is necessary.
- be accurate and up to date.
- be stored on a time-limited basis.
- be handled in a way which ensures appropriate security.
Deadline for action
The deadline date for acting is 25th May 2018 when GDPR comes into force.
The new requirements apply both to existing tenancies and to new tenancies which start after that date.
Each new tenant or prospective tenant must be given a privacy notice. Sample privacy notices for both England and Wales will be uploaded to the RLA site in the coming weeks.
What do I need to do to be compliant?
The first thing that you need to do is prepare and issue a new privacy statement. To help prepare this privacy statement you will need to review what personal data you hold, why you hold it, the legal gateway for doing so and how you use this data, as well as how long you keep it.
You need to put in place a system to make sure that you provide your tenants and anyone who wants to rent from you with this privacy notice.
If you rely on consent as the legal gateway to handle data, you need to familiarise yourself with the new rules around obtaining consent, which are much more stringent.
You will need to document the process which you use to obtain consent.
If you currently rely on consents it is safer to start all over again to refresh existing consents where they are needed.
Rather than rely on consents you may well want to look at whether there is an alternative legal gateway available, so that consent is not needed at all.
You need to put in place a process for recording the decisions you make about handling personal data.
You need to review your security arrangements for personal data which you hold at the same time.
As a minimum, you need to make sure that access is restricted to those who need to handle the data, that the data is password protected and that computers and mobile devices are kept secure.
What is the RLA doing to help landlords?
The RLA has a “Landlords Guide to GDPR Compliance” on its website which tells you in detail what steps you need to take to comply and how to take them.
The RLA will also be producing model documentation including a Data Audit Checklist and Privacy Notice.
It must be stressed that these are example documents which you can use to produce your own customised documents to suit your own ways of working.
Ensuring compliance has to be your own responsibility and, if need be, you should take your own appropriate professional advice.
Further, the RLA cannot assist on any data protection issues outside the landlord/tenant relationship.
The new guidance and documentation will be available on the RLA website in the coming weeks and will be shared with members by email and on our campaigns and news centre.
The RLA is also currently running a free online GDPR course for all members, with non-members also able to sign up for just £10.
This article was first published in the RLA’s members’ magazine Residential Property Investor.