The General Data Protection Regulation comes into force in May, replacing the Data Protection Act and creating new responsibilities for businesses including PRS landlords.
Landlords and agents are now preparing the groundwork for this and the RLA’s Landlord Advice Team has received a number of calls on the topic. This week’s call was a typical one that asked about the basic requirements.
The member who called was unsure as to where to start when to came to implementing the new rules. We explained the initial steps they should be taking.
By May 25th 2018 all landlords and agents need to ensure their business is compliant with GDPR. This means auditing how their customer’s personal data flows in and out of the business, checking with any third parties they share information with to make sure they are GDPR compliant, preparing a privacy notice to provide to customers, and developing a data protection policy that sets out how tenants’ details are stored.
The results of this process will be unique to each business’ data protection usage so specific answers on exactly how to comply with GDPR are in short supply for landlords and agents.
Instead they must assess their own business and show that they have thought through the specific requirements GDPR places on them.
Over the course of the next month the RLA will be publishing a number of guides and documents to assist members in going through this process.
One thing that was certain (until recently) was that landlords and agents would not need to register with the Information Commissioner’s Office (ICO) as part of the GDPR requirements.
This was a change from the old rules where the RLA took the view that landlords and agents must register with the ICO as part of their data protection requirements.
Unfortunately, this has now changed. The government has introduced additional legislation that makes registration with ICO a statutory requirement.
A fee of £40, £60 or £2,900 is to be paid annually as a registration charge, though most landlords and agents who register now will pay only £35 for the year.
We advised the landlord that along with registering, they should start at the beginning by doing a full audit of all the personal information that flows into the business, how it is used, and how it is disposed of.
We also advised them that they would need to keep good records of this as ICO can ask to see the process by which they came to their final data protection policy. Much like a maths test at school, the GDPR requirements insist that you show how you came to your answer.
This gave the landlord a solid basis to start with and they left to start stage 1 of GDPR compliance.
Rupinder Aujla, LAT manager said: “The requirements of the GDPR can be quite intimidating so it’s good to break down what you need to do into stages. With less than two months to get ready this will break the work down into more manageable chunks.’
Want to learn more about GDPR? The RLA is hosting Future Renting North conference at the Concorde Conference Centre this April, which includes an update on upcoming legislation from RLA Policy Director David Smith. Find out more and book tickets here.