The General Data Protection Regulations (“GDPR”) enters into force on 25 May 2018. For many large scale landlords, the past 6 months have been about preparation. The GDPR is a dramatic shift away from the old Data Protection Regulations and carries with it, large fines for non-compliance.
While the GDPR is European Law which has direct effect on the UK (at least until Brexit happens), the provisions will be enacted through a new Data Protection Bill. The provisions of the Data Protection Bill will apply exclusively in the UK although in the event of a dispute, the European Courts will have the final interpretation in the context of whether the UK has correctly applied the provisions of the GDPR. What’s important then is that anyone processing data understands both the provisions of the GDPR and the new Data Protection Bill.
What do you need to know as a Landlord?
The GDPR essentially governs the ways in which individuals, companies and organisations use personal or sensitive data. These parties will continue to be placed under a responsibility to protect data as either ‘controllers’ (those who hold personal data) or ‘processors’ (those who use personal data).
Whether a particular piece of data is personal or sensitive will be subject to fierce debate in some circumstances. However, for the purpose of the GDPR, Article 4 provides a non-exhaustive definition. For Landlords, this is likely to include the storage of tenant’s and guarantor’s names, telephone numbers, email addresses, date of birth, amongst other details. As a rule of thumb, if it can be used to identify a person, it will likely be personal information.
The principals require those who hold those items to hold them for a legitimate purpose and to process data only for the purpose it has been collected. Landlords will likely need to collect personal information in order to perform the contract of the tenancy agreement or to comply with its legal obligations (to satisfy that the tenant has the right to rend for example). Their right to do so for this purpose will remain largely unchanged.
Data may also be processed with the person’s consent if there is no initial legitimate purpose. If you plan to do this then it is important to ensure that you are able prove that the consent has been given. It is also possible for consent to be withdrawn so stay alert to this
The most profound change is in respect of the measures a data controller must take to protect the personal information it holds. This will mean that Landlords should ensure that the information they hold on tenants is kept in a safe and secure locations, if stored electronically, password protection might be prudent. It also requires Landlords to be organised, making sure that the information is kept for no longer than necessary and is kept in an organised and easy to access manner. The regulations place the burden of proving compliance on the data controller.
Your relationship with third parties will also require some consideration. Often, a Landlord uses contractors to carry out certain tasks on behalf of the Tenant. You should also ensure that personal data given out to these third parties will be recorded, in a safe and secure manner.
If a breach does occur, the data controller (i.e. you as the Landlord) is under an obligation to notify The Information Commissioner’s Office without undue delay. This will need to be done within 72 hours of becoming aware of the breach. Subjects need to be notified if it is determined that will suffer an adverse impact.
The GDPR will be enforced by The Information Commissioner’s Office in the UK. Possible sanctions will include a written warning in the first instance, regular periodic data protection audits, a fine of up to €20 million or up to 4% of the annual worldwide turnover (in certain circumstances).
Access rights for data subjects have also changed. A data controller must provide when requested an explanation of the categories of data being processed and a copy of the actual data. It will also become mandatory to inform the data subject of the purposes of the processing, with whom the data is shared and how it acquired the data. A right to erasure of personal data also exists.
It is crystal clear that Landlords should take note of the GDPR and how it affects their business. Failure to comply could lead to severe consequences.
If you are a landlord and need a more detailed explanation of how the GDPR might work for you, do not hesitate to get in touch with our landlord and tenant law specialists – call 01206 700113 or email [email protected]
Credit – blog post written by Lawrence Adams.