The General Data Protection Regulation (GDPR) applies from 25 May 2018. In the UK the Information Commissioner's Office (ICO) is the supervisory authority responsible for data protection. The regulation is intended to give people greater control over their personal data by requiring organisations and businesses to be accountable and transparent about how they process that data.
Who does it apply to?
Businesses, organisations and governments within the EU, and those outside the EU that process the personal data of people in the EU. A private landlord is classed as a business and therefore must comply with GDPR and register with the ICO.
What is Personally Identifiable Information?
Personally identifiable information is any information relating to a living person who can be identified, directly or indirectly, from it; under GDPR this is called 'personal data'. It includes a name, bank details, right to rent documents, an email address, location data and online identifiers such as an IP address. This broader definition reflects the changes in technology, and in the way organisations collect information about people, since the introduction of the Data Protection Act 1998.
Information that seems innocuous on its own is still personal data if it can be linked back to a person: the salary of a prospective tenant, held alongside their name, is personal data. The bare fact that an unnamed tenant is looking for a property in London would not be.
Roles within GDPR
Within GDPR there are two roles that are important to understand: the 'controller' and the 'processor'. The controller determines the purposes for which, and the manner in which, personal data is processed; it makes the decisions. The processor carries out the controller's instructions, is limited to the scope of those instructions and must not process the data for any other purpose. GDPR places specific legal obligations on processors, and a processor will be legally liable where it is responsible for a breach. Controllers need written data processing agreements with their processors stating what can and cannot be done with the personal data being processed.
The ICO's Guide to the General Data Protection Regulation puts it as follows: a data controller "determines the purposes and means of processing personal data", and a data processor "is responsible for processing personal data on behalf of a controller".
What is processing?
Processing is any operation performed on personal data, including collecting, recording, organising, storing, retrieving, using, disclosing, erasing and destroying it.
What is consent?
- Consent is one lawful basis for processing. GDPR sets a high standard for consent, but you will often not need it because another lawful basis applies.
- Consent offers individuals real choice and control, putting them in charge of their data.
- Consent must be unambiguous and requires a positive opt-in; pre-ticked boxes, opt-out boxes or any other form of consent by default are not permitted under GDPR.
- A request for consent, and the privacy notice, must specifically cover the controller's name, the purposes of the processing and the types of processing activity.
- There is no fixed time limit on how long consent lasts; it depends on the context.
- It must be as easy for people to withdraw consent as it was to give it, at any time they choose.
The questions to ask are: 'should our processing be based on consent?' and 'do we actually need consent to process this data?'
Lawful bases for processing
There are six lawful bases for processing, of which consent is only one, and you must have a valid basis before you process personal data. The six are:
- Contract – most likely to be relied upon in the private rented sector. A landlord passes a tenant's contact details to a carpenter so the kitchen cupboard door can be repaired; the landlord is fulfilling a contractual obligation to repair the property.
- Legitimate interests – the legitimate interest must be identified and, once identified, stated in the privacy notice. The landlord should ask: 'am I using the personal data in a way the tenant would reasonably have expected when they gave it to me?' A landlord has a legitimate interest in referencing a prospective tenant, because they need to ensure the tenant is financially able to take on the tenancy.
- Consent – if your processing goes beyond what legitimate interests or the contract will cover, you may need consent. Consent is unlikely to be the most significant basis of processing within the private rented sector.
- Legal obligation – the landlord provides the tenant's information to a deposit protection scheme in order to comply with the Housing Act 2004.
- Vital interests – this is literally a matter of life or death and must be in the vital interests of an individual (the data subject or another person), not of the business. It is unlikely to be relied on much in the private rented sector.
- Public task – processing necessary for a task in the public interest or the exercise of official authority; this basis is mainly relevant to public authorities. The example given is a landlord who discovers the tenants are supplying illegal drugs from the property: because this is against the public interest, the landlord informs the police, supplying them with personal data relating to the tenant. A private landlord is more likely to rely on legitimate interests for a disclosure of this kind.
What is a data audit and why is it required?
A thorough data audit (sometimes called an Information Asset Register) is the first step towards achieving GDPR compliance. You need to determine what data you hold, who is collecting it, how it is collected, why it is collected, the lawful basis for processing it, who it will be shared with, how it is stored and when it will be deleted. As a private landlord your data subjects may include your agent (where an individual is personally named), current tenants, previous tenants and contractors.
Being transparent and providing accessible information to data subjects about how you collect, use and store their personal data is key; you do this by providing a privacy notice. Privacy notices are not new to GDPR; they are already a requirement under the Data Protection Act 1998. On a website the privacy notice is normally linked from the bottom of the page; a landlord would normally give it to the tenant directly with the tenancy paperwork. The output of your data audit should feed directly into your privacy notices.
Data Processing Agreement
Where a data controller engages a data processor, the controller must put a data processing agreement in place with the processor. Where the data consists wholly or partly of personal data, the law (Article 28 of GDPR) requires certain provisions to be included in the written agreement, such as the subject matter and duration of the processing, its nature and purpose, the types of personal data involved and the processor's obligations.
Subject Access Request
Under the Data Protection Act 1998 a business may charge £10 and has up to 40 days to respond to an individual's request for their data. Under GDPR no fee may be charged in most cases (a reasonable fee is only allowed where a request is manifestly unfounded or excessive, or is repeated), and the response must be provided within one month of receipt; this can be extended by a further two months where a request is complex.
Personal data breaches
A personal data breach is any security incident leading to the accidental or unlawful destruction, loss or alteration of personal data, or to unauthorised access to or disclosure of it. Examples include sending personal data to the wrong recipient, altering personal data without permission and losing access to personal data. Breaches that are likely to pose a risk to individuals must be reported to the ICO within 72 hours of the controller becoming aware of them, and affected individuals must be told without undue delay where the breach is likely to result in a high risk to them. Failure to comply with GDPR can lead to a fine of up to 20 million Euros or 4% of global annual turnover, whichever is higher.
Why does GDPR affect me as a private landlord?
As a private landlord you hold and use the personal data of individuals in the EU, and because you decide why and how that data is processed you are, under GDPR, a data controller.
What do I need to do as a private landlord?
You will hold the personal data of your tenant(s) and you will make the decisions about how that data is used. You are required to register with the Information Commissioner's Office, which can be completed online at https://ico.org.uk/for-organisations/register/; the fee depends on your size and turnover, but in the majority of cases it will be £40.00 per annum. You will also need to put data processing agreements in place with anyone you engage as a data processor, for example your IT support or your contractors. You will also need to issue your tenant with a privacy notice explaining how you process and manage their data.
If you email a tenant to chase rent arrears or telephone them to arrange a property visit, you are processing their personal data and must comply with GDPR. Your lawful basis for processing would normally be contract (fulfilling your obligations under the tenancy agreement).
If, as a let-only landlord, you instruct your agent to serve a section 8 notice on your behalf, you are the controller and the agent becomes the processor. The agent is not making any decisions; it is doing what you, as landlord, have instructed it to do with the data. As processor, the agent is liable to you, the controller, for the processing it carries out; equally, you remain responsible for the processing done by your processor.
If you give your tenant's details to a plumber, you have shared the data. The plumber becomes the processor and is liable to you as the controller. The plumber will only do what you have requested with the data, i.e. use the tenant's contact telephone number to arrange access and the address to locate the property.
In both of the above scenarios you will require a data processing agreement with the plumber and with the agent.
Fact Sheet provided by our Letting Agent Support Partner Training For Professionals