David Smith’s expert legal advice on GDPR: What ‘woefully under-prepared agents’ need to do

The GDPR is looming and comes into force on May 25.

Many businesses are woefully under-prepared, with a recent government survey finding that 60% of UK businesses were entirely unaware of the GDPR, and that of the 40% who were aware, just 27% had actually done anything about it.

There has been a certain amount of scaremongering about GDPR and this article is certainly not going to add to this, but it is important for property agents to prepare for GDPR and make sure they are processing data in the right way.

Fines under GDPR can potentially be a lot higher but the reality is that the Information Commissioner’s Office (ICO) will issue proportionate fines and will likely be fining in the range of tens of thousands of pounds. However, that is still a fair bit of money for many businesses to lose.

The ICO  has been clear that it does expect businesses to comply with GDPR and so simply ignoring the problem until someone in authority writes to you is not the correct answer, but you will not need to be a model of GDPR perfection on May 25.

If you can demonstrate that you are aware of GDPR and have taken clear, practical steps to comply with it, then the ICO will be likely to offer advice on how to correct any outstanding problems rather than levying fines.

What is needed?

The GDPR has a range of things that need to be done to comply. The steps below are not everything you need to do, but if you do them you will be moving in the right direction and will be likely to have done enough to meet the minimum standard that the ICO will expect of agents after May 25.

Agents will generally be controllers of personal data belonging to data subjects under the GDPR and so they will need to comply with the rules. The first thing to do is accept that this is a serious issue and make sure that a senior person is appointed to take charge of it.

Next you need to identify which of the lawful processing bases you are using for each data processing activity. For most agents this will be one of:

  • Contractual obligation: you have entered into a contract with the data subject and you need to process their data to fulfil the contract. This would normally include landlords and property vendors.
  • Statutory requirement: you are subject to an obligation in a law which requires you to process the data. This would include money laundering checks and the right to rent.
  • Legitimate interests: this covers a range of needs which are required to protect the legitimate commercial or other core interests of the controller or someone else. This would include processing data to carry out repairs to tenanted property or asking for details of a person before agreeing to do a viewing in order to protect staff.

Consent has attracted a lot of interest but it is very much a last resort and should not be used where some other processing basis exists. At the moment a lot of people seek consent in their terms of business or elsewhere for processing which is covered by some other basis.

This gives an entirely false impression as it suggests the service might be offered, but without using the data in a particular way if consent is not given. It is contrary to guidance and should not happen.

Consent will be needed to marketing, though, and it may be necessary to review your marketing databases. Consent must be explicitly opt-in and must be specifically given for a specific marketing activity. If existing marketing databases are reliant on implied consents or consent that was obtained because someone did not opt out, then they cannot be used after May 25.

However, you can use them now in order to obtain a better consent that will be effective after 25 May.

Once the correct processing basis is identified, then each data subject must be given a privacy notice at the time their data is collected, setting out a range of key information including:

  • Who is collecting their data
  • What they are using it for exactly
  • Who else will be given the data
  • What the consequences for them are of the processing
  • When the data will be deleted
  • Their various rights
  • How they can complain

This need not be a long document and the ICO encourages them to be short. It can be placed on your website and data subjects referred to it.

It is important to consider your processor relationships. Some agents may think they do not have any data processor relationships, but they are very likely to be wrong. Anyone who is processing personal data obtained by you to help fulfil your obligations will be a processor. This will include:

  • Your email service provider
  • Inventory clerks
  • Photographers
  • Plumbers and other tradesmen

There will be many others. It is an absolute requirement under the GDPR for controllers to have binding contracts with data processors which meet a range of specific obligations.

Finally, staff awareness and training are key. Every staff member is responsible for GDPR compliance and it is important that they are aware of the obligations, aware of their responsibility to meet them, and aware of the internal procedures that are being put in place to comply with GDPR.

What if it goes wrong?

GDPR has important obligations around breach reporting. Not everything is a data breach, but if you lose or compromise a data subject’s data in a way that puts them at risk of loss or damage (including non-financial damage) then you will need to report it.

This will not include minor matters but will cover a lot of data breaches. The reporting deadlines for these are tight. You must make a report within 72 hours of becoming aware of the breach. It is important that this deadline is adhered to as the ICO will penalise attempts to hide from your obligations or to avoid telling them about problems. Early reporting and honesty are key elements in avoiding fines.

What next?

The suggested actions above are a start. However, this is not everything you need to be aware of and agents should take prompt steps to upgrade their knowledge. The GDPR is not just something that needs to be dealt with by May 25.

It is an ongoing responsibility which will require agents to keep abreast of changes and make sure their staff are aware of the obligation and following the necessary procedures.

The plug

I have teamed up with Keysafe to create a new online GDPR training system for agents at www.plenumo.co.uk.

You can try a free course there to see what the system is like and then obtain an annual subscription providing training for you and your staff and a range of useful resources to bring you into compliance with the GDPR.

* David Smith is a specialist housing lawyer with Anthony Gold solicitors

x

Email the story to a friend

3 Comments

  1. Dom_P

    As with all things GDPR, this article isn’t entirely accurate and is re-enforcing the more negative aspects of the GDPR in respect of marketing.

    Your article states that marketing can only be done on a consent basis. Whiile in certain aspects this is true, there is also an option to use ‘legitimate interest’ as the basis for marketing. Indeed, the GDPR states that ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’. It’s fair to say an individual would have the option to object and opt out (and a business would need to consider the rights of the person they are marketing to), but fairly clearly you can do this without consent where you have identified a business or customer need to do so.

    Report
  2. dsns51

    Well your comment is not entirely accurate either.

    The recitals to thhe GDPR say that marketing *may* be a legitimate interest. Howver that is quite hard to demonstrate and you will not be able to do so in many cases. Direct marketing will be subject to the direct marketing code and is also subject to national legilsation. These have both yet to be finalised and there is no clear position that you can use anything other than consent.

    Given that if you need consent and do not have it you cannot use the database it is far better to seek consent now, pre GDPR, in order to preserve databases post 25 May.

    Report
    1. Dom_P

      I think we are both arguing the same point; the key is in the ‘may be regarded as…’ wording.

      It would be necessary to carry out a Legitimate Interest Assessment and ascertain necessity, whilst balancing the interests of the parties involved.

      In my opinion, were a customer to contact you regarding a particular property in a particular area, you could rely on legitimate interest to send them further marketing emails advertising properties in the local area that were similar, however you may need to ask for consent to market other products and services you may offer which are not linked to the main purpose of your business.

      My understanding is that there is some common sense here; if a customer would reasonably expect the marketing then Legitimate Interest is most probably acceptable.

      The problem with consent is that it can be withdrawn at any time and one could argue that if someone wanted you to help them move but refused consent for marketing you are in a catch 22 position of not being able to market property to them.

      Report
X

You must be logged in to report this comment!

Leave a Reply

Thank you for signing up to our newsletter, we have sent you an email asking you to confirm your subscription. Additionally if you would like to create a free EYE account which allows you to comment on news stories and manage your email subscriptions please enter a password below.