The GDPR is looming and comes into force on May 25.
Many businesses are woefully under-prepared, with a recent government survey finding that 60% of UK businesses were entirely unaware of the GDPR, and that of the 40% who were aware, just 27% had actually done anything about it.
There has been a certain amount of scaremongering about GDPR and this article is certainly not going to add to this, but it is important for property agents to prepare for GDPR and make sure they are processing data in the right way.
Fines under GDPR can be a lot higher, but the reality is that the Information Commissioner's Office (ICO) will issue proportionate fines and will likely be fining in the range of tens of thousands of pounds. However, that is still a fair bit of money for many businesses to lose.
The ICO has been clear that it does expect businesses to comply with GDPR and so simply ignoring the problem until someone in authority writes to you is not the correct answer, but you will not need to be a model of GDPR perfection on May 25.
If you can demonstrate that you are aware of GDPR and have taken clear, practical steps to comply with it, then the ICO will be likely to offer advice on how to correct any outstanding problems rather than levying fines.
What is needed?
The GDPR has a range of things that need to be done to comply. The steps below are not everything you need to do, but if you do them you will be moving in the right direction and will be likely to have done enough to meet the minimum standard that the ICO will expect of agents after May 25.
Agents will generally be controllers of personal data belonging to data subjects under the GDPR and so they will need to comply with the rules. The first thing to do is accept that this is a serious issue and make sure that a senior person is appointed to take charge of it.
Next you need to identify which of the lawful processing bases you are using for each data processing activity. For most agents this will be one of:
- Contractual obligation: you have entered into a contract with the data subject and you need to process their data to fulfil the contract. This would normally include landlords and property vendors.
- Statutory requirement: you are subject to an obligation in a law which requires you to process the data. This would include money laundering checks and the right to rent.
- Legitimate interests: this covers a range of needs which are required to protect the legitimate commercial or other core interests of the controller or someone else. This would include processing data to carry out repairs to tenanted property or asking for details of a person before agreeing to do a viewing in order to protect staff.
Consent has attracted a lot of interest but it is very much a last resort and should not be used where some other processing basis exists. At the moment a lot of people seek consent in their terms of business or elsewhere for processing which is covered by some other basis.
This gives an entirely false impression, as it suggests that the service might still be offered, but without using the data in that particular way, if consent is not given. It is contrary to guidance and should not happen.
Consent will be needed for marketing, though, and it may be necessary to review your marketing databases. Consent must be explicitly opt-in and must be given specifically for a particular marketing activity. If existing marketing databases rely on implied consent, or on consent that was obtained because someone did not opt out, then they cannot be used after May 25.
However, you can use them now in order to obtain a better consent that will be effective after May 25.
Once the correct processing basis is identified, then each data subject must be given a privacy notice at the time their data is collected, setting out a range of key information including:
- Who is collecting their data
- What they are using it for exactly
- Who else will be given the data
- What the consequences for them are of the processing
- When the data will be deleted
- Their various rights
- How they can complain
This need not be a long document, and the ICO encourages privacy notices to be short. It can be placed on your website and data subjects referred to it.
It is important to consider your processor relationships. Some agents may think they do not have any data processor relationships, but they are very likely to be wrong. Anyone who is processing personal data obtained by you to help fulfil your obligations will be a processor. This will include:
- Your email service provider
- Inventory clerks
- Plumbers and other tradesmen
There will be many others. It is an absolute requirement under the GDPR for controllers to have binding contracts with data processors which meet a range of specific obligations.
Finally, staff awareness and training are key. Every staff member is responsible for GDPR compliance and it is important that they are aware of the obligations, aware of their responsibility to meet them, and aware of the internal procedures that are being put in place to comply with GDPR.
What if it goes wrong?
GDPR has important obligations around breach reporting. Not everything is a data breach, but if you lose or compromise a data subject’s data in a way that puts them at risk of loss or damage (including non-financial damage) then you will need to report it.
This will not include minor matters but will cover a lot of data breaches. The reporting deadlines for these are tight. You must make a report within 72 hours of becoming aware of the breach. It is important that this deadline is adhered to as the ICO will penalise attempts to hide from your obligations or to avoid telling them about problems. Early reporting and honesty are key elements in avoiding fines.
The suggested actions above are a start. However, this is not everything you need to be aware of and agents should take prompt steps to upgrade their knowledge. The GDPR is not just something that needs to be dealt with by May 25.
It is an ongoing responsibility which will require agents to keep abreast of changes and make sure their staff are aware of the obligations and are following the necessary procedures.
I have teamed up with Keysafe to create a new online GDPR training system for agents at www.plenumo.co.uk.
You can try a free course there to see what the system is like and then obtain an annual subscription providing training for you and your staff and a range of useful resources to bring you into compliance with the GDPR.
* David Smith is a specialist housing lawyer with Anthony Gold solicitors