General Data Protection Regulation (GDPR) is now here!
GDPR has been introduced essentially to deal with the notoriously poorer uses of individuals personal data by companies such as Facebook, Amazon, Google etc. It certainly isn’t aimed at private landlords!
However, this doesn’t mean that landlords get off lightly.. the legislation means that landlords must process tenants’ personal data in a much more detailed and secure way than those pre GDPR days..
Processing Personal Data
The whole letting process means that it is impossible to be a compliant landlord or agent and not process some personal data. This is now much more relevant if you are a landlord who uses a tenant find or let only service through a letting agent and then chooses to manage the property themselves.
Personal data can be stored in lots of different ways; on a computer, on your smartphone or tablet or on a cloud up in the ether somewhere… however, it can also be paper based; in a ledger, or a notebook, maybe in a lever arch file or even on a post it!
The 6 Lawful Bases for Processing
There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
For a private landlord managing his/her own property, ‘Contract’ is the overriding reason that the personal data of a prospective tenant/tenant would be held.
However, care must be taken to prevent you crossing the boundaries of ‘Contract’. For example, it is reasonable for landlords to record an applicant’s information if they have applied to rent a property from you. However, you would need ‘Consent’ from them if you were going to do a reference check and pass their information on to a third party as part of that process. Under GDPR, this consent needs to be explicit – you need to have a record (e-mail, text, signed document etc.) of their ‘opt-in’ to prove that consent has been given.
It would also be acceptable for landlords to contact current tenants about their tenancy (contract), or previous tenants regarding their tenancy, for the return of a deposit for example.
Be careful… if a tenant has agreed to be contacted in an emergency, for example, this does not mean they have given consent for you to do anything else with their details. Under GDPR you always need to consider that you should only be processing personal data for things that they would reasonably expect. Think about why the data was given to you in the first place.
A common sense approach should ensure that GDPR is adhered to when handling personal data:
Physical Safety – Keep data in a locked cabinet or safe. Paperwork, external hard drives, USB sticks and anything else that carries personal data.
Digital Safety – Password protect your mobile phones, computers and other devices. Fingerprint scans are also available on many smartphones.
Organisation – Keep track of each tenant’s data and permanently delete anything you don’t need. A previous tenant can ask you to delete all the information you have about them, however, be sure to comply with any legal requirements to keep the data – HMRC records, for example.
The most important thing to remember, however, is to keep a written record of the actual consent – a signed document though a text message, email, fax, or digital log will be adequate.
Property maintenance via contractors tends to require some sharing of tenant details. Under GDPR you are responsible for ensuring that any data you share is secure. You should ensure that their Terms of Service include acknowledged responsibilities for GDPR.
The ICO (Information Commissioners Office)
The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Unless you have a significant property portfolio, it’s unlikely that you need to register with the ICO. However, if you do suffer a breach that compromises any personal data, you will need to report this to the ICO within 72 hours, as well as advising the individual.
Off-premises, cloud-based data is always going to be much more secure than anything you could achieve locally at home or in an office. At Professional Properties, we have been using this method of data storage for a number of years. Using a cloud-based service also passes the burden of GDPR to the provider.
The Private Rental Sector has been bombarded recently with all manner of legislation changes, tax reforms and regulations. GDPR is now something else for landlords to contend with.
If you are a self managing landlord and would like to discuss how a bespoke management service could help you, please contact us NOW on 01332 300115.