Why the new GDPR rules are important for landlords and a plan of action!

GDPR stands for General Data Protection Regulation and refers to the new Data Protection rules which will come into force on 25 May.

Now before you click away thinking “this does not apply to me” be aware that:

  • If you are a landlord it DOES apply to you (even if you just have one rented property), and
  • The fines for noncompliance are up to the larger of 4% of your turnover or 20 million Euros.

So if you get things wrong you could lose out big time.

The data in question is personal data. Information about people which if it got into the wrong hands could cause them untold damage. If you hold people’s data you are expected to look after it.

The new rules are a lot more onerous than the old and the deadline is creeping up on us. So if you are a landlord or a letting agent and have not started your preparation yet, here is a plan of action to help you.

  1. Make sure you are registered

If you are a landlord or letting agent – you should already be registered with the Information Commissioners Office. The Information Commissioner enforces the Data Protection rules.

Everyone who holds and processes (ie uses) data electronically needs to be registered.  There are very few exceptions and they probably won’t apply to you. If you are not registered, you need to get this done asap – check the ICO website here.

  1. Do a list of the type of data that you hold

So, for example, if you are a landlord or letting agent:

  • You will hold personal details about your tenants.
  • If you are a letting agent you will have details about your landlords.
  • You may also hold details about ‘prospects’ eg your mailing list, for example, if you regularly send information or promotional emails or letters out to prospective landlords or tenants
  1. Do a list of the places where it is held

For example, if you are receiving this post via email, then I will hold some details (your email address and maybe your name) on Aweber which is the software used to send most of the blog post mailings.  Or, if you have been subscribing for a long time, on Feedburner.

There will probably (particularly if you are a letting agent) be more than one place where you hold data – for example, your Customer Relationship Management (CRM) software, any separate service used to send out newsletters (e.g. Constant Contact or MailChimp), your accounts software, etc.

  1. Check that those places are GDPR compliant

If data is held online it should be on a secure site and be password protected. However, there is more to it than that. You need to contact your service to find out what they are doing.

Most of these services are fully aware of the new rules and should have a policy statement somewhere. Find out where it is and keep a record of it. Most reputable services will ensure that they are compliant by the deadline of 25 May.

But remember – if you input people’s data onto these services YOU are responsible for its safety as well as the service company.

  1. Check that you have permission from people to use their data in the way that you are using it.

For example, if Mrs A gave you her email address in connection with her application for a tenancy that does not necessarily mean that she gave her permission for you to send marketing mailings to her.

If you are using data from a purchased list to send out marketing emails you need to be very careful. Even if you created your mailing list in-house, it may be best to start again from scratch so you can be sure that you have everyone’s permission. This is what I am doing here.

Remember that it has to be an active ‘opt-in’. One of the purposes of the new rules is to reduce spam and unwanted mailings – so make sure that you can show that everyone on YOUR list has actively consented to get your mailings.

  1. Do a ‘privacy page’ on your website

This needs to set out in detail what you do with people’s data and inform people what they can do if they want to unsubscribe or get their data deleted.

My privacy page (still a work in progress) is here. Take a look also at the ICO privacy notice page here.

Once you have this set up you should link to it from all your mailings, particularly any automatic mailings.

  1. Appoint a Data Protection Officer

If you are a small firm or one-man band – this will probably be you!

The Data Protection Officer’s job is to monitor compliance, ensure that your employees are informed of their duties under the regs, and to be the first point of contact for members of the public contacting you about data protection issues, and also the authorities (i.e. the ICO). Generally, the Data Protection Officer will be responsible for compliance within your organisation.

They should be someone of reasonable seniority and have the authority to make any necessary charges.

If your organisation is quite large (or even if it is not), you should arrange for your Data Protection Officer to have suitable training.

Other things

Here are a few other suggestions.

Keep a diary or record of actions taken

Use this to record any work you do preparing for the GDPR so if the ICO contact you about a breach you can show them that you are taking it seriously.

Answer the ICO GDPR checklist.

You will find this here. Keep a record of your answers and review it from time to time. Maybe keep your answers as part of your diary. Again it will go to show the ICO that you are preparing as best you can.

Needless to say, take any action which is flagged up by the ICO checklist – do not assume that my checklist is the final answer! It is only a starting point.

Make sure that your tenancy agreements include suitable Data Protection clauses.

The Landlord Law tenancy agreements have had a separate Data Protection section for some time but I will be reviewing them again before May.

If you do not think you have adequate protection – get your tenants to sign a suitable form. I am developing one for Landlord Law members.

A few extra notes

  • You can no longer make a charge when people request a copy of their data, but you may be able to refuse in some circumstances (but check the law before you do so).
  • Although people will now have a ‘right to be forgotten’ they cannot require you to delete your data about them if they are a customer (where you will need to hold data for legal reasons)
  • Save where you need to retain information (eg for customers) y.o.u should make a practice of deleting information if it is no longer being used.

For more information

Please see the ICO website. My tips above are just a general guide and do not cover everything.  And remember – the new rules come into force on 25 May 2018.

NB A version of this article was first published in the Landlord Law Newsletter.