From 25 May, the EU General Data Protection Act will be brought in across the UK, and landlords dealing with personal information and data about their tenants need to be up to speed on how the new regulation will affect them.
The new legislation, known as GDPR, replaces the Data Protection Directive and affects anyone who offers goods or a service, holds personal data about people, processes personal information and uses wholly or partly automated means to do so.
Personal data can include names, phone numbers, email addresses, dates of birth, bank details, and identification documents, while even the use of a smartphone to process any of the tenant’s personal information amounts to automated processing.
Registering with the Information Commissioner’s Office
There is a lack of clarity over whether or not individual landlords are directly affected by GDPR, or need to be registered with the ICO, under the Data Protection Act, in order to operate. According to Landlord Today, unless you have a large amount of property and process a lot of personal data, you probably don’t need to register. However, if there is a security breach regarding anything which contains any of your tenants’ personal data, you must inform the ICO as well as the tenants.
Landlords must be able to identify why they need to hold their tenants’ personal data, in order to prove they have a lawful basis for processing the information. This can be shown in a number of ways:
- They have the consent of the person whose data they hold
- The data is necessary for the letting contract
- The landlord is legally required to hold the information
- The landlord can prove a vital interest in passing the data to a third party, such as passing the names on to utility companies or providing contact details to contractors when work needs to be carried out
Keeping tenant information safe
All landlords should be aware of exactly where the data they hold on tenants is kept, and ensure that it is safe. Physical records must be kept secure at all times, while digital records must be protected by passwords. It is also important to permanently delete any data which is no longer needed as, under GDPR, a former tenant can request that all their information be removed from your records.
Landlord Today says: “Whatever you do, under GDPR you need to bear in mind that you should only be doing things with people’s information that they would reasonably expect you to be doing. Take time to think about what you are doing with their information in the context of the reason they gave it to you.”
The consequences of non-compliance
If anyone is found in breach of the new GDPR rules, they risk being fined up to 4% of their global annual turnover or €20m, whichever is greater. This maximum would only apply for the most serious infringement, and fines are generally tiered depending on the level of non-compliance.
To read more about GDPR, see the official website.