Buying Or Letting A Home? GDPR Could Affect You

It’s finally here, the month that the General Data Protection Regulations (GDPR) come into force, and we can no longer ignore what impact it may have on us. 

The aim of GDPR is to give people more control over their personal data. Although it’s EU-based regulation, it will come into force regardless of Brexit and will replace the Data Protection Act on 25 May 2018.

But while arguments rage over how big business may be using our private details to sell us products or influence elections, how will the new regulations affect someone buying or renting a property?

Landlords and personal data: What GDPR says

Under GDPR, landlords are responsible for how tenants’ personal information is collected, used and stored.

You obviously need to keep personal information such as names, email and internet provider addresses, employment details and benefit applications. But you must also ensure that only information for legitimate business needs is collected and kept, and then only for the minimum necessary time, not forgetting tax record requirements.

Your responsibility regarding third party “data processors”

As the landlord, you are a “data controller”, but you’re also responsible for the actions of anyone you employ as a “data processor”; this could be a credit check agency or lettings agency and you need to confirm they have suitable GDPR policies in place.

Punishment for breaches of GDPR

If you breach the GDPR, the Information Commissioner’s Office could fine you up to 4% of your turnover (or £20 million, whichever is greater, though the ICO has stated fines are likely to be below £1-2 million!). You could also be sued by your tenant for compensation.

Five immediate actions for complying with GDPR

With the potential cost of doing nothing so high, we’ve come up with a list of initial actions to make sure you’re heading towards compliance.

Ask for consent. As a landlord, you must ask for explicit consent from a tenant to collect, use and store specific information from them. Your request should include the following:

• Your name, company name, and the name of relevant third parties working on your behalf

• Why you need to collect the data

• How the data will be used

• How consent for a third-party processor can be withdrawn

• What the process is for completely withdrawing consentIt’s best to ask for, and keep, written consent.

Review the data you hold. Check all the personal information you currently hold, to confirm:

• Is it accurate?

• Do you really need it for your business?

• How securely is it being held?

• Do you still need to keep it and how would you delete it securely?

• Are you abiding by your own GDPR rules?

It’s also a good idea to review the data you hold every year.

Do you need to register with the ICO? 

The law entitles landlords to ask for a reference and to share the tenant’s details with a third party for the purpose of a contract of tenure, so small scale landlords probably won’t have to register. However, if you plan to share details with a third party for any other reason, then you need to register with the ICO. You can get more registration details on the ICO website.

Create a privacy policy. This sets out to tenants exactly how you collect and hold personal data. Your policy should include:

• What information is being collected?

• Who collects it, and how?

• Why it’s being collected?

• How it will be used?

• Who it will be shared with?

• How collected data will affect the tenant

You should also make sure that it explains how a tenant can withdraw consent for you to hold and use their data in the future.

Review all third party data processors you work with. 

Make sure that you aren’t putting yourself at risk through bad practices by a third party; ask for a copy of their privacy policy to confirm that all personal data provided by you will be processed in accordance with GDPR. Keep a copy of their reply.

Buying a house?

Estate agents do not require your explicit consent to collect your details if you register with them purely to find the property you’re looking for.

If they want to send you direct mailing or SMS marketing, then they need your specific consent for that. 

Simpsons makes sure you’re GDPR compliant

As a responsible business, we make sure at Simpsons of Abingdon that our clients have all the facts about the law. For more information about how GDPR could affect you, then contact us or ring us on 01235 520079.